How to Safeguard Your Systems from Linux CUPS Vulnerabilities
In late September 2024, security researcher Simone Margaritelli (evilsocket on X) disclosed four vulnerabilities in OpenPrinting's Common Unix Printing System (CUPS), the modular printing system that lets users of Unix-like operating systems manage printers and print jobs. After what he described as an inadequate response from the developers during the responsible disclosure process, Margaritelli published the vulnerabilities publicly.
Worryingly, the four vulnerabilities can be chained: an attacker who can reach a Linux system running cups-browsed over the network can register a malicious, attacker-controlled printer on it, and the chain then yields remote code execution as soon as a print job is sent to that printer, as described in his public disclosure writeup.
Vulnerabilities’ Seriousness
The four CVEs received CVSS scores ranging from high to critical. Specifically:
- CVE-2024-47176 (cups-browsed): 8.4 (high)
- CVE-2024-47076 (libcupsfilters) and CVE-2024-47175 (libppd): 8.6 (high)
- CVE-2024-47177 (cups-filters): 9.0 (critical)
At the time of writing, the Exploit Prediction Scoring System (EPSS) put the probability of exploitation between 4% and 6% (0.06 for CVE-2024-47176 and 0.04 for the other three). EPSS scores are recomputed regularly and will change as exploitation activity evolves.
Who is affected by these vulnerabilities?
While not an exhaustive list, the researcher noted that the four vulnerabilities affect most Linux distributions, some BSDs, Oracle Solaris, and Chromium/ChromeOS. Margaritelli said in his disclosure that an internet scan had found hundreds of thousands of vulnerable devices. That said, these vulnerabilities are unlikely to be exploited in their current form in cloud environments: cloud workloads rarely receive print jobs, and UDP port 631, on which cups-browsed listens, is usually not reachable by default. Given the high severity, however, every affected workload should still be patched, or at least monitored, to head off future exploitation.
Immediate Mitigation and Remediation:
- Update and patch vulnerable systems: cups-browsed to a version later than 2.0.1, libcupsfilters and libppd to versions later than 2.1b1, and cups-filters to a version later than 2.0.1 (or apply your distribution's backported fix).
- Disable the cups-browsed service if it is not needed.
- If neither of the above is possible, block all inbound traffic to UDP port 631 (cups-browsed's default listening port) and, where possible, DNS-SD/mDNS (UDP port 5353).
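The following script is an added example (not code from this post or from the OpenPrinting project) that turns the three mitigation steps above into a host-side check: it parses the output of `ss -lunp` to find UDP listeners on port 631 that are bound to something other than loopback, reads the `BrowseRemoteProtocols` directive from /etc/cups/cups-browsed.conf, and lists (or, with `--apply` and root privileges, runs) the commands that stop and mask the cups-browsed unit and drop inbound UDP 631. The function names, the sample `ss` output and the sample configuration excerpts are assumptions constructed for this example; the iptables commands are one way to implement the firewall fallback and should be adapted to nftables or your cloud firewall as appropriate.

```python
"""Host-side triage for the cups-browsed exposure described in the mitigation steps.

Added example, not code from the Check Point post or the OpenPrinting project.
Sample ss output and config excerpts below are constructed for this example.
"""
from __future__ import annotations
import re
import shutil
import subprocess
import sys
from dataclasses import dataclass
from pathlib import Path

CUPS_BROWSED_CONF = "/etc/cups/cups-browsed.conf"
CUPS_BROWSE_PORT = 631
LOOPBACK = {"127.0.0.1", "[::1]"}

# One `ss -lunp` row: State Recv-Q Send-Q Local:Port Peer:Port [users:(("name",pid=..,fd=..))]
SS_ROW_RE = re.compile(
    r'^UNCONN\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)
# Uncommented BrowseRemoteProtocols directive (cups-browsed.conf keywords are case-insensitive)
DIRECTIVE_RE = re.compile(r'^\s*BrowseRemoteProtocols\s+(?P<value>\S.*?)\s*$', re.IGNORECASE)

# Constructed sample: cups-browsed bound to all IPv4 interfaces, chronyd only on loopback.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
UNCONN 0      0      127.0.0.1:323       0.0.0.0:*         users:(("chronyd",pid=611,fd=5))
UNCONN 0      0      0.0.0.0:631         0.0.0.0:*         users:(("cups-browsed",pid=812,fd=7))
UNCONN 0      0      [::1]:323           [::]:*            users:(("chronyd",pid=611,fd=6))
UNCONN 0      0      *:5353              *:*               users:(("avahi-daemon",pid=590,fd=12))
"""
# Constructed excerpt of a stock config: the directive is commented out, so the built-in default applies.
SAMPLE_CONF_DEFAULT = """\
# BrowseRemoteProtocols dnssd cups
BrowseAllow all
"""
# Constructed hardened config: remote browsing switched off explicitly.
SAMPLE_CONF_HARDENED = "BrowseRemoteProtocols none\n"

MITIGATION_COMMANDS = [
    ["systemctl", "stop", "cups-browsed"],
    ["systemctl", "disable", "cups-browsed"],
    ["systemctl", "mask", "cups-browsed"],
    # Firewall fallback while the package is still installed (iptables syntax; adapt for nftables).
    ["iptables", "-I", "INPUT", "-p", "udp", "--dport", str(CUPS_BROWSE_PORT), "-j", "DROP"],
    ["ip6tables", "-I", "INPUT", "-p", "udp", "--dport", str(CUPS_BROWSE_PORT), "-j", "DROP"],
]


@dataclass(frozen=True)
class UdpListener:
    addr: str
    port: int
    process: str | None  # None when ss ran without -p or without privileges


def parse_ss_udp_listeners(ss_output: str) -> list[UdpListener]:
    """Parse `ss -lunp` text into listener records; the header row is skipped."""
    listeners = []
    for line in ss_output.splitlines():
        m = SS_ROW_RE.match(line.strip())
        if not m:
            continue
        addr, _, port = m.group("local").rpartition(":")  # address may itself contain ':'
        listeners.append(UdpListener(addr, int(port), m.group("proc")))
    return listeners


def exposed_browse_listeners(listeners: list[UdpListener], port: int = CUPS_BROWSE_PORT) -> list[UdpListener]:
    """Listeners on `port` that are not confined to loopback, i.e. reachable from the network."""
    return [l for l in listeners if l.port == port and l.addr not in LOOPBACK]


def browse_remote_protocols(conf_text: str) -> str | None:
    """Lower-cased value of the last uncommented BrowseRemoteProtocols directive, or None if unset."""
    value = None
    for line in conf_text.splitlines():
        m = DIRECTIVE_RE.match(line)
        if m:
            value = m.group("value").lower()
    return value


def remote_browsing_disabled(conf_text: str) -> bool:
    """True only when the config explicitly sets 'BrowseRemoteProtocols none'."""
    return browse_remote_protocols(conf_text) == "none"


def triage(ss_output: str, conf_text: str) -> dict:
    """Combine the listener and config checks into one finding."""
    exposed = exposed_browse_listeners(parse_ss_udp_listeners(ss_output))
    return {
        "exposed_listeners": exposed,
        "browse_remote_protocols": browse_remote_protocols(conf_text),
        "needs_mitigation": bool(exposed),
    }


def main(argv: list[str]) -> int:
    ss = shutil.which("ss")
    ss_output = subprocess.run([ss, "-lunp"], capture_output=True, text=True).stdout if ss else ""
    conf = Path(CUPS_BROWSED_CONF)
    report = triage(ss_output, conf.read_text() if conf.exists() else "")
    for l in report["exposed_listeners"]:
        print(f"UDP {l.port} listener on {l.addr} ({l.process or 'unknown process'})")
    print("BrowseRemoteProtocols:", report["browse_remote_protocols"] or "not set (built-in default)")
    if report["needs_mitigation"]:
        for cmd in MITIGATION_COMMANDS:
            if "--apply" in argv:
                subprocess.run(cmd, check=False)  # requires root
            else:
                print("would run:", " ".join(cmd))
    return 1 if report["needs_mitigation"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it without arguments to get a report and a non-zero exit code when a network-reachable UDP 631 listener exists, which makes it usable from a fleet-wide job; add `--apply` as root to execute the listed commands.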
Importantly, Margaritelli urges vigilance on the part of security practitioners, as further related vulnerabilities are still going through responsible disclosure. In addition, working proofs of concept for the current vulnerabilities are publicly available.
At Check Point we always have you covered: our CNAPP solution, CloudGuard, has detected the newly published vulnerabilities in cloud workloads since their disclosure, as shown in the screenshots below (findings for CVE-2024-47175 and CVE-2024-47176):
CVE-2024-47175
CVE-2024-47176
Please note that a CVE's severity may vary across ecosystems. To that end, Check Point CloudGuard offers the "Workload Vulnerability Defaults 2.0" ruleset, which can be applied to Kubernetes, Azure, AWS, and other environments and provides accurate finding assessments for these vulnerabilities.
To find potential CUPS vulnerability ingress risks (inbound rules that admit UDP port 631 from any source), consider the following GSL queries:
AWS
SecurityGroup should not have inboundRules contain [ scope='0.0.0.0/0' and protocol in('UDP','ALL') and port<=631 and portTo>=631 ]
Azure
NetworkSecurityGroup should not have inboundSecurityRules contain [ action='ALLOW' and protocol in('UDP','All') and sourceAddressPrefixes contain [ $='0.0.0.0/0' ] and destinationPortRanges contain [ destinationPort<=631 and destinationPortTo>=631 ] ]
GCP
GcpSecurityGroup should not have inboundRules contain [ enabled='true' and action='ALLOW' and source='0.0.0.0/0' and protocol='UDP' and destinationPort<=631 and destinationPortTo>=631 ]
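The script below is an added example, not part of this post and not CloudGuard code. It applies the same predicate as the AWS query above (inbound rule for UDP or all protocols, port range covering 631, source 0.0.0.0/0) to the JSON returned by `aws ec2 describe-security-groups`, and generalises it in two ways: a rule with IpProtocol "-1" (all protocols) carries no FromPort/ToPort in the AWS response and must be treated as covering every port, and an IPv6 source of ::/0 is treated as open as well. Function names and the sample security groups are constructed for this example.

```python
"""Flag AWS security groups whose inbound rules expose UDP 631 to the internet.

Added example mirroring the GSL predicate in the post; not CloudGuard code.
Sample groups below are constructed for this example.
"""
import json
import sys

CUPS_BROWSE_PORT = 631
OPEN_V4, OPEN_V6 = "0.0.0.0/0", "::/0"


def rule_exposes_port(perm: dict, port: int = CUPS_BROWSE_PORT) -> bool:
    """True if one IpPermissions entry admits `port` over UDP from any source."""
    proto = str(perm.get("IpProtocol", "")).lower()
    if proto not in ("udp", "-1"):          # TCP-only rules do not reach cups-browsed's UDP listener
        return False
    if proto == "udp":                      # "-1" rules have no port range: they cover everything
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        if lo is None or hi is None or not lo <= port <= hi:
            return False
    open_v4 = any(r.get("CidrIp") == OPEN_V4 for r in perm.get("IpRanges", []))
    open_v6 = any(r.get("CidrIpv6") == OPEN_V6 for r in perm.get("Ipv6Ranges", []))
    return open_v4 or open_v6


def exposed_group_ids(describe_output: dict, port: int = CUPS_BROWSE_PORT) -> list[str]:
    """GroupIds from a describe-security-groups response with at least one exposing rule."""
    return [
        g["GroupId"]
        for g in describe_output.get("SecurityGroups", [])
        if any(rule_exposes_port(p, port) for p in g.get("IpPermissions", []))
    ]


# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE_DESCRIBE_OUTPUT = {
    "SecurityGroups": [
        {"GroupId": "sg-cups-open", "IpPermissions": [
            {"IpProtocol": "udp", "FromPort": 631, "ToPort": 631,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
        {"GroupId": "sg-all-open", "IpPermissions": [          # all protocols, no port range
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
        {"GroupId": "sg-tcp-only", "IpPermissions": [          # IPP over TCP, not the UDP listener
            {"IpProtocol": "tcp", "FromPort": 631, "ToPort": 631,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
        {"GroupId": "sg-internal", "IpPermissions": [          # range covers 631 but source is private
            {"IpProtocol": "udp", "FromPort": 600, "ToPort": 700,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
        {"GroupId": "sg-v6-open", "IpPermissions": [           # open only over IPv6
            {"IpProtocol": "udp", "FromPort": 600, "ToPort": 700,
             "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    ]
}


def main(argv: list[str]) -> int:
    """Read describe-security-groups JSON from a file (or stdin) and print exposed groups."""
    src = open(argv[0]) if argv else sys.stdin
    with src:
        data = json.load(src)
    exposed = exposed_group_ids(data)
    for gid in exposed:
        print(gid)
    return 1 if exposed else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Usage: `aws ec2 describe-security-groups --output json > sgs.json && python3 check_cups_sg.py sgs.json`. The script exits non-zero when any group is flagged, so it can gate a pipeline; the script's file name is an assumption.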
Check Point CloudGuard Detections
Toxic Combinations Detection
The new vulnerabilities are included in CloudGuard's Toxic Combinations rules, which pair a vulnerable package with the workload's network exposure so you can see where these vulnerabilities actually pose a risk in your cloud environment:
- Cups-browsed Vulnerability (CVE-2024-47176) was detected on a virtual machine exposed to the public internet
- Cups-browsed Vulnerability (CVE-2024-47176) was detected on a container workload exposed to the public internet
- Libcupsfilters vulnerability (CVE-2024-47076) was detected on a virtual machine exposed to the public internet
- Libcupsfilters vulnerability (CVE-2024-47076) was detected on a container workload exposed to the public internet
- Libppd Vulnerability (CVE-2024-47175) was detected on a virtual machine exposed to the public internet
- Libppd Vulnerability (CVE-2024-47175) was detected on a container workload exposed to the public internet
- Cups-filters Vulnerability (CVE-2024-47177) was detected on a virtual machine exposed to the public internet
- Cups-filters Vulnerability (CVE-2024-47177) was detected on a container workload exposed to the public internet
CloudGuard Network Security (CGNS) Detection
When an exploitation attempt is detected, CloudGuard Network Security records it in the Protection Log with the following details:
- Attack Name: Application Servers Protection Violation.
- Attack Information: CUPS cups-browsed Remote Code Execution (CVE-2024-47176)
For more information, please refer to: CUPS cups-browsed Remote Code Execution (CVE-2024-47176)