Exploit
CVE-2024-47176

Binding to an Unrestricted IP Address (CWE-1327)

Published: Sep 26, 2024 / Updated: 54d ago

CVSS 5.3 / EPSS 0.05% / Medium

Summary

A critical vulnerability has been discovered in OpenPrinting CUPS, specifically in the cups-browsed component. This component, responsible for discovering printers on a network and adding them to the system, binds to all interfaces on UDP port 631 and accepts custom packets from any untrusted source. The vulnerability can be exploited from outside the local area network if the computer is exposed to the public internet. When a printer is discovered, either through a UDP packet or mDNS, its IPP or IPPS URL is automatically contacted by cups-browsed, and a Get-Printer-Attributes request is sent. This can potentially leak sensitive system information to an attacker via the User-Agent header.

Impact

The impact of this vulnerability is severe. An attacker can potentially execute arbitrary commands on the target system remotely without authentication. This could lead to complete system compromise, including:

1. Unauthorized access to sensitive data
2. Installation of malware or backdoors
3. Use of the compromised system as a launching point for further attacks
4. Disruption of printing services and other system operations

The vulnerability is particularly concerning because it can be exploited from the public internet, potentially exposing a large number of systems to remote attacks if their CUPS services are enabled and exposed. The CVSS v3 base score for this vulnerability is 8.3, indicating a high severity level with a network attack vector, high attack complexity, and no required privileges but required user interaction.

Exploitation

One proof-of-concept exploit is available on github.com. Its exploitation has been reported by various sources, including reddit.com.

Patch

A patch has been added on 2024-09-27, as indicated by the patchDetails in the vulnerability data. The security team should check the provided URL (https://bugzilla.redhat.com/show_bug.cgi?id=2314252) for the latest information on the patch and its availability for their specific systems.

Mitigation

While waiting for an official patch to be fully implemented, the following mitigation steps are recommended:

1. Disable or limit access to the cups-browsed service if it's not critically needed.
2. If the service must remain active, use firewall rules to restrict access to port 631 only from trusted networks or hosts.
3. Implement network segmentation to isolate printing services from critical systems and the public internet.
4. Regularly monitor system logs for any suspicious activities related to CUPS or printing services.
5. Keep the CUPS software and all related components up to date with the latest stable versions.
6. Consider using application whitelisting to prevent unauthorized command execution.
7. Implement strong authentication mechanisms for accessing printing services, even though this vulnerability bypasses authentication.

Given the high severity of this vulnerability (CVSS score 8.3) and its potential for remote exploitation without authentication, patching should be prioritized as soon as an official patch becomes available. In the meantime, implement the above mitigation strategies to reduce the risk of exploitation.
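To verify the first two steps on a host, the following added example (not code from the advisory or from OpenPrinting) flags UDP port 631 sockets bound to a wildcard address, which is the condition CWE-1327 describes. It assumes input in the format printed by `ss -H -ulnp` from iproute2; the function name and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: report UDP/631 listeners bound to every interface.
# Input (stdin): lines as printed by `ss -H -ulnp` (iproute2).
# Output: "<local-address> <process-field or ->" per wildcard bind.
# Exit status: 1 if at least one wildcard bind on port 631 exists, else 0.
find_wildcard_631() {
    awk '
    {
        laddr = ""; proc = "-"
        for (i = 1; i <= NF; i++) {
            # The first field containing ":" is the local address:port.
            if (laddr == "" && index($i, ":") > 0) { laddr = $i; continue }
            # With -p, ss appends a users:((...)) field naming the owner.
            if ($i ~ /^users:/) proc = $i
        }
        if (laddr == "") next
        # The port is whatever follows the last ":" (handles [::]:631).
        n = split(laddr, parts, ":")
        port = parts[n]
        addr = substr(laddr, 1, length(laddr) - length(port) - 1)
        if (port == "631" && (addr == "0.0.0.0" || addr == "*" || addr == "[::]")) {
            print addr, proc
            found = 1
        }
    }
    END { exit (found ? 1 : 0) }'
}

# Constructed sample input (not captured from a real host):
# one wildcard bind, one unrelated socket, one loopback bind, one LAN bind.
SAMPLE_SS='UNCONN 0 0 0.0.0.0:631 0.0.0.0:* users:(("cups-browsed",pid=1234,fd=7))
UNCONN 0 0 127.0.0.1:323 0.0.0.0:*
UNCONN 0 0 [::1]:631 [::]:*
UNCONN 0 0 192.168.1.10:631 0.0.0.0:*'

# Demonstration on the sample; on a live host use: ss -H -ulnp | find_wildcard_631
printf '%s\n' "$SAMPLE_SS" | find_wildcard_631 \
    || echo "UDP 631 is bound to all interfaces: disable cups-browsed or firewall the port"
```

A socket bound to a specific LAN address, like the last sample line, is not flagged but is still reachable from that network, so the firewall and segmentation steps apply to it as well.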

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Timeline

Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (380563)

Sep 26, 2024 at 7:53 AM
First Article

Feedly found the first article mentioning CVE-2024-47176. See article

Sep 26, 2024 at 8:33 PM / Cybersecurity
Threat Intelligence Report

CVE-2024-47176 is a critical vulnerability in cups-browsed (up to version 2.0.1) that allows attackers to exploit improperly validated URLs received during printer discovery, potentially leading to arbitrary URL requests. A proof-of-concept exploit is available, and while there is no patch currently, mitigations include disabling cups-browsed and stopping UDP traffic on port 631. The vulnerability poses risks primarily to systems using CUPS for printing, particularly if they are exposed to local network attacks. See article

Sep 26, 2024 at 8:36 PM
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Sep 26, 2024 at 8:57 PM
Exploitation in the Wild

Attacks in the wild have been reported by Managed Service Providers. See article

Sep 26, 2024 at 9:56 PM / Managed Service Providers
CVE Assignment

NVD published the first details for CVE-2024-47176

Sep 26, 2024 at 10:15 PM
CVSS

A CVSS base score of 8.3 has been assigned.

Sep 26, 2024 at 10:20 PM / nvd
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (244433)

Sep 27, 2024 at 7:53 AM
Vendor Advisory

RedHat released a security advisory (RHSA-2024:7346).

Sep 27, 2024 at 8:00 AM

Affected Systems

Linux

Exploits

https://github.com/mr-r3b00t/CVE-2024-47176

Patches

bugzilla.redhat.com

Links to MITRE ATT&CK

T1574.010: Services File Permissions Weakness

Attack Patterns

CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs

Vendor Advisory

Oracle Linux Bulletin - October 2024
Oracle Id: linuxbulletinoct2024 Release Date: 2024-10-15 Update Date: 2024-10-15 Description The Oracle Linux Bulletin lists all CVEs that had been resolved and announced in Oracle Linux Security Advisories (ELSA) in the last one month prior to the release of the bulletin. Oracle Linux Bulletins are published on the same day as Oracle Critical Patch Updates are released. These bulletins will also be updated for the following two months after their release (i.e., the two months between the normal quarterly Critical Patch Update publication dates) to cover all CVEs that had been resolved in those two months following the bulletin's publication. In addition, Oracle Linux Bulletins may also be updated for vulnerability issues deemed too critical to wait for the next scheduled bulletin publication date. Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Oracle Linux Bulletin security patches as soon as possible. Oracle Linux Risk Matrix (Revision: 1 Published on 2024-10-15) CVE-2024-3596 CVSS Base Score :9.0 CVSS Vector :CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H Product :

References

Amazon Linux 2023 : cups-filters, cups-filters-devel, cups-filters-libs (ALAS2023-2024-723)
CUPS is a standards-based, open-source printing system, and `libcupsfilters` contains the code of the filters of the former `cups-filters` package as library functions to be used for the data format conversion tasks needed in Printer Applications. CUPS is a standards-based, open-source printing system, and `cups-browsed` contains network printing functionality including, but not limited to, auto-discovering print services and shared printers.
CVE-2024-47176 Vulnerability Scanner (Cups-Browsed)
For example, a UDP packet containing the following: would trigger cups-browsed to issue a HTTP request to . Typically, an attacker would begin the exploitation process by sending a specially crafted request to cups-browsed on UDP port 631, causing it to reach out to a malicious URL under their control.
Comprendre la vulnérabilité de CUPS : Ce qu'il faut savoir
Remote Targets: These are hosts that expose a vulnerable CUPS version (<= 2.0.1) to the public internet while running the affected cups-browsed service. In simplified terms, CVE-2024-47176 lets attackers exploit the CUPS printing service by sending a specially crafted, unauthenticated packet to its UDP port.

News

How our new engine framework helped address the critical CUPS vulnerability within the day
Within the day, customers could test whether they were vulnerable thanks to the rollout of a new scanning engine framework that reinvents how Detectify operates under the hood, allowing for a faster and more efficient response to security threats. As soon as the CUPS flaw was detected, Detectify entered war-room mode to build a test for the vulnerability and ensure that customers were kept safe against such a critical threat.
Squid, Binutils, Evolution, and more updates for Oracle Linux
Oracle Linux has issued many security upgrades, including squid, binutils, evolution, webkit2gtk3, .NET 6.0, and cups-filters. They also solve vulnerabilities with the cups-filters and giflib security features in Oracle Linux 7.
Multiple vulnerabilities in IBM Event Endpoint Management
Vendor IBM Corporation A remote unauthenticated attacker can use a specially crafted PPD file and execute arbitrary commands on the target system.
Multiple vulnerabilities in IBM Event Streams
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet. The vulnerability allows a remote attacker to execute arbitrary commands on the target system.
Oracle Linux 7 : cups-filters (ELSA-2024-7553)
The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2024-7553 advisory. The remote Oracle Linux host is missing one or more security updates.

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability Impact: None
