A critical set of vulnerabilities in the Common Unix Printing System (CUPS) has been disclosed, allowing remote attackers to execute arbitrary code on target systems without valid credentials or prior access.
The vulnerabilities tracked as CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177 affect all GNU/Linux systems and potentially others.
To help organizations identify vulnerable systems, a new vulnerability scanner has been developed specifically for CVE-2024-47176, which targets the cups-browsed daemon.
This scanner is designed to scan local networks for vulnerable cups-browsed instances, providing a crucial tool for IT security teams to assess and mitigate these risks.
Vulnerability Scanner Released For CUPS
CUPS is an open-source framework for managing and controlling printers on UNIX and UNIX-like systems.
The vulnerabilities in question allow a remote attacker to add or re-configure network printers in such a way that they will execute arbitrary code when users try to print from them.
The CVE-2024-47176 vulnerability arises from the fact that cups-browsed binds its control port (UDP port 631) to INADDR_ANY, exposing it to the world and allowing unauthenticated requests.
The scanner works by sending a specially crafted UDP packet to cups-browsed on UDP port 631, causing it to reach out to a malicious URL under the attacker’s control.
However, instead of exploiting the RCE vulnerability, the scanner uses this mechanism to trigger a vulnerable cups-browsed instance to issue a HTTP request (callback) to the scanner’s own server, identifying itself as vulnerable.
The scanner, named cups_scanner.py, handles everything for the user, including setting up a temporary HTTP server and sending UDP packets to the specified IP range. The tool can be downloaded from GitHub.
The HTTP server captures callbacks from vulnerable cups-browsed instances and logs them to disk. The scanner provides user-friendly logs and raw HTTP requests, making identifying and addressing vulnerable systems easy.
To scan a CIDR range, such as 10.0.0.0/24, from an IP address 10.0.0.1, hosting the callback server on port 1337, the following command can be used:
python3 cups_scanner.py --targets 10.0.0.0/24 --callback 10.0.0.1:1337
Multiple CIDRs can also be scanned by separating them with commas:
python3 cups_scanner.py --targets 10.0.0.0/24,10.0.1.0/24 --callback 10.0.0.1:1337
Until patches are available, organizations are advised to disable and remove the cups-browsed service if it’s not necessary and block or restrict traffic to UDP port 631.
Red Hat and other Linux distributions are currently working on patches to address these issues.
The release of this vulnerability scanner provides a critical tool for IT security teams to identify and mitigate these risks, ensuring the security of their networks and systems. Organizations are urged to take immediate action to protect against these vulnerabilities.