Last updated at Mon, 14 Oct 2024 09:42:02 GMT

On Thursday, September 26, 2024, a security researcher publicly disclosed several vulnerabilities affecting different components of OpenPrinting’s CUPS (Common UNIX Printing System). CUPS is a popular IPP-based open-source printing system primarily (but not only) for Linux and UNIX-like operating systems. According to the researcher, a successful exploit chain allows remote unauthenticated attackers to replace existing printers’ IPP URLs with malicious URLs, resulting in arbitrary command execution when a print job is started from the target device.

The vulnerabilities disclosed are:

  • CVE-2024-47176: Affects cups-browsed <= 2.0.1. The service binds on UDP *:631, trusting any packet from any source to trigger a Get-Printer-Attributes IPP request to an attacker-controlled URL.
  • CVE-2024-47076: Affects libcupsfilters <= 2.1b1. cfGetPrinterAttributes5 does not validate or sanitize the IPP attributes returned from an IPP server, providing attacker-controlled data to the rest of the CUPS system.
  • CVE-2024-47175: Affects libppd <= 2.1b1. The ppdCreatePPDFromIPP2 API does not validate or sanitize the IPP attributes when writing them to a temporary PPD file, allowing the injection of attacker-controlled data in the resulting PPD.
  • CVE-2024-47177: Affects cups-filters <= 2.0.1. The foomatic-rip filter allows arbitrary command execution via the FoomaticRIPCommandLine PPD parameter.

According to the researcher's disclosure blog, affected systems are exploitable from the public internet, or across network segments, if UDP port 631 is exposed and the vulnerable service is listening. CUPS is enabled by default on most popular Linux distributions, but exploitability may vary across implementations. As of 6 PM ET on Thursday, September 26, Red Hat has an advisory available noting that they consider this group of vulnerabilities to be of Important severity rather than Critical.

Public exploit code is available. There were roughly 75,000 CUPS daemons exposed to the public internet at time of disclosure, but notably, internet exposure search queries may not be entirely accurate, for instance if they are checking TCP 631 (i.e., the cupsd HTTP-based web administration service) and not UDP 631 (the affected cups-browsed service).

Mitigation guidance

We expect patches and remediation guidance to be forthcoming from affected vendors and distributions over the next few days. While the vulnerabilities are not known to be exploited in the wild at time of disclosure, technical details were leaked before the issues were released publicly, which may mean attackers and researchers have had opportunity to develop exploit code. We advise applying patches and/or mitigations as soon as they are available as a precaution, even if exploitability is more limited in some implementations.

Other mitigation guidance:

  • Disable and remove the cups-browsed service if it is not needed
  • Block or restrict traffic to UDP port 631 (as noted below, this doesn’t prevent exploitation on the LAN)

Rapid7’s own testing confirms that blocking UDP port 631 will not effectively prevent exploitation on the LAN, due to the existence of secondary channels (e.g., mDNS) that can facilitate exploitation.
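
One way to check a host for the exposure described above, as an added example that is not from the original post or from Rapid7's tooling: the function reads `ss -H -lntu` output and keeps the UDP 631 cups-browsed bind apart from the TCP 631 cupsd listener, and also notes mDNS listeners. The function names, verdict labels and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Rapid7 code. Reads `ss -H -lntu` lines on stdin and
# reports the listeners this advisory cares about, keeping UDP 631
# (cups-browsed) apart from TCP 631 (cupsd).
classify_cups_listeners() {
    awk '
    {
        proto = $1; laddr = $5
        n = match(laddr, /:[0-9]+$/)   # port follows the LAST colon (IPv6-safe)
        if (n == 0) next
        addr = substr(laddr, 1, n - 1)
        port = substr(laddr, n + 1)
        wild = (addr == "0.0.0.0" || addr == "*" || addr == "[::]")

        if (proto == "udp" && port == "631" && wild) {
            level = "EXPOSED"
            note = "all-interface bind, as described for CVE-2024-47176"
        } else if (proto == "udp" && port == "631") {
            level = "REVIEW"
            note = "udp/631 limited to " addr
        } else if (proto == "tcp" && port == "631") {
            level = "INFO"
            note = "cupsd IPP/web admin, not the cups-browsed socket"
        } else if (proto == "udp" && port == "5353") {
            level = "INFO"
            note = "mDNS listener, a LAN channel a udp/631 block does not cover"
        } else next
        printf "%s\t%s\t%s\t%s\n", level, proto, laddr, note
    }'
}

# Constructed sample of `ss -H -lntu` output, not captured from a real host.
sample_ss_output() {
    cat <<'EOF'
udp   UNCONN 0      0            0.0.0.0:631        0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:5353       0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:631        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128            [::1]:631           [::]:*
EOF
}

# Demo on the sample; on a host run: ss -H -lntu | classify_cups_listeners
sample_ss_output | classify_cups_listeners
```

An EXPOSED line means the host still needs cups-browsed disabled or patched; a clean result for UDP 631 does not rule out the LAN path through mDNS.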

Rapid7 customers

InsightVM and Nexpose customers can assess their exposure to these CVEs with authenticated checks that look for affected CUPS packages on UNIX-based systems. These checks were released in a second content release at 7:40 PM ET on Thursday, September 26. We expect to update with additional checks in the coming days as vendors release fixes and more information.

InsightIDR and Managed Detection and Response customers have existing detection coverage through Rapid7's expansive library of detection rules. Rapid7 recommends installing the Insight Agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage. Below is a non-exhaustive list of detections that are deployed and will alert on behavior related to exploitation of recent CUPS vulnerabilities:

  • Suspicious Process - IPP Print Process Launching Shell
