Detecting and Mitigating Remote Code Execution Exploits in CUPS

On September 26th, 2024, details were released about several vulnerabilities in the Common Unix Printing System (CUPS) package. A total of four CVEs (CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177) have been released, affecting many Unix and Linux distributions. Three of the vulnerabilities are rated High, while one is rated Critical. If left unpatched, a remote attacker is able to execute arbitrary commands on the affected system.

Below we analyze the potential impact of the four used together, how to detect them with Falco, and mitigation steps you can take. 

Analysis

The process being exploited here is “cups-browsed”, which is used for printer discovery and accessibility. By default, it listens on UDP port 631 and is open to the world. No authentication is required to interact with this service remotely. According to the researcher, a couple hundred thousand systems had this port open to the internet and the “cups-browsed” daemon responded.

The four vulnerabilities involved are used together to achieve remote code execution in vulnerable CUPS installs.

  • CVE-2024-47176 refers to “cups-browsed” having port 631 open and allowing unauthenticated access.
  • CVE-2024-47076 allows the exploit to pass data without any validation or sanitization.
  • CVE-2024-47175 allows the exploit to continue further as it is another validation and sanitization issue.
  • CVE-2024-47177 allows the data passed through the previous vulnerabilities to be executed by the “foomatic-rip” process.

In practice, this exploit only requires an attacker to send a UDP packet containing a URL that points to a system the attacker controls. From there, the attacker has a listener waiting and can start the exploit chain once a vulnerable system connects. Finally, they can execute arbitrary commands as the “foomatic-rip” process and continue with their post-exploitation goals.

Detection

This exploit can be detected by looking for the “foomatic-rip” process executing commands, as this isn’t normal behavior. Alternatively, if CUPS should not be running in your environment, looking for any process listening on UDP port 631 is an option. Sysdig Secure detects a wide range of post-exploitation activities out of the box, but these rules will provide additional visibility.

Falco can also be used to detect this exploit with the following rules:

The following rule is available automatically to Sysdig Secure customers in the Sysdig Runtime Threat Detection policy.

- rule: Possible Arbitrary Command Execution through CUPS (CVE-2024-47177)
  desc: The foomatic-rip process was seen executing common shell programs which may indicate that an attacker has exploited CVE-2024-47177. Ensure that this is expected behavior and CUPS has been patched for this vulnerability.
  condition: spawned_process and shell_procs and proc.pname="foomatic-rip"
  exceptions:
   - name: proc_name_pname
     fields: [proc.name, proc.pname]
     comps: [in, in]
  output: The process %proc.pname was seen executing the shell %proc.name with cmdline %proc.cmdline which may indicate arbitrary command execution through the CUPS vulnerability CVE-2024-47177. (proc.exepath=%proc.exepath proc.cmdline=%proc.cmdline user.name=%user.name image=%container.image.repository:%container.image.tag proc.pcmdline=%proc.pcmdline container.id=%container.id container.name=%container.name)
  priority: CRITICAL
  tags: [host, container, MITRE]

The following rule is available automatically to Sysdig Secure customers in the Sysdig Runtime Notable Events policy.

- rule: Suspicious cups-browsed process listening on UDP (CVE-2024-47176)
  desc: The cups-browsed process was seen listening for incoming connections on port 631. This may indicate that it is vulnerable to CVE-2024-47176. Ensure that this is expected behavior and the process has been patched.
  condition: evt.type=bind and evt.dir=< and fd.l4proto=udp and fd.port=631 and proc.name="cups-browsed"
  exceptions:
   - name: proc_name_proc_pname
     fields: [proc.name, proc.pname]
     comps: [in, in]
  output: Process %proc.name is listening on port %fd.cport using the %fd.l4proto protocol  which may indicate it is vulnerable to CVE-2024-47176. (proc.name=%proc.name proc.pname=%proc.pname fd.name=%fd.name proc.cmdline=%proc.cmdline proc.pcmdline=%proc.pcmdline container.id=%container.id evt.type=%evt.type evt.res=%evt.res proc.pid=%proc.pid proc.exepath=%proc.exepath container.name=%container.name image=%container.image.repository)
  priority: INFO
  tags: [host, container, MITRE]
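
The bind rule above fires only when the bind call happens while Falco is watching, so a cups-browsed instance that was already running before Falco started is not reported. The following point-in-time check is an added example, not part of the original rules or Sysdig's code: it reads /proc/net/udp-format tables and reports sockets bound to UDP port 631. The function names and the sample table are constructed for illustration, and the loopback test assumes a little-endian host.

```shell
#!/bin/sh
# Added example: find sockets bound to UDP port 631 in /proc/net/udp-style tables.
# The kernel prints local_address as HEXADDR:HEXPORT, and 631 is 0277 in hex.

# udp631_bindings [FILE...]  (reads stdin when no file is given)
# Prints "<scope> <local_address> uid=<uid> inode=<inode>" per matching socket.
# scope: any (wildcard bind), loopback, or specific (one non-loopback address).
udp631_bindings() {
    awk '
        $1 !~ /^[0-9]+:$/ { next }                 # skip header rows
        {
            if (split($2, la, ":") != 2 || toupper(la[2]) != "0277") next
            addr = toupper(la[1])
            scope = "specific"
            if (addr ~ /^0+$/) scope = "any"       # 0.0.0.0 or ::, every interface
            # 127.0.0.0/8: first octet is the last hex byte on a little-endian host
            if (length(addr) == 8 && substr(addr, 7, 2) == "7F") scope = "loopback"
            # ::1 as it appears in /proc/net/udp6
            if (addr == "00000000000000000000000001000000") scope = "loopback"
            printf "%s %s uid=%s inode=%s\n", scope, $2, $8, $10
        }
    ' "$@"
}

# udp631_exposed [FILE...]: succeeds if any binding is reachable beyond loopback.
udp631_exposed() {
    udp631_bindings "$@" | grep -qv '^loopback '
}

# Constructed sample in /proc/net/udp layout (not captured from a real host).
sample_udp_table() {
    cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  101: 00000000:0277 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 23456 2 0000000000000000 0
  102: 0100007F:0277 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 23457 2 0000000000000000 0
  103: 00000000:14E9 00000000:0000 07 00000000:00000000 00:00000000 00000000   108        0 23458 2 0000000000000000 0
EOF
}

sample_udp_table | udp631_bindings
# On a live host: udp631_bindings /proc/net/udp /proc/net/udp6
```

The inode column identifies the socket but not its owner; running `ss -lunp` as root shows which process holds a reported binding.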

Mitigation

The vulnerability management process should be engaged immediately to ensure CUPS isn’t running in the environment. Vendors, such as Ubuntu and Red Hat, have already released patches for their distributions.

For more tactical mitigations, services can be shut down and firewall rules can be used to prevent access to the vulnerable services. Latio Tech has a number of suggestions for how to implement these mitigations. 

If you are a Sysdig Secure customer, the platform offers several options for how to respond if one of the above rules is triggered. “Kill Process” can be used to terminate the shell that the attacker launches. Or for a more complete response in a containerized environment, “Kill Container” can be used to eliminate the entire workload. For deep forensic review, a syscall capture can be taken automatically. 

Conclusion

While CUPS isn’t likely to be used within a cloud environment, it does come enabled from certain vendors and may be active without the team’s knowledge. Having a robust vulnerability management system that includes an inventory will enable visibility to discover these vulnerable software packages. In order to protect your systems while rolling out patches, real-time threat detection and response will enable you to react to any incidents and automatically respond to them.