On September twenty sixth, 2024, particulars have been launched about a number of vulnerabilities within the Widespread Unix Printing System (CUPS) package deal. A complete of 4 CVE’s (CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177) have been launched, affecting many Unix and Linux distributions. Three of the vulnerabilities are rated Excessive, whereas one is rated Essential. If left unpatched, a distant attacker is ready to execute arbitrary instructions on the affected system.
Under we analyze the potential affect of the 4 used collectively, the right way to detect them with Falco, and mitigation steps you’ll be able to take.
Evaluation
The method being exploited right here is “cups-browsed”, which is used for printer discovery and accessibility. By default, it’s listed on UDP port 631 and is open to the world. No authentication is required to work together with this service remotely. In response to the researcher, a pair hundred thousand techniques had this port open to the web and the “cups-browsed” daemon responded.
The 4 vulnerabilities concerned are used collectively to realize distant code exploitation in weak CUPS installs.
- CVE-2024-47176 is in reference to “cups-browsed” having port 631 being open and permitting unauthenticated entry.
- CVE-2024-47076 permits the exploit to move knowledge with none validation or sanitization.
- CVE-2024-47175 permits the exploit to proceed additional as it’s one other validation and sanitization situation.
- CVE-2024-47177 permits the execution of the information which has been handed utilizing the earlier vulnerabilities utilizing the “foomatic-rip” course of.
In apply, this exploit solely requires an attacker to ship a UDP packet with a URL to a system which the attacker controls. From there, the attacker has a listener ready and might begin the exploit chain as soon as a weak system connects. Lastly, they’ll execute arbitrary instructions because the “foomatic-rip” course of and proceed with their post-exploitation targets.
Detection
This exploit will be detected by searching for the “foomatic-rip” course of executing instructions, as this isn’t regular habits. Alternatively, if CUPS shouldn’t be operating in your setting, searching for any course of listening on UDP port 631 is an possibility. Sysdig Safe detects an in depth quantity of post-exploitation actions out-of-the field however these guidelines will present extra visibility.
Falco may also be used to detect this exploit with the next guidelines:
The next rule is out there routinely to Sysdig Safe prospects within the Sysdig Runtime Menace Detection coverage.
- rule: Attainable Arbitrary Command Execution by means of CUPS (CVE-2024-47177)
desc: The footmatic-rip course of was seen executing widespread shell packages which can point out that an attacker has exploited CVE-2024-47177. Be sure that this is predicted habits and CUPS has been patched for this vulnerability.
situation: spawned_process and shell_procs and proc.pname="foomatic-rip"
exceptions:
- title: proc_name_pname
fields: [proc.name, proc.pname]
comps: [in, in]
output: The method %proc.pname was seen executing the shell %proc.title with cmdline %proc.cmdline which can point out arbitrary command execution by means of the CUPS vulnerability CVE-2024-47177. (proc.exepath=%proc.exepath proc.cmdline=%proc.cmdline person.title=%person.title picture=%container.picture.repository:%container.picture.tag proc.pcmdline=%proc.pcmdline container.id=%container.id container.title=%container.title)
precedence: CRITICAL
tags: [host, container, MITRE]
Code language: JavaScript (javascript)
The next rule is out there routinely to Sysdig Safe prospects within the Sysdig Runtime Notable Occasions coverage.
- rule: Suspicious cups-browsed course of listening on UDP (CVE-2024-47176)
desc: The cups-browsed course of was seen listening for incoming connections on port 631. This will point out that it's weak to CVE-2024-47176. Be sure that that is anticipated habits and the method has been patched.
situation: evt.sort=bind and evt.dir=< and fd.l4proto=udp and fd.port=631 and proc.title="cups-browsed"
exceptions:
- title: proc_name_proc_pname
fields: [proc.name, proc.pname]
comps: [in, in]
output: Course of %proc.title is listening on port %fd.cport utilizing the %fd.l4proto protocol which might point out it is weak to CVE-2024-47176. (proc.title=%proc.title proc.pname=%proc.pname fd.title=%fd.title proc.cmdline=%proc.cmdline proc.pcmdline=%proc.pcmdline container.id=%container.id evt.sort=%evt.sort evt.res=%evt.res proc.pid=%proc.pid proc.exepath=%proc.exepath container.title=%container.title picture=%container.picture.repository)
precedence: INFO
tags: [host, container, MITRE]
Code language: HTML, XML (xml)
Mitigation
The vulnerability administration course of ought to be engaged instantly to make sure CUPS isn’t operating within the setting. Distributors, comparable to Ubuntu and RedHat, have already launched patches for his or her distributions.
For extra tactical mitigations, providers will be shut down and firewall guidelines can be utilized to forestall entry to the weak providers. Latio Tech has a lot of recommendations for the right way to implement these mitigations.
If you’re a Sysdig Safe buyer, the platform provides a number of choices for the right way to reply if one of many above guidelines is triggered. “Kill Process” can be utilized to terminate the shell that the attacker launches. Or for a extra full response in a containerized setting, “Kill Container” can be utilized to remove your entire workload. For deep forensic evaluation, a syscall seize will be taken routinely.
Conclusion
Whereas CUPS isn’t probably for use inside a cloud setting, it does come enabled from sure distributors and could also be energetic with out the group’s data. Having a strong vulnerability administration system that features a list will allow visibility to find these weak software program packages. So as to defend your techniques whereas rolling out patches, real-time risk detection and response will allow you to react to any incidents and routinely reply to them.