Critical Unauthenticated RCE in CUPS
ConnectWise
On September 26, 2024, after several days of building up hype on a 9.9 CVSS vulnerability that purportedly affects a wide variety of Unix-based systems, researcher Simone Margaritelli (@evilsocket) disclosed details about the remote code execution (RCE) attack. The disclosed exploit involves a chain of four vulnerabilities (CVE-2024-47176, CVE-2024-47076, CVE-2024-47115, CVE-2024-47177) affecting the CUPS service in Unix-based operating systems. Red Hat released information on the vulnerability including mitigation guidance, though they highlight that RHEL is not vulnerable in its default configuration.
The Attack
The attack chain begins with cups-browsed, the CUPS service that discovers new printers on the network. By default it binds to UDP port 631 on every interface and is not configured to reject any connections. If the port is reachable, an attacker can send an IPP packet to it and register a new printer whose URL points at attacker-controlled infrastructure. When this happens, the attributes of that remote printer are fetched from the supplied URL and written, unsanitized, to a temporary file on the system.
One of the attributes allows the specification of a filter, which will be a program on the local system for converting any unsupported formats over to formats that the printer does support. The researcher was able to recognize a particular filter known as foomatic that has been a common target for exploitation since it accepts a command line directive from the printer's attributes that will execute any command specified in that directive. CUPS has not integrated fixes for some of these decade-old vulnerabilities in the foomatic filter because it would break compatibility with many printers that depend on the permissiveness of this filter directive.
After all these pieces are in place, the attack requires a print job to be sent to the rogue printer so that it will be processed through the filter, causing the arbitrary command to be executed.
Mitigations
There is no official patch available at this time to address any of these vulnerabilities. If your environment permits it, disable cups-browsed. Much of the network traffic the attack depends on can also be blocked at the firewall on port 631. If cups-browsed and an open port 631 are both required, harden the cups-browsed service by specifying which hosts are allowed or denied in /etc/cups/cups-browsed.conf. See the man page for that configuration file for the specifics of these settings.
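As an added example (not part of the original article), the following script audits a cups-browsed.conf for the two hardening points above: whether remote IPP (cups) browsing is still enabled and whether any BrowseAllow/BrowseDeny rules exist. The directive names are the real ones documented in the cups-browsed.conf man page; both sample configurations and the 10.20.0.0/16 subnet are constructed for the demonstration.

```python
from typing import Dict, List

# Constructed sample of an unhardened cups-browsed.conf (matches the shipped defaults).
WEAK_CONF = """\
# constructed sample: effectively the default configuration
BrowseRemoteProtocols dnssd cups
"""

# Constructed sample hardened along the lines of the mitigation section.
HARDENED_CONF = """\
# constructed sample: remote IPP browsing off, only one (hypothetical) subnet trusted
BrowseRemoteProtocols none
BrowseOrder Deny,Allow
BrowseAllow 10.20.0.0/16
"""


def parse_conf(text: str) -> Dict[str, List[str]]:
    """Map each lower-cased directive name to every value given for it."""
    directives: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        key, _, value = line.partition(" ")
        directives.setdefault(key.lower(), []).append(value.strip())
    return directives


def audit(text: str) -> List[str]:
    """Return findings for the config text; an empty list means both checks pass."""
    conf = parse_conf(text)
    findings: List[str] = []
    # An unset BrowseRemoteProtocols falls back to the shipped default "dnssd cups".
    protocols = " ".join(conf.get("browseremoteprotocols", ["dnssd cups"])).lower().split()
    if "cups" in protocols:
        findings.append("BrowseRemoteProtocols includes 'cups': printer announcements "
                        "from any host reaching UDP 631 are accepted")
    if "browseallow" not in conf and "browsedeny" not in conf:
        findings.append("no BrowseAllow/BrowseDeny rules: every announcing host is trusted")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or ["OK"])
```

To audit a live system, read /etc/cups/cups-browsed.conf into `audit()` instead of the constructed samples.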
Next Trend Realty LLC./wwwHar.com/Chester-Swanson/agent_cbswan
2 months ago: Great advice.
Threat Intelligence Evangelism Director, CW Cyber Research Unit, OSCP, MAD ATT&CK CTI
2 months ago: The PoC for exploiting this vulnerability chain was leaked earlier today, so the researcher went ahead and officially disclosed information before a patch was released.