CVE-2024-47175

Improper Input Validation (CWE-20)

Published: Sep 26, 2024 / Updated: 54d ago

CVSS 8.6 (High) / EPSS 0.04%

Summary

A security issue was found in OpenPrinting CUPS. The function ppdCreatePPDFromIPP2 in the libppd library, which generates PostScript Printer Description (PPD) files from Internet Printing Protocol (IPP) responses, does not validate or sanitize IPP attributes before writing them to a temporary PPD file. A remote attacker who controls or has hijacked an exposed printer (through UDP or mDNS) could send a crafted IPP attribute and potentially insert malicious commands into the PPD file.
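
The failure mode described above, sketched as an added example (not code from libppd or the upstream patch): a value copied verbatim into a quoted PPD line can close the quote and start a new keyword line, while a checked formatter rejects it. The function names, the choice of the NickName keyword and the sample strings are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* True only if an IPP-supplied string can sit inside a PPD quoted value
 * without closing the quote or starting a new line. */
static bool ppd_value_is_safe(const char *s)
{
    if (s == NULL)
        return false;
    for (const unsigned char *p = (const unsigned char *)s; *p; p++)
        if (*p < 0x20 || *p == 0x7f || *p == '"')
            return false;
    return true;
}

/* "Before": copies the value verbatim, as the summary describes. */
static int format_attr_unchecked(char *out, size_t n, const char *kw, const char *val)
{
    return snprintf(out, n, "*%s: \"%s\"\n", kw, val);
}

/* "After": refuses unsafe or truncated values; returns -1 on rejection. */
static int format_attr_checked(char *out, size_t n, const char *kw, const char *val)
{
    if (!ppd_value_is_safe(val))
        return -1;
    int len = snprintf(out, n, "*%s: \"%s\"\n", kw, val);
    return (len < 0 || (size_t)len >= n) ? -1 : len;
}

/* Number of PPD lines in a buffer (count of '\n'). */
static int count_lines(const char *buf)
{
    int lines = 0;
    for (; *buf; buf++)
        lines += (*buf == '\n');
    return lines;
}

int main(void)
{
    /* Constructed sample: a quote and newline smuggle in a second keyword. */
    const char *hostile = "Example\"\n*Extra: \"x";
    char buf[128];

    format_attr_unchecked(buf, sizeof buf, "NickName", hostile);
    printf("unchecked output has %d lines\n", count_lines(buf));
    printf("checked result: %d\n",
           format_attr_checked(buf, sizeof buf, "NickName", hostile));
    return 0;
}
```

The keyword argument is treated as a program constant here; only the printer-supplied value is checked.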

Impact

This vulnerability has a high severity with a CVSS v3.1 base score of 8.6. It allows for remote exploitation without requiring user interaction or privileges. The primary impact is on integrity, rated as HIGH, with no impact on confidentiality or availability. The vulnerability can potentially lead to remote code execution (RCE) when combined with other vulnerabilities. Given its network attack vector and low attack complexity, this vulnerability poses a significant risk to affected systems, particularly those with exposed printers or print servers.

Exploitation

There is no evidence that a public proof-of-concept exists. Its exploitation has been reported by various sources, including attackerkb.com.

Patch

A patch was made available on 2024-09-27. The security team should check the provided URL (https://bugzilla.redhat.com/show_bug.cgi?id=2314256) for more information about the patch and its availability.

Mitigation

While waiting for an official patch or if unable to immediately apply the available patch, consider the following mitigation strategies:

1. Limit network access to CUPS servers to trusted networks and users only.
2. Monitor and audit any unusual activities related to CUPS and printing services.
3. Implement strong input validation for any data passed to CUPS, especially in network-facing components.
4. Consider disabling or restricting the use of Foomatic if not essential for operations.
5. Keep CUPS and related components up to date with the latest stable versions.
6. Implement network segmentation to isolate printing services from critical systems.
7. Regularly review and update printer configurations to ensure they adhere to security best practices.
8. If possible, disable or limit the use of UDP or mDNS for printer discovery to reduce the attack surface.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

Timeline

Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (380563)

Sep 26, 2024 at 7:53 AM
First Article

Feedly found the first article mentioning CVE-2024-47175.

Sep 26, 2024 at 8:33 PM / Cybersecurity
Threat Intelligence Report

CVE-2024-47175 is a critical vulnerability in libppd versions up to 2.1b1, where the library fails to validate or sanitize IPP attributes when writing to a temporary PPD file, allowing for the injection of attacker-controlled data. The details provided do not specify a CVSS score, exploitation in the wild, proof-of-concept exploits, mitigations, detections, patches, or downstream impacts on third-party vendors. Further investigation is needed to assess the full scope and implications of this vulnerability.

Sep 26, 2024 at 8:40 PM
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Sep 26, 2024 at 9:24 PM
CVE Assignment

NVD published the first details for CVE-2024-47175

Sep 26, 2024 at 10:15 PM
CVSS

A CVSS base score of 8.6 has been assigned.

Sep 26, 2024 at 10:20 PM / nvd
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (514131)

Sep 27, 2024 at 3:15 AM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (514130)

Sep 27, 2024 at 3:15 AM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (244433)

Sep 27, 2024 at 7:53 AM

Affected Systems

Openprinting/CUPS

Patches

bugzilla.redhat.com

Links to MITRE ATT&CK

T1562.003: Impair Command History Logging

Attack Patterns

CAPEC-10: Buffer Overflow via Environment Variables

Vendor Advisory

Oracle Linux Bulletin - October 2024
Oracle Id: linuxbulletinoct2024 Release Date: 2024-10-15 Update Date: 2024-10-15 Description The Oracle Linux Bulletin lists all CVEs that had been resolved and announced in Oracle Linux Security Advisories (ELSA) in the last one month prior to the release of the bulletin. Oracle Linux Bulletins are published on the same day as Oracle Critical Patch Updates are released. These bulletins will also be updated for the following two months after their release (i.e., the two months between the normal quarterly Critical Patch Update publication dates) to cover all CVEs that had been resolved in those two months following the bulletin's publication. In addition, Oracle Linux Bulletins may also be updated for vulnerability issues deemed too critical to wait for the next scheduled bulletin publication date. Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Oracle Linux Bulletin security patches as soon as possible. Oracle Linux Risk Matrix (Revision: 1 Published on 2024-10-15) CVE-2024-3596 CVSS Base Score :9.0 CVSS Vector :CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H Product :

References

OOTB Rules and Security Content Updates (October 2024)
Suricata Suricata baseline deviation from expected IP requests New Detect an unusually high number of unique IP addresses connecting to a server, which could indicate a Distributed Denial-of-Service (DDoS) attack, a scanning attempt, or other forms of malicious activities. OSSEC OSSEC Alert: Multiple authentication failures New Detect when multiple failed authentication attempts are detected by OSSEC.
CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, CVE-2024-47177: Everything you need to know
These vulnerabilities are unlikely to be exploited in most cloud environments due to their requirements for exposing UDP port 631 and needing the victim to attempt a print request as part of the currently disclosed exploitation method. While no successful exploitation has been reported in the wild as of today, September 29, 2024, Wiz Threat Research has observed the following IPs attempting UDP communication through port 631, most likely scanning this port for malicious purposes or as part of security research -

News

Multiple vulnerabilities in OpenShift API for Data Protection (OADP) 1.3
A remote attacker on the local network can pass specially crafted data to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
RHSA-2024:9960: Important: OpenShift API for Data Protection (OADP) 1.3.4 security and bug fix update
OpenShift API for Data Protection (OADP) 1.3.4 is now available. Red Hat Product Security has rated this update as having a security impact of Important. OpenShift API for Data Protection (OADP) enables you to back up and restore application resources, persistent volume data, and internal container images to external backup storage.
[ALSA-2024:9470] Low: cups security update
AlmaLinux Security Advisory: ALSA-2024:9470 Release Date: 2024-11-12 Update Date: 2024-11-18 Severity: Low Advisory Type: Security CVE : CVE-2024-47175 Description The Common UNIX Printing System (CUPS) provides a portable printing layer for Linux, UNIX, and similar operating systems. Security Fix(es): * cups: libppd:
How our new engine framework helped address the critical CUPS vulnerability within the day
Within the day, customers could test whether they were vulnerable thanks to the rollout of a new scanning engine framework that reinvents how Detectify operates under the hood, allowing for a faster and more efficient response to security threats. As soon as the CUPS flaw was detected, Detectify entered war-room mode to build a test for the vulnerability and ensure that customers were kept safe against such a critical threat.
Squid, Binutils, Evolution, and more updates for Oracle Linux
Oracle Linux has issued many security upgrades, including squid, binutils, evolution, webkit2gtk3, .NET 6.0, and cups-filters. They also solve vulnerabilities with the cups-filters and giflib security features in Oracle Linux 7.

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: None
Integrity: High
Availability Impact: None
