Guidance for handling CUPS remote code execution vulnerability using Microsoft Security capabilities
A new critical remote code execution (RCE) vulnerability affecting CUPS (Common Unix Printing System) was published last week, putting organizations running Linux, GNU and other Unix-like systems at risk. In this blog post we demonstrate how you can quickly discover whether your organization is vulnerable to the new critical unauthenticated RCE flaws in CUPS printing systems, and provide guidelines for remediation.
Affected versions:
CVE-2024-47176: cups-browsed binds on UDP port 631, accepting packets from any source. (cups-browsed ≤ 2.0.1)
CVE-2024-47076: libcupsfilters does not validate IPP attributes, allowing attacker-controlled data (libcupsfilters ≤ 2.1b1)
CVE-2024-47175: libppd does not sanitize IPP attributes, enabling data injection. (libppd ≤ 2.1b1)
CVE-2024-47177: foomatic-rip allows arbitrary command execution via the FoomaticRIPCommandLine PPD parameter. (cups-filters ≤ 2.0.)*
* Coverage for this vulnerability is expected shortly.
Impact
A remote attacker can replace or install printers with malicious IPP URLs, leading to arbitrary command execution when a print job is started.
We will demonstrate how organizations can harness the capabilities of attack path analysis together with the Microsoft Defender suite of products to pinpoint and neutralize threats arising from such events. Our examination will center on mapping vulnerabilities, evaluating affected assets, gauging potential impact via blast radius analysis, and implementing effective mitigations.
Recommendations for Mitigation and Best Practices
Mitigating risks associated with vulnerabilities requires a combination of proactive measures and real-time defenses. Here are some recommendations:
Update the CUPS package.
Disable and remove the cups-browsed service if not needed.
Block traffic to UDP port 631 and DNS-SD traffic if not necessary.
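The three mitigation steps above can be checked on a single Linux host before and after remediation. The following script is an added example, not code from the original post: it compares installed package versions against the affected ranges listed above, parses `ss -ulnp` output for anything bound to UDP 631, and reads cups-browsed.conf to see whether remote browsing is still enabled. The sample host data (package versions, `ss` output, config file) is constructed inline; the assumption that an absent BrowseRemoteProtocols directive means the default of remote browsing being on is noted in the code.

```python
"""Host-side audit for the CUPS mitigation steps (added example, not from the
original post). Inputs are passed in as text so the functions run offline on
constructed samples; on a real host feed them the output of `ss -ulnp`,
the package manager, and /etc/cups/cups-browsed.conf."""
import re

# Affected ranges as stated in the post (inclusive upper bounds).
AFFECTED = {
    "cups-browsed": "2.0.1",
    "libcupsfilters": "2.1b1",
    "libppd": "2.1b1",
}


def version_key(v):
    """Turn '2.1b1', '2.0.1' or '2.0.1-1ubuntu1' into a sortable key.
    A pre-release tag (e.g. 'b1') sorts before the plain release."""
    v = v.split("-", 1)[0]                      # drop the distro revision
    m = re.fullmatch(r"([0-9.]+)([a-z]+)?(\d+)?", v)
    if not m:
        raise ValueError(f"unparseable version: {v}")
    nums = tuple(int(x) for x in m.group(1).strip(".").split("."))
    pre = (m.group(2), int(m.group(3) or 0)) if m.group(2) else None
    return (nums, 0 if pre else 1, pre or ())


def is_affected(package, version):
    """True when the installed version lies inside the affected range."""
    bound = AFFECTED.get(package)
    return bound is not None and version_key(version) <= version_key(bound)


def udp_631_listeners(ss_output):
    """Parse `ss -ulnp` output and return the process names bound to UDP 631."""
    procs = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[3].endswith(":631"):
            continue
        # Process info is only shown when ss runs as root; otherwise mark unknown.
        procs += re.findall(r'users:\(\("([^"]+)"', line) or ["<unknown>"]
    return procs


def browsing_enabled(conf_text):
    """Return False only if cups-browsed.conf sets 'BrowseRemoteProtocols none'.
    Assumption: when the directive is absent, the default ('dnssd cups') applies."""
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if parts and parts[0].lower() == "browseremoteprotocols":
            return " ".join(parts[1:]).lower() != "none"
    return True


def audit(installed, ss_output, conf_text):
    """Collect human-readable findings for the three mitigation checks."""
    findings = []
    for pkg, ver in installed.items():
        if is_affected(pkg, ver):
            findings.append(f"{pkg} {ver} is within the affected range (<= {AFFECTED[pkg]})")
    for proc in udp_631_listeners(ss_output):
        findings.append(f"{proc} is listening on UDP 631")
    if browsing_enabled(conf_text):
        findings.append("cups-browsed.conf still enables remote browsing")
    return findings


# Constructed sample input standing in for a real, not yet remediated host.
SAMPLE_INSTALLED = {"cups-browsed": "2.0.1-1", "libcupsfilters": "2.1b2", "libppd": "2.1b1"}
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0            0.0.0.0:631       0.0.0.0:*     users:(("cups-browsed",pid=812,fd=7))
UNCONN 0      0          127.0.0.53%lo:53    0.0.0.0:*     users:(("systemd-resolve",pid=402,fd=13))
"""
SAMPLE_CONF = "# Which protocols to use for remote printers\nBrowseRemoteProtocols dnssd cups\n"

if __name__ == "__main__":
    for finding in audit(SAMPLE_INSTALLED, SAMPLE_SS, SAMPLE_CONF):
        print("FINDING:", finding)
```

Run it as-is to see the four findings for the constructed host; after applying the three steps (updated package, cups-browsed disabled, UDP 631 blocked), the same checks against real host output should return an empty list.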
Mapping the CUPS vulnerability in Your Organization:
The first step in managing an incident is to map the affected software across your organization's assets. The Defender Vulnerability Management solution provides a comprehensive vulnerability assessment across all your devices.
You can also use the following KQL query (or this link). The query searches software vulnerabilities related to the specified CVEs and summarizes them by device name, OS version and device ID:
DeviceTvmSoftwareVulnerabilities
| where CveId has_any ("CVE-2024-47176", "CVE-2024-47076", "CVE-2024-47175")
| summarize by DeviceName, DeviceId, OS=strcat(OSPlatform, "-", OSVersion), SoftwareName, SoftwareVersion
Using Cloud Security Explorer
You can use the Cloud Security Explorer feature within Defender for Cloud to perform queries related to your posture across Azure, AWS, GCP, and code repositories. This allows you to investigate the specific CVE, identify affected machines, and understand the associated risks.
We have created specific queries for this CVE that help you to easily get an initial assessment of the threat this vulnerability creates for your organization, with choices for customization:
Virtual machines vulnerable to OpenPrinting CUPS
Container images with OpenPrinting CUPS critical vulnerabilities
Understanding potential impact with Microsoft Security Exposure Management
Attack paths:
Automated attack path analysis maps out potential attacks starting from exposed resources and tracing the possible routes an attacker might take to compromise critical assets. The analysis identifies exposed cloud compute resources, such as virtual machines and Kubernetes containers, that are vulnerable to remote code execution vulnerabilities, and the possible lateral movement steps the adversary might take in the environment. The attack paths are presented for all the supported cloud environments (Azure, AWS and GCP). To view the paths, filter the view by the following example titles:
Internet exposed Azure VM with RCE vulnerabilities
Internet exposed GCP compute instance with RCE vulnerabilities
Internet exposed AWS EC2 instance with RCE vulnerabilities
Attack path analysis is available both in Microsoft Security Exposure Management and Microsoft Defender for Cloud.
Critical assets:
It is also advisable to filter for critical assets (devices identified as sensitive by the Critical Asset Protection rule engine) that are affected by the vulnerabilities, using the following query or this link:
ExposureGraphNodes
| where NodeProperties has 'criticalityLevel'
| where NodeLabel in ('microsoft.compute/virtualmachines', 'compute.instances', 'ec2.instance', 'device', 'container-image', 'microsoft.hybridcompute/machines')
| join kind=inner (ExposureGraphEdges | where SourceNodeName in ('CVE-2024-47076', 'CVE-2024-47175', 'CVE-2024-47176', 'CVE-2024-47177'))
on $left.NodeId == $right.TargetNodeId
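To make concrete what the attack path view and the critical-asset query above compute, here is an added example (not code from the post or from Microsoft) that models both over a small exposure graph. The node and edge rows are constructed to mirror the shape of ExposureGraphNodes and ExposureGraphEdges (NodeId, NodeLabel, NodeName, NodeProperties; SourceNodeId, SourceNodeName, EdgeLabel, TargetNodeId); the property name exposedToInternet, the edge labels and the asset names are assumptions for the example. critical_assets_affected() reproduces the KQL join (critical assets directly targeted by a CVE edge), while attack_paths() and blast_radius() show the complementary view: a vulnerable internet-exposed asset that is not itself critical can still lead, via lateral movement edges, to one that is.

```python
"""Offline model of the exposure-graph queries (added example, not the post's
own code). Rows are constructed samples shaped like ExposureGraphNodes and
ExposureGraphEdges; property and edge names are assumptions."""
from collections import deque

ASSET_LABELS = {"microsoft.compute/virtualmachines", "compute.instances",
                "ec2.instance", "device", "container-image",
                "microsoft.hybridcompute/machines"}
CUPS_CVES = {"CVE-2024-47076", "CVE-2024-47175", "CVE-2024-47176", "CVE-2024-47177"}

NODES = [  # constructed sample data
    {"NodeId": "n1", "NodeLabel": "microsoft.compute/virtualmachines", "NodeName": "print-gw-01",
     "NodeProperties": {"exposedToInternet": True}},
    {"NodeId": "n2", "NodeLabel": "device", "NodeName": "build-srv-07",
     "NodeProperties": {"criticalityLevel": "High"}},
    {"NodeId": "n3", "NodeLabel": "user", "NodeName": "svc-print", "NodeProperties": {}},
    {"NodeId": "n4", "NodeLabel": "microsoft.compute/virtualmachines", "NodeName": "dc-01",
     "NodeProperties": {"criticalityLevel": "VeryHigh"}},
    {"NodeId": "n5", "NodeLabel": "ec2.instance", "NodeName": "lab-box", "NodeProperties": {}},
]
EDGES = [  # constructed sample data; CVE nodes are sources of "affecting" edges
    {"SourceNodeId": "cve-47176", "SourceNodeName": "CVE-2024-47176", "EdgeLabel": "affecting", "TargetNodeId": "n1"},
    {"SourceNodeId": "cve-47176", "SourceNodeName": "CVE-2024-47176", "EdgeLabel": "affecting", "TargetNodeId": "n2"},
    {"SourceNodeId": "cve-47176", "SourceNodeName": "CVE-2024-47176", "EdgeLabel": "affecting", "TargetNodeId": "n5"},
    {"SourceNodeId": "n1", "SourceNodeName": "print-gw-01", "EdgeLabel": "has credentials of", "TargetNodeId": "n3"},
    {"SourceNodeId": "n3", "SourceNodeName": "svc-print", "EdgeLabel": "can authenticate to", "TargetNodeId": "n4"},
]


def critical_assets_affected(nodes, edges, cves):
    """Same filter-and-join as the KQL: critical assets directly targeted by a CVE edge."""
    critical = {n["NodeId"]: n for n in nodes
                if "criticalityLevel" in n["NodeProperties"] and n["NodeLabel"] in ASSET_LABELS}
    hit = {e["TargetNodeId"] for e in edges if e["SourceNodeName"] in cves}
    return sorted(critical[i]["NodeName"] for i in critical.keys() & hit)


def _outgoing(edges):
    out = {}
    for e in edges:
        out.setdefault(e["SourceNodeId"], []).append(e["TargetNodeId"])
    return out


def attack_paths(nodes, edges, cves, max_nodes=5):
    """Breadth-first walk from internet-exposed assets hit by a CVE edge along
    outgoing edges; return every path (as node names) ending on a critical asset."""
    by_id = {n["NodeId"]: n for n in nodes}
    out = _outgoing(edges)
    vulnerable = {e["TargetNodeId"] for e in edges if e["SourceNodeName"] in cves}
    starts = [i for i in vulnerable if by_id[i]["NodeProperties"].get("exposedToInternet")]
    paths, queue = [], deque((s, [s]) for s in starts)
    while queue:
        node_id, path = queue.popleft()
        if len(path) > 1 and "criticalityLevel" in by_id[node_id]["NodeProperties"]:
            paths.append([by_id[i]["NodeName"] for i in path])
            continue
        if len(path) >= max_nodes:
            continue
        for tgt in out.get(node_id, []):
            if tgt not in path:            # avoid cycles
                queue.append((tgt, path + [tgt]))
    return paths


def blast_radius(nodes, edges, cves):
    """Names of every node reachable downstream of any CVE-affected asset."""
    by_id = {n["NodeId"]: n for n in nodes}
    out = _outgoing(edges)
    seen, stack = set(), [e["TargetNodeId"] for e in edges if e["SourceNodeName"] in cves]
    while stack:
        for tgt in out.get(stack.pop(), []):
            if tgt not in seen:
                seen.add(tgt)
                stack.append(tgt)
    return {by_id[i]["NodeName"] for i in seen}


if __name__ == "__main__":
    print("critical assets directly affected:", critical_assets_affected(NODES, EDGES, CUPS_CVES))
    print("attack paths to critical assets:", attack_paths(NODES, EDGES, CUPS_CVES))
    print("blast radius:", sorted(blast_radius(NODES, EDGES, CUPS_CVES)))
```

In the sample, the critical-asset query alone returns only build-srv-07, while the path walk shows that the non-critical but internet-exposed print-gw-01 leads through a service account to dc-01; fixing the exposed gateway first is what shrinks the blast radius.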
Asset exposure:
Asset Exposure provides a complementary perspective by revealing all the routes leading to vulnerable entities. Using this capability according to the guidelines provided here enables you to identify the areas of the attack surface that can lead to vulnerable resources. Hardening that attack surface reduces the risk of internal vulnerable resources being discovered and exploited.
Conclusion
By following these guidelines and utilizing end-to-end integrated Microsoft Security products, organizations can better prepare for, prevent and respond to attacks, ensuring a more secure and resilient environment. While the above process provides a comprehensive approach to protecting your organization, continual monitoring, updating, and adapting to new threats are essential for maintaining robust security.