Exploit
CVE-2024-47076

Improper Input Validation (CWE-20)

Published: Sep 26, 2024 / Updated: 54d ago

CVSS 8.6 / EPSS 0.04% / High

Summary

A vulnerability has been discovered in the `cfGetPrinterAttributes5` function of `libcupsfilters`, which is part of CUPS (Common Unix Printing System). This function fails to properly sanitize IPP (Internet Printing Protocol) attributes returned from an IPP server. When these unsanitized attributes are used, for example in generating a PPD (PostScript Printer Description) file, it can lead to attacker-controlled data being introduced into the CUPS system. The vulnerability is classified as an Improper Input Validation (CWE-20) issue.

Impact

This vulnerability could allow an attacker to inject malicious data into the CUPS system through manipulated IPP attributes. The potential impacts include:

1. High integrity impact: An attacker could modify data within the system, potentially altering print jobs or system configurations.
2. Network-based attacks: With a network attack vector, this vulnerability could potentially be exploited remotely.
3. No user interaction required: The vulnerability can be exploited without any user interaction, increasing its severity.
4. No privileges required: An attacker doesn't need any prior privileges to exploit this vulnerability.

The vulnerability has a CVSS v3 base score of 8.6, which is considered HIGH severity. This high score indicates that the security team should prioritize addressing this vulnerability in their patching efforts.

Exploitation

One proof-of-concept exploit is available on github.com. Its exploitation has been reported by various sources, including reddit.com.

Patch

A patch is available. Patch details were added on 2024-09-27, with a link to a Red Hat Bugzilla entry (https://bugzilla.redhat.com/show_bug.cgi?id=2314253). Additionally, Oracle released a patch on 2024-10-15 (https://www.oracle.com/security-alerts/linuxbulletinoct2024.html). The security team should investigate these entries for specific patch information and apply it as soon as possible, following their standard testing and deployment procedures.

Mitigation

Until the patch can be applied, consider the following mitigation strategies:

1. Network segmentation: Limit network access to IPP servers and CUPS systems to trusted networks only.
2. Input validation: If possible, implement additional input validation and sanitization for IPP attributes before they are processed by CUPS.
3. Monitoring: Enhance monitoring for unusual activities related to printing systems and IPP traffic.
4. Least privilege: Ensure that CUPS and related services run with minimal necessary privileges.
5. Keep systems updated: Regularly update CUPS and related components to the latest available versions.
6. Vulnerability scanning: Utilize vulnerability scanners like Qualys and Nessus, which have detection capabilities for this CVE, to identify affected systems in your environment.

Given the high severity of this vulnerability, the security team should prioritize applying the available patch after proper testing. If immediate patching is not possible, implement these mitigations to reduce the risk of exploitation.
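As an added illustration of mitigation item 2 (this is example code written for this page, not code from CUPS, libcupsfilters or the upstream fix): a conservative allow-list check applied to a printer-supplied IPP attribute value before it is written as a PPD `*Keyword: "value"` line. The function names, the 255-byte limit and the sample values are assumptions constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: allow-list check for a printer-supplied IPP attribute
 * value before it is written as a PPD line of the form  *Keyword: "value".
 * A value that can close the quotes or start a new line would let printer-
 * controlled text appear as a PPD directive of its own, so both are refused. */
bool ipp_value_safe_for_ppd(const char *value, size_t max_len)
{
    if (value == NULL || *value == '\0' || strlen(value) > max_len)
        return false;
    for (const unsigned char *p = (const unsigned char *)value; *p; p++) {
        /* reject CR, LF and other controls, non-ASCII, and quote/backslash */
        if (*p < 0x20 || *p > 0x7e || *p == '"' || *p == '\\')
            return false;
    }
    return true;
}

/* Emit one PPD line into buf; returns bytes written, or -1 if the value is rejected.
 * The keyword is assumed to come from the generator's own constants, not the printer. */
int write_ppd_string(char *buf, size_t buflen, const char *keyword, const char *value)
{
    if (!ipp_value_safe_for_ppd(value, 255))
        return -1;
    int n = snprintf(buf, buflen, "*%s: \"%s\"\n", keyword, value);
    return (n < 0 || (size_t)n >= buflen) ? -1 : n;
}

/* Buffer-free wrapper: length of the accepted line, or -1 when rejected. */
int ppd_line_length(const char *keyword, const char *value)
{
    char buf[512];
    return write_ppd_string(buf, sizeof buf, keyword, value);
}

int main(void)
{
    char buf[512];  /* sample values below are constructed, not from a real printer */
    if (write_ppd_string(buf, sizeof buf, "ModelName", "HP LaserJet 4") > 0)
        fputs(buf, stdout);
    puts(ppd_line_length("ModelName", "HP LaserJet 4\"\n*Other: \"y") < 0
         ? "multi-line value rejected" : "multi-line value accepted");
    return 0;
}
```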

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

Timeline

Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (380563)

Sep 26, 2024 at 7:53 AM
First Article

Feedly found the first article mentioning CVE-2024-47076.

Sep 26, 2024 at 8:33 PM / Cybersecurity
Threat Intelligence Report

CVE-2024-47076 is a critical vulnerability in libcupsfilters (up to version 2.1b1) that allows attackers to provide malicious data, which can be passed to other CUPS components, potentially leading to arbitrary command execution. A proof-of-concept exploit is available, and while there are no patches currently, it is recommended to disable and remove cups-browsed and update CUPS as updates become available. The vulnerability poses risks primarily to systems using CUPS for printing, especially if they are exposed to untrusted networks.

Sep 26, 2024 at 8:36 PM
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Sep 26, 2024 at 9:24 PM
CVE Assignment

NVD published the first details for CVE-2024-47076

Sep 26, 2024 at 10:15 PM
CVSS

A CVSS base score of 8.6 has been assigned.

Sep 26, 2024 at 10:20 PM / nvd
Exploitation in the Wild

Attacks in the wild have been reported by Top posts on r/msp.

Sep 27, 2024 at 3:18 AM / Top posts on r/msp
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (244433)

Sep 27, 2024 at 7:53 AM
Vendor Advisory

Red Hat released a security advisory (RHSA-2024:7346).

Sep 27, 2024 at 8:00 AM

Affected Systems

Ubuntu

Exploits

https://github.com/lkarlslund/jugular

Patches

bugzilla.redhat.com

Links to MITRE ATT&CK

T1562.003: Impair Command History Logging

Attack Patterns

CAPEC-10: Buffer Overflow via Environment Variables

Vendor Advisory

Oracle Linux Bulletin - October 2024
Oracle Id: linuxbulletinoct2024 / Release Date: 2024-10-15 / Update Date: 2024-10-15

Description: The Oracle Linux Bulletin lists all CVEs that had been resolved and announced in Oracle Linux Security Advisories (ELSA) in the last one month prior to the release of the bulletin. Oracle Linux Bulletins are published on the same day as Oracle Critical Patch Updates are released. These bulletins will also be updated for the following two months after their release (i.e., the two months between the normal quarterly Critical Patch Update publication dates) to cover all CVEs that had been resolved in those two months following the bulletin's publication. In addition, Oracle Linux Bulletins may also be updated for vulnerability issues deemed too critical to wait for the next scheduled bulletin publication date. Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Oracle Linux Bulletin security patches as soon as possible.

Oracle Linux Risk Matrix (Revision: 1, Published on 2024-10-15): CVE-2024-3596, CVSS Base Score: 9.0, CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H, Product:

References

Amazon Linux 2023 : cups-filters, cups-filters-devel, cups-filters-libs (ALAS2023-2024-723)
CUPS is a standards-based, open-source printing system, and `libcupsfilters` contains the code of the filters of the former `cups-filters` package as library functions to be used for the data format conversion tasks needed in Printer Applications. CUPS is a standards-based, open-source printing system, and `cups-browsed` contains network printing functionality including, but not limited to, auto-discovering print services and shared printers.
CVE-2024-47076
Name: CVE-2024-47076
Description: CUPS is a standards-based, open-source printing system, and `libcupsfilters` contains the code of the filters of the former `cups-filters` package as library functions to be used for the data format conversion tasks needed in Printer Applications. The `cfGetPrinterAttributes5` function in `libcupsfilters` does not sanitize IPP attributes returned from an IPP server. When these IPP attributes are used, for instance, to generate a PPD file, this can lead to attacker-controlled data being provided to the rest of the CUPS system.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla / CVE, GitHub advisories / code / issues, web search, more)
References: DLA-3905-1, DSA-5778-1
Debian Bugs: 1082821, 1082827

Vulnerable and fixed packages (the table lists information on source packages):

  Source Package        Release              Version             Status
  cups-filters (PTS)    bullseye             1.28.7-1+deb11u2    vulnerable
                        bullseye (security)  1.28.7-1+deb11u3    fixed
                        bookworm             1.28.17-3           vulnerable
                        bookworm (security)  1.28.17-3+deb12u1   fixed
                        trixie               1.28.17-4.1         vulnerable
                        sid                  1.28.17-5           fixed
  libcupsfilters (PTS)  sid, trixie          2.0.0-3             fixed

The information above is based on the listed fixed versions.

Notes:
https://github.com/OpenPrinting/libcupsfilters/security/advisories/GHSA-w63j-6g73-wmg5
https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/
Fixed by: https://github.com/OpenPrinting/libcupsfilters/commit/95576ec3d20c109332d14672a807353cdc551018
CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, CVE-2024-47177: Everything you need to know
These vulnerabilities are unlikely to be exploited in most cloud environments due to their requirements for exposing UDP port 631 and needing the victim to attempt a print request as part of the currently disclosed exploitation method. While no successful exploitation has been reported in the wild as of today, September 29, 2024, Wiz Threat Research has observed the following IPs attempting UDP communication through port 631, most likely scanning this port for malicious purposes or as part of security research -

News

Prisma Cloud Compute Cortex XDR Agent 8.6
How our new engine framework helped address the critical CUPS vulnerability within the day
Within the day, customers could test whether they were vulnerable thanks to the rollout of a new scanning engine framework that reinvents how Detectify operates under the hood, allowing for a faster and more efficient response to security threats. As soon as the CUPS flaw was detected, Detectify entered war-room mode to build a test for the vulnerability and ensure that customers were kept safe against such a critical threat.
Squid, Binutils, Evolution, and more updates for Oracle Linux
Oracle Linux has issued many security upgrades, including squid, binutils, evolution, webkit2gtk3, .NET 6.0, and cups-filters. The updates also address cups-filters and giflib vulnerabilities in Oracle Linux 7.
Multiple vulnerabilities in IBM Event Endpoint Management
Vendor: IBM Corporation. A remote unauthenticated attacker can use a specially crafted PPD file and execute arbitrary commands on the target system.
Multiple vulnerabilities in IBM Event Streams
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet. The vulnerability allows a remote attacker to execute arbitrary commands on the target system.

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: None
Integrity: High
Availability Impact: None
