CVE-2024-47177

Sep 28, 2024

Published Date: 2024-09-26T22:15:04.740
Last Modified: 2024-09-26T22:15:04.740

CVSS Score: 9 (CRITICAL)

EPSS Score: 0.04%

Risk Score: 6.3 (HIGH)

Risk Score based on CVSS score and EPSS. This score is for reference purposes and is not internationally recognized.


Description: CUPS is a standards-based, open-source printing system, and cups-filters provides backends, filters, and other software for CUPS 2.x to use on non-Mac OS systems. Any value passed to `FoomaticRIPCommandLine` via a PPD file is executed by foomatic-rip as a user-controlled shell command when a job is printed to the queue that uses that PPD. When combined with other logic bugs as described in CVE-2024-47176, this can lead to remote command execution.

MITRE ATT&CK Techniques (v15.1)

T1153 – Source (deprecated)
T1592.002 – Gather Victim Host Information: Software
T1053.002 – Scheduled Task/Job: At

Technical Analysis & Mitigation Measures

1. Technical Attack Analysis:
– T1153 – Source: in ATT&CK this (now deprecated) technique is the execution of commands read from a file through the shell. The mapping is loose; the actual link to this CVE is that foomatic-rip hands the `FoomaticRIPCommandLine` value it reads from a PPD file to a shell, so whoever can supply the PPD decides what runs, with the privileges of the unprivileged account cupsd uses for filters (commonly `lp`), as soon as a job is sent to that queue.

– T1592.002 – Gather Victim Host Information: Software: a reconnaissance technique, not an execution one. In this chain it covers the attacker identifying hosts that run a vulnerable cups-filters/foomatic-rip and a reachable cups-browsed (the component whose exposure is described under CVE-2024-47176) before delivering the malicious PPD.

– T1053.002 – Scheduled Task/Job: At: the PPD command line already gives the attacker command execution, so this technique describes what follows. The filter process ends with the print job, so an attacker who wants to keep access uses `at` or cron from that foothold to re-run a payload, set up a persistent backdoor, or schedule data exfiltration.

Possible Outcomes of Exploitation:
– Unauthorized remote command execution on the affected system, triggered when a job is printed to the attacker-controlled queue.
– Code runs as the account CUPS uses for filters (commonly `lp`), not as root; reaching administrative control requires a separate local privilege escalation.
– Installation of persistent backdoors or malware using scheduled tasks.
– Data exfiltration or manipulation of sensitive information.
– Compromise of network integrity by pivoting to other systems within the network.

2. Mitigation Measures:
– Apply your distribution's fixed packages for cups-filters (foomatic-rip) immediately, together with the cups-browsed fix for CVE-2024-47176 that completes the chain.
– Restrict who can reach cupsd (TCP 631) and cups-browsed (UDP 631): bind them to localhost where remote printing is not needed, otherwise allow only trusted users and network segments.
– Stop and disable cups-browsed where automatic discovery of remote printers is not required; install PPDs only from packaged drivers or vendor files you have verified, never from a remote queue's advertisement.
– Treat `FoomaticRIPCommandLine` and the other Foomatic directives in a PPD as executable content: review every PPD that lands in /etc/cups/ppd before the queue is used.
– Block inbound UDP 631 at network and host firewalls unless a cups-browsed deployment genuinely needs it, and limit IPP (TCP 631) to the segments that print.
– Regularly audit /etc/cups/ppd and the configured queues (`lpstat -v`) for printers nobody added on purpose.
– Employ endpoint detection and response (EDR) to alert on child processes of foomatic-rip or cupsd that are not the usual RIP programs (Ghostscript and driver wrappers), and on new PPD files written by cupsd.
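A practical check that ties the description's mechanism (a `FoomaticRIPCommandLine` value run through a shell) to the audit steps listed above: the script scans the PPDs cupsd has installed for its queues (/etc/cups/ppd/*.ppd), reports every `FoomaticRIPCommandLine` it finds, and flags entries that carry shell syntax or start with a program outside a site allow list. This is an added example, not code from the CUPS or cups-filters projects; the three sample PPD texts and their paths are constructed for the demo, `EXPECTED_PROGRAMS` is a hypothetical site policy, and the handling of `&&` at end of line follows the Foomatic PPD continuation convention as assumed here.

```python
"""Audit CUPS PPD files for FoomaticRIPCommandLine entries, the directive that
foomatic-rip executes through a shell (the sink behind CVE-2024-47177).

Added illustration, not CUPS or cups-filters code. Assumed: the sample PPDs and
paths are constructed, EXPECTED_PROGRAMS is a hypothetical site allow list, and
"&&" at end of line is a Foomatic continuation that foomatic-rip strips."""
import re
import shlex
from dataclasses import dataclass
from pathlib import Path

# Hypothetical site policy: programs expected at the head of a RIP command line.
EXPECTED_PROGRAMS = {"gs", "foo2zjs-wrapper", "foo2hp", "rastertoqpdl", "pnm2ppa"}

# Shell syntax that has no business in a RIP command line. Pipes are deliberately
# absent: legitimate Foomatic PPDs pipe Ghostscript output into a driver wrapper.
SUSPICIOUS = {
    ";": "command separator",
    "$(": "command substitution",
    "`": "command substitution",
    ">": "output redirection",
    "<": "input redirection",
    "\n": "embedded newline",
}

_CMDLINE = re.compile(r'^\*FoomaticRIPCommandLine:\s*"(.*?)"', re.MULTILINE | re.DOTALL)
_FILTER = re.compile(r'^\*cupsFilter2?:\s*"([^"]*)"', re.MULTILINE)

# Constructed sample PPDs (not real vendor files). The second carries the kind of
# command line a rogue queue would ship: a shell chain in front of the real RIP.
SAMPLE_PPDS = {
    "/etc/cups/ppd/office-laser.ppd": """*PPD-Adobe: "4.3"
*ModelName: "Generic mono laser"
*cupsFilter: "application/vnd.cups-postscript 0 foomatic-rip"
*FoomaticRIPCommandLine: "gs -q -dBATCH -dPARANOIDSAFER -dNOPAUSE -sDEVICE=pbmraw &&
-sOutputFile=- - | foo2zjs-wrapper -r600x600"
*End
""",
    "/etc/cups/ppd/rogue-printer.ppd": """*PPD-Adobe: "4.3"
*ModelName: "Friendly Printer"
*cupsFilter: "application/vnd.cups-postscript 0 foomatic-rip"
*FoomaticRIPCommandLine: "id > /tmp/cups-marker; gs -q -dBATCH -dNOPAUSE -sDEVICE=pdfwrite -sOutputFile=- -"
*End
""",
    "/etc/cups/ppd/driverless.ppd": """*PPD-Adobe: "4.3"
*ModelName: "IPP Everywhere"
*cupsFilter2: "application/vnd.cups-pdf application/pdf 10 -"
""",
}


@dataclass
class Finding:
    path: str
    command: str    # command line as foomatic-rip would see it after joining continuations
    active: bool    # True if a cupsFilter line actually routes jobs to foomatic-rip
    programs: list  # head of each shell segment, e.g. ["gs", "foo2zjs-wrapper"]
    reasons: list   # why the entry needs review; empty means it looks normal

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def _join_continuations(cmd: str) -> str:
    # Assumed Foomatic convention: a trailing "&&" wraps a long line and is removed
    # before execution, so audit the joined string, which is what actually runs.
    return re.sub(r"&&\s*\n\s*", "", cmd).strip()


def _program(segment: str) -> str:
    try:
        tokens = shlex.split(segment)
    except ValueError:  # unbalanced quotes: fall back to whitespace splitting
        tokens = segment.split()
    return Path(tokens[0]).name if tokens else ""


def classify(cmd: str):
    """Return (programs, reasons) for one command line."""
    reasons = [why for token, why in SUSPICIOUS.items() if token in cmd]
    segments = [s for s in re.split(r"\|\|?|&&|;", cmd) if s.strip()]
    programs = [p for p in map(_program, segments) if p]
    reasons += [f"unexpected program {p!r}" for p in programs if p not in EXPECTED_PROGRAMS]
    return programs, reasons


def parse_ppd(text: str):
    """Return (command line or None, whether foomatic-rip is wired in as a filter)."""
    match = _CMDLINE.search(text)
    cmd = _join_continuations(match.group(1)) if match else None
    active = any("foomatic-rip" in f for f in _FILTER.findall(text))
    return cmd, active


def audit_texts(ppds: dict) -> list:
    findings = []
    for path, text in ppds.items():
        cmd, active = parse_ppd(text)
        if cmd is not None:
            programs, reasons = classify(cmd)
            findings.append(Finding(path, cmd, active, programs, reasons))
    return findings


def audit_directory(ppd_dir="/etc/cups/ppd") -> list:
    """Audit every installed queue's PPD; cupsd keeps one per queue under /etc/cups/ppd."""
    paths = sorted(Path(ppd_dir).glob("*.ppd"))
    return audit_texts({str(p): p.read_text(errors="replace") for p in paths})


if __name__ == "__main__":
    for f in audit_texts(SAMPLE_PPDS):
        print(f"{'REVIEW' if f.suspicious else 'ok':6} {f.path} active={f.active} programs={f.programs}")
        for r in f.reasons:
            print(f"       - {r}")
```

Run as root with `audit_directory()` on a real host to check the queues cupsd currently has; an entry marked REVIEW whose `active` flag is True is one whose command line will run the next time someone prints to that queue. The allow list is the part to adapt per site, since driver wrappers differ between distributions.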

The content above is generated by AI. Please review and consider carefully before applying!

Reference Links

Vendor - Product - Version

None

Disclaimer

The content on this website is automatically sourced from external websites such as the National Vulnerability Database (NVD), GitHub, and other security-related sources. This content is for reference purposes only, and we are not responsible for the accuracy or integrity of the information linked or displayed from these sources.