CVSS3: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
AI Score Confidence: High
EPSS Percentile: 28.0%
A critical set of unauthenticated Remote Code Execution (RCE) vulnerabilities in CUPS, affecting all GNU/Linux systems and potentially others, was disclosed today. These vulnerabilities allow a remote attacker to execute arbitrary code on a target system without valid credentials or prior access. Major organizations like Canonical and Red Hat have confirmed this flaw, assigning it a high severity with a CVSS score of 9.9 out of 10.
Based on the Qualys Threat Research Unit's analysis, there are more than 75k publicly exposed assets. A huge majority of these assets were found on the default IPP port 631. Of these, more than 42k publicly exposed assets accept unauthenticated connections.
The Qualys research team is closely tracking the vulnerability and will release QIDs to detect these vulnerabilities later this evening Pacific time.
CUPS (Common Unix Printing System) is the standard printing system for many Unix-like operating systems, such as GNU/Linux distributions and macOS. While it's commonly included, CUPS may not be enabled by default on all systems, such as Red Hat. When activated, it allows a computer to function as a print server, managing print jobs and queues and supporting network printing through the Internet Printing Protocol (IPP).
Here are the affected versions:
CVE-2024-47176: cups-browsed ≤ 2.0.1
CVE-2024-47076: libcupsfilters ≤ 2.1b1
CVE-2024-47175: libppd ≤ 2.1b1
CVE-2024-47177: cups-filters ≤ 2.0.1
The vulnerabilities in CUPS involve multiple components of the CUPS printing system:
CVE-2024-47176 affects cups-browsed, which is widely deployed across various UNIX systems, including GNU/Linux distributions, select BSDs, potentially Oracle Solaris, and Google Chromium/ChromeOS. Whether the component is enabled by default varies from one system to another.
These vulnerabilities enable a remote unauthenticated attacker to replace existing printers' IPP URLs with malicious ones silently. Consequently, arbitrary command execution can occur on the affected computer when a print job is initiated. An attacker can send a specially crafted UDP packet to port 631 over the public Internet, exploiting the vulnerabilities without any authentication. On the local network, an attacker can spoof zeroconf, mDNS, or DNS-SD advertisements to achieve the same exploit path, leading to remote code execution.
Exploitation involves sending a malicious UDP packet to port 631 on the target, directing it to an attacker-controlled IPP server. The system's cups-browsed service then connects back, fetching printer attributes, which include malicious PPD directives. When a print job starts, these directives execute, allowing the attacker's code to run on the target system.
Recommended actions for enterprises are to assess the exposure risk of CUPS systems. Limit network access, deactivate non-essential services, and implement strict access controls. Prepare for quick patching as soon as a patch is available, and thoroughly test patches to prevent service interruptions.
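A host-level check for the exposure described above (a UDP listener on port 631), given as an added example that is not part of the original post: `classify_udp631` separates loopback-only listeners from ones reachable over the network, reading `ss -H -lun` output. The sample lines are constructed, and the `cups-browsed` systemd unit name used in `live_check` is an assumption about the distribution's packaging.

```shell
#!/bin/sh
# Added example: classify UDP listeners on port 631 from `ss -H -lun` output.

# Reads ss output on stdin; prints "EXPOSED <addr:port>" for sockets bound to a
# non-loopback address and "LOOPBACK <addr:port>" for loopback-only sockets.
classify_udp631() {
    awk '
    {
        loc = ""
        # The first field containing ":" is Local Address:Port, whether or
        # not ss printed a leading Netid column.
        for (i = 1; i <= NF; i++) if (index($i, ":")) { loc = $i; break }
        if (loc == "") next
        n = split(loc, parts, ":")
        port = parts[n]
        if (port != "631") next
        addr = substr(loc, 1, length(loc) - length(port) - 1)
        sub(/%.*$/, "", addr)     # drop an interface scope such as %lo
        sub(/^\[/, "", addr)      # drop IPv6 brackets
        sub(/\]$/, "", addr)
        if (addr ~ /^127\./ || addr == "::1") print "LOOPBACK " loc
        else print "EXPOSED " loc
    }'
}

# Constructed sample of `ss -H -lun` output (not captured from a real host).
SAMPLE_SS='UNCONN 0 0 0.0.0.0:631 0.0.0.0:*
UNCONN 0 0 127.0.0.1:631 0.0.0.0:*
UNCONN 0 0 [::1]:631 [::]:*
UNCONN 0 0 *:631 *:*
UNCONN 0 0 0.0.0.0:5353 0.0.0.0:*
UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*'

# Live check; assumes systemd and a unit named cups-browsed (assumption).
live_check() {
    if command -v systemctl >/dev/null 2>&1; then
        echo "cups-browsed: $(systemctl is-active cups-browsed 2>/dev/null)"
    fi
    command -v ss >/dev/null 2>&1 && ss -H -lun | classify_udp631
    return 0
}

if [ "${1:-}" = "--live" ]; then live_check
else printf '%s\n' "$SAMPLE_SS" | classify_udp631
fi
```

Run with `--live` on a host to check its own sockets; any `EXPOSED` line on a machine that does not need to discover network printers is a candidate for disabling the service or filtering UDP 631.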
The Qualys Threat Research Unit is releasing the QIDs in the table below to identify assets affected by this vulnerability.
QID | Title | Version | Supported On |
---|---|---|---|
380563 | CUPS Browsed - Remote Code Execution (RCE) Vulnerability | VULNSIGS-2.6.151-3 | Scanner + Agent + CS Sensor |
6021331 | Ubuntu Security Notification for libppd Vulnerability (USN-7045-1) | VULNSIGS-2.6.151-3 | Scanner + Agent + CS Sensor |
6021330 | Ubuntu Security Notification for CUPS Vulnerability (USN-7041-1) | VULNSIGS-2.6.151-3 | Scanner + Agent + CS Sensor |
6021329 | Ubuntu Security Notification for libcupsfilters Vulnerability (USN-7044-1) | VULNSIGS-2.6.151-3 | Scanner + Agent + CS Sensor |
6021328 | Ubuntu Security Notification for cups-filters Vulnerabilities (USN-7043-1) | VULNSIGS-2.6.151-3 | Scanner + Agent + CS Sensor |
6021327 | Ubuntu Security Notification for cups-browsed Vulnerability (USN-7042-1) | VULNSIGS-2.6.151-3 | Scanner + Agent + CS Sensor |
The initial and crucial step in managing this critical vulnerability and mitigating associated risks involves pinpointing all assets susceptible to this specific issue. Use CSAM 3.0 with External Attack Surface Management to identify and inventory the instances in your organization that run vulnerable versions of CUPS.
Qualys CSAM makes it easy to identify assets containing CUPS. The following QQL query will identify assets with CUPS installed.
Software Query
software:(name:"cups-filters" or name:"cups-browsed" or name:"libcupsfilters" or name:"libppd")
The QQL below will help identify assets that have port 631 open, which is typically used by CUPS Internet Printing Protocol (IPP).
Use this QQL statement:
openPorts:(port:631)
With the Qualys Unified Dashboard, you can track the exposure within your organization and view your impacted hosts, their status, distribution across environments, and overall management in real time, allowing you to see your mean time to remediation (MTTR).
These issues pose significant risks for systems exposed directly to the internet or within a local network, potentially allowing attackers to gain full control over affected machines. The cups-browsed service is widely installed on Unix-like operating systems. Proactive measures are essential to mitigate risks associated with unauthenticated RCE vulnerabilities. By staying informed, assessing risks, implementing interim security controls, and preparing for rapid patch deployment, organizations can significantly reduce their exposure to potential attacks.
How can I identify assets with CUPS?
Qualys customers can inventory their infrastructure using the QID 38199: CUPS service Detected.