CUPS (Common Unix Printing System) is a widely used printing system for Unix-like operating systems. It allows users to share printers over a network and provides a web-based interface for managing print jobs and configurations. However, in September 2024, several vulnerabilities were discovered in CUPS by Simone Margaritelli that could grant an attacker remote code execution (RCE) capability.

The vulnerabilities are:

  • CVE-2024-47176 (cups-browsed <= 2.0.1): cups-browsed binds on UDP INADDR_ANY:631 trusting any packet from any source to trigger a Get-Printer-Attributes IPP request to an attacker-controlled URL.
  • CVE-2024-47076 (libcupsfilters <= 2.1b1): cfGetPrinterAttributes5 does not validate IPP attributes returned from an IPP server.
  • CVE-2024-47175 (libppd <= 2.1b1): ppdCreatePPDFromIPP2 does not validate or sanitize the IPP attributes when writing them to the PPD buffer.
  • CVE-2024-47177 (cups-filters <= 2.0.1): Command injection via FoomaticRIPCommandLine PPD parameter.

Fortunately, the CUPS service is not installed or enabled by default on most Linux endpoints. Regardless, it is important to check that these vulnerabilities do not exist on them.

Scan for vulnerable packages with Wazuh

The Wazuh Cyber Threat Intelligence (CTI) service delivers real-time intelligence feeds from external sources about known vulnerabilities. This service already includes vulnerability feeds for detecting the CUPS RCE vulnerabilities: CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177.

The Wazuh Vulnerability Detection module enables the identification of vulnerabilities in software and operating systems. It does this by comparing installed software versions against known vulnerabilities sourced from the Wazuh CTI service.
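As an added illustration of that version comparison (example code written for this post, not Wazuh's own implementation), the following Python maps the four advisory entries listed above onto a package inventory and reports which CVE applies. The inventory is constructed, and the ordering rule that treats a pre-release tag such as 2.1b1 as older than the final 2.1 is an assumption about upstream CUPS versioning.

```python
import re

# Affected package ceilings (inclusive "<=") as listed in the advisory above.
AFFECTED = {
    "cups-browsed":   ("2.0.1", "CVE-2024-47176"),
    "libcupsfilters": ("2.1b1", "CVE-2024-47076"),
    "libppd":         ("2.1b1", "CVE-2024-47175"),
    "cups-filters":   ("2.0.1", "CVE-2024-47177"),
}

def version_key(version):
    """Turn an upstream version string into a tuple that sorts correctly.
    Numeric components compare numerically, and a pre-release tag such as
    b1 or rc2 sorts below the final release, so 2.1b1 < 2.1 < 2.1.1.
    A distribution suffix after '-', '+' or '~' (2.0.1-1) is ignored."""
    base = re.split(r"[-+~]", version, maxsplit=1)[0]
    key = []
    for part in base.split("."):
        m = re.fullmatch(r"(\d+)([A-Za-z]+)?(\d+)?", part)
        if not m:
            raise ValueError(f"unparseable version component: {part!r}")
        num, tag, tagnum = m.groups()
        # (n, 1) marks a final release; (n, 0, tag, k) a pre-release of n.
        key.append((int(num), 0, tag, int(tagnum or 0)) if tag else (int(num), 1))
    return tuple(key)

def find_affected(inventory):
    """inventory: iterable of (package name, version) pairs, in the shape a
    Syscollector package list gives. Returns (name, version, CVE) per hit."""
    hits = []
    for name, version in inventory:
        if name in AFFECTED:
            ceiling, cve = AFFECTED[name]
            if version_key(version) <= version_key(ceiling):
                hits.append((name, version, cve))
    return hits

# Constructed sample inventory (not real scan output), mixing affected,
# fixed and unrelated packages.
SAMPLE_INVENTORY = [
    ("cups-browsed", "2.0.1-1"),   # at the ceiling; distro suffix ignored
    ("libcupsfilters", "2.0.0"),   # below 2.1b1
    ("libppd", "2.1"),             # final 2.1 is newer than 2.1b1
    ("cups-filters", "2.0.2"),     # above the 2.0.1 ceiling
    ("openssl", "3.0.13"),         # not in the advisory
]
if __name__ == "__main__":
    for name, version, cve in find_affected(SAMPLE_INVENTORY):
        print(f"{name} {version} is affected by {cve}")
```

Distributions frequently backport fixes without changing the upstream version, so a hit from a check like this is a prompt to consult the distribution advisory, not proof that the endpoint is exploitable.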

Requirements

You need to fulfill the following requirements to scan endpoints for vulnerabilities:

Vulnerability scan results

Wazuh dashboard

Navigate to the Vulnerability Detection > Inventory page of the Wazuh dashboard to view all vulnerabilities. Apply the following query in the search bar to filter for the CUPS RCE vulnerabilities: vulnerability.id:(CVE-2024-47175 OR CVE-2024-47176 OR CVE-2024-47076 OR CVE-2024-47177).

The results below are from a vulnerable Linux endpoint that has cups and other related vulnerable packages installed.

(Screenshots: CUPS Linux endpoint; CUPS Vulnerability Detection)

Mitigation

Consult your Linux distribution advisory for the most effective mitigation strategy.

  • Some distributions, like Ubuntu, have already released patches to fix the vulnerabilities.
  • Others recommend that you disable the cups-browsed system service, although the Wazuh Vulnerability Detection module will still flag the vulnerable package.
  • An alternative is to uninstall the vulnerable packages if no patches are available.

Wazuh dashboard

Perform the steps below on the Wazuh dashboard to verify that cups and all related vulnerable packages have been removed or patched (updated).

Note: The resolution status of the vulnerability will show up on the Wazuh dashboard after the Syscollector scan runs on your endpoint. By default, this scan happens every hour, but you can adjust the frequency if needed.

Apply the following query to the search bar of the Discover tab to filter for the status of the CUPS vulnerability on endpoints:

rule.id:23502 AND data.vulnerability.package.name:cups-browsed

Where:

  • rule.id:23502 matches the alert triggered when a vulnerability is resolved on an endpoint.
  • data.vulnerability.package.name:cups-browsed filters on the affected package name, which is cups-browsed in this case.

(Screenshot: Wazuh dashboard CUPS)

Once resolved, the vulnerabilities will disappear from the Vulnerability Detection inventory tab of the Wazuh dashboard.

Conclusion

The discovery of remote code execution vulnerabilities in CUPS underscores the need for a proactive approach to security. With Wazuh, you can detect vulnerable versions of CUPS, mitigate the risks, and confirm that vulnerabilities are patched. Wazuh provides vulnerability detection capabilities and also offers continuous monitoring to keep your systems secure in the long term.
