Overview
CUPS (Common Unix Printing System) is a widely used printing system for Unix-like operating systems. It allows users to share printers over a network and provides a web-based interface for managing print jobs and configurations. Several vulnerabilities were discovered in September 2024 by Simone Margaritelli:
- CVE-2024-47176: cups-browsed binds on UDP INADDR_ANY:631, trusting any packet from any source to trigger a Get-Printer-Attributes IPP request to an attacker-controlled URL.
- CVE-2024-47076: cfGetPrinterAttributes5 in libcupsfilters does not validate IPP attributes returned from an IPP server.
- CVE-2024-47175: ppdCreatePPDFromIPP2 in libppd does not validate or sanitize the IPP attributes when writing them to the PPD buffer.
- CVE-2024-47177: Command injection via FoomaticRIPCommandLine PPD parameter.
This document demonstrates how Argus can detect and help mitigate these vulnerabilities.
Requirements
- Argus Central Components: An existing deployment of Argus server, indexer, and dashboard.
- Argus Agent: Installed on Linux endpoints.
Scanning for Vulnerable Packages
The Argus Cyber Threat Intelligence (CTI) service delivers real-time intelligence feeds from external sources about known vulnerabilities. This service includes feeds for detecting the CUPS RCE vulnerabilities.
The Argus Vulnerability Detection module identifies vulnerabilities by comparing installed software versions against known vulnerabilities.
Steps to Scan:
- Access the Argus Dashboard: Navigate to the Vulnerability Detection > Inventory page.
- Filter Results: Use the following query to filter for CUPS RCE vulnerabilities:
vulnerability.id:(CVE-2024-47175 OR CVE-2024-47176 OR CVE-2024-47076 OR CVE-2024-47177)
The results will display any vulnerable Linux endpoints with affected CUPS packages installed.
Example:
Affected package: cups-browsed
Vulnerability ID: CVE-2024-47176
Severity: High
Mitigation
- Consult Advisory: Refer to your Linux distribution advisory for mitigation steps.
  - Some distributions, like Ubuntu, have already released patches.
  - If no patches are available, disable the cups-browsed system service or uninstall vulnerable packages.
- Verify Resolution: Run the following query on the Argus dashboard to confirm mitigation:
rule.id:23502 AND data.vulnerability.package.name:cups-browsed
  - Where:
    - rule.id:23502 is triggered when a vulnerability is resolved.
    - data.vulnerability.package.name:cups-browsed specifies the package name.
  - Once resolved, vulnerabilities will disappear from the Vulnerability Detection inventory tab.
Note:
The resolution status of vulnerabilities will show on the Argus dashboard after the Syscollector scan runs. By default, this scan occurs hourly, but you can adjust the frequency if needed.
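An endpoint-side check that complements the dashboard queries above, added here as an example and not part of Argus: it tests for the CVE-2024-47176 condition (a UDP listener on port 631 bound to a wildcard address) after cups-browsed has been disabled or removed. The function names, verdict strings and sample `ss` output are constructed for illustration; pass `--live` to run it against the local host.

```shell
#!/bin/sh
# Added example, not Argus code: local check for the CVE-2024-47176 condition
# (a UDP listener on port 631 bound to a wildcard address).

# Read `ss -H -lun` output on stdin and succeed if a local address is
# wildcard:631 (0.0.0.0, [::] or *). The Netid column is optional, so the
# first field that ends in :<port> is treated as the local address.
udp631_wildcard_bound() {
    awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /:[0-9]+$/) {
                if ($i ~ /^(0\.0\.0\.0|\*|\[::\]):631$/) found = 1
                break
            }
    } END { exit !found }'
}

# $1: output of `systemctl is-active cups-browsed`; $2: socket listing.
# ss does not name the owning process without -p (root), so an EXPOSED
# verdict means "something listens on UDP 631", to be confirmed by hand.
cups_browsed_verdict() {
    if printf '%s\n' "$2" | udp631_wildcard_bound; then
        echo "EXPOSED: UDP 631 bound to a wildcard address"
    elif [ "$1" = "active" ]; then
        echo "REVIEW: cups-browsed active, no wildcard UDP 631 listener"
    else
        echo "OK: cups-browsed not active, UDP 631 not exposed"
    fi
}

# Constructed samples of `ss -H -lun` output (not captured from a real host).
SAMPLE_VULN='UNCONN 0 0 0.0.0.0:631 0.0.0.0:*
UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*'
SAMPLE_FIXED='UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
UNCONN 0 0 0.0.0.0:5353 0.0.0.0:*'

if [ "${1:-}" = "--live" ]; then
    # On an endpoint: query systemd and the kernel socket table.
    cups_browsed_verdict "$(systemctl is-active cups-browsed 2>/dev/null)" \
                         "$(ss -H -lun 2>/dev/null)"
else
    cups_browsed_verdict active   "$SAMPLE_VULN"
    cups_browsed_verdict inactive "$SAMPLE_FIXED"
fi
```

A REVIEW verdict means the service is still running even though no wildcard listener was seen, so the package-level finding in the inventory still applies until the package is patched or removed.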
Detection with Argus
Argus Rule for CUPS Vulnerabilities
Argus detects CUPS vulnerabilities by monitoring installed software versions and checking them against known vulnerability databases. When a vulnerable package is detected, Argus triggers an alert.
Steps to Verify Detection:
- Access the Argus Dashboard:
Navigate to the Discover tab and apply the following query to check for vulnerabilities:
vulnerability.id:(CVE-2024-47175 OR CVE-2024-47176 OR CVE-2024-47076 OR CVE-2024-47177)
- Verify Alerts:
If any vulnerable packages are detected, Argus will generate alerts, providing details about the affected package and the CVE ID.
Verifying Resolution
To ensure that the vulnerability has been resolved, use the following query on the Argus dashboard:
rule.id:23502 AND data.vulnerability.package.name:cups-browsed
This query confirms whether the vulnerable package has been patched or removed. The vulnerability will disappear from the inventory once resolved.