Executive Summary

    On September 26th, 2024, an independent researcher disclosed a critical vulnerability in CUPS, a printing software package commonly used on Linux systems. CUPS may be enabled by default on some Linux distributions, so a server that was never intended or used as a print server may still be vulnerable. Successful exploitation yields remote code execution (RCE) for the attacker, so any externally facing Linux server vulnerable to this bug presents a significant risk to an organization.

    This vulnerability consists of four bugs (CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, CVE-2024-47177) that must be exploited together. Exploitation is possible remotely and without credentials. The initial disclosure provided enough detail for rapid development of weaponized exploits, and public proof of concept (PoC) examples have already been released. Additionally, patches had not been released at the time of writing.

    There are mitigating factors that will reduce the real-world impact, the main one being that exploitation requires manual user interaction: a user must be tricked into printing to a malicious, attacker-controlled fake printer. The risk remains real, and we expect financially motivated threat actors to deploy custom weaponized versions of this exploit immediately. Affected organizations should apply the recommended mitigation steps as soon as possible.

    Affected Systems or Products

    The following CUPS software components and corresponding versions are vulnerable: 

    • cups-browsed <= 2.0.1 

    • libcupsfilters <= 2.1b1 

    • libppd <= 2.1b1 

    • cups-filters <= 2.0.1 

    Mitigations / Workarounds

    Most Internet-facing Linux hosts should not need CUPS to be publicly reachable, so the browsing service should simply be stopped and disabled:

    sudo systemctl stop cups-browsed 
    sudo systemctl disable cups-browsed 

    Organizations can additionally block inbound UDP traffic to port 631, the default port for CUPS.
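    The following POSIX shell script is an added example, not part of the advisory, for verifying that the two mitigations above have actually taken effect on a host. The parsing functions take command output as text so they can be exercised against a constructed sample of `ss -lun` output; the live section at the end only runs when `systemctl` and `ss` are available. Whether the service unit is named exactly `cups-browsed` on a given distribution is an assumption taken from the commands above.

```shell
#!/bin/sh
# Added example (not from the advisory): report whether cups-browsed is still
# enabled or running, and whether anything is bound to UDP 631.

# Return 0 (needs mitigation) if the unit is enabled at boot or currently
# active. Arguments are the plain outputs of
#   systemctl is-enabled cups-browsed   and   systemctl is-active cups-browsed
cups_browsed_needs_mitigation() {
    enabled_state=$1
    active_state=$2
    [ "$enabled_state" = "enabled" ] || [ "$active_state" = "active" ]
}

# Return 0 if the given `ss -lun` output (UDP listeners, numeric ports) shows
# any socket whose local address ends in :631, e.g. 0.0.0.0:631 or [::]:631.
udp631_listening() {
    printf '%s\n' "$1" | awk '
        NR > 1 {
            for (i = 1; i <= NF; i++)
                if ($i ~ /:631$/) found = 1
        }
        END { exit !found }'
}

# Live check: only meaningful on a systemd host with iproute2 installed.
if command -v systemctl >/dev/null 2>&1 && command -v ss >/dev/null 2>&1; then
    en=$(systemctl is-enabled cups-browsed 2>/dev/null || true)
    ac=$(systemctl is-active cups-browsed 2>/dev/null || true)
    if cups_browsed_needs_mitigation "$en" "$ac"; then
        echo "cups-browsed is enabled=$en active=$ac:" \
             "run 'sudo systemctl stop cups-browsed' and 'sudo systemctl disable cups-browsed'"
    else
        echo "cups-browsed is neither enabled nor running"
    fi
    if udp631_listening "$(ss -lun)"; then
        echo "WARNING: a UDP listener is still bound to port 631"
    else
        echo "no UDP listener on port 631"
    fi
fi
```

    Run it once after applying the mitigation and again after a reboot, since a unit that was only stopped but not disabled will come back. The port check is deliberately independent of the service check: a listener on UDP 631 after cups-browsed is disabled indicates some other component is still exposing the port and the firewall rule is the remaining control.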

    Patches

    Patches were not available at time of writing but are reported to be in development. This document will be updated when vendor patches are released. 

    Technical Details

    As previously mentioned, the issue is four separate vulnerabilities that must be chained together to achieve RCE on a victim host. The attack chain is as follows:

    1. An attacker sends a specially crafted packet to a vulnerable server.

    2. The packet causes the target to connect to a fake, attacker-controlled printer.

    3. The fake printer sends back a malicious configuration file.

    4. A victim user is tricked into starting a print job on the target server.

    5. The malicious configuration file executes arbitrary code.


    How Beazley Security is responding

    Beazley Security is monitoring client perimeter devices discovered by our Attack Surface Management solution, Karma, to identify potentially impacted devices and to support organizations in remediating any issues found.