Detecting and Mitigating Remote Code Execution Exploits in CUPS

CUPS vulnerabilities allow unauthenticated remote attackers to add fake printers and execute arbitrary commands via the cups-browsed and foomatic-rip processes, affecting many Unix/Linux distributions. Immediate mitigation includes patching the four CVEs and disabling or blocking access to the cups-browsed service on UDP/TCP port 631. #CUPS #cups-browsed

Keypoints

  • Four CVEs (CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, CVE-2024-47177) enable a chain leading to remote command execution in CUPS.
  • Exploitation targets the cups-browsed daemon, typically listening on UDP port 631, which accepts unauthenticated requests.
  • The attack flow uses vulnerabilities that bypass validation/sanitization and then execute supplied data via the foomatic-rip process.
  • Severity: three vulnerabilities rated High and one rated Critical, requiring prompt patching or mitigations.
  • Detection: watch for foomatic-rip spawning shell commands and any process listening on UDP/TCP port 631; Falco/Sysdig rules are provided.
  • Mitigation options: apply vendor patches, stop/disable cups-browsed, restart CUPS, and block UDP/TCP port 631 at the firewall.
  • Sysdig provides vulnerability inventory, runtime detection rules, and automated response actions (kill process/container, syscall capture).

MITRE Techniques

  • [T1203] Exploitation for Client Execution – Vulnerabilities in CUPS are used to execute arbitrary commands on the target system ("a remote attacker is able to execute arbitrary commands on the affected system.")
  • [T1068] Exploitation for Privilege Escalation – Commands initially run as the limited 'lp' user but misconfigurations may enable escalation ("Although the commands run under the 'lp' user with limited privileges, this still poses a risk due to the possibility of privilege escalations and misconfigurations")
  • [T1070] Indicator Removal on Host / Defense Evasion – Attackers may leverage CUPS flaws to avoid detection and blend activity with normal printing processes ("Exploiting CUPS vulnerabilities may allow attackers to evade detection.")
  • [T1071] Application Layer Protocol – Post-exploitation command execution uses the foomatic-rip process as a channel for attacker-controlled commands ("Using the 'foomatic-rip' process for command execution as part of post-exploitation.")

Indicators of Compromise

  • [CVE] vulnerability identifiers – CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, CVE-2024-47177
  • [Port] targeted service port – UDP/TCP port 631 (cups-browsed listens here and may be exposed)
  • [Process] suspicious process names – foomatic-rip (executes attacker-supplied commands), cups-browsed (listening daemon)
  • [URLs] vendor/research references – https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/, https://sysdig.com/blog/detecting-and-mitigating-remote-code-execution-exploits-in-cups/

Check exposure by verifying the cups-browsed service and any listeners on port 631: sudo systemctl status cups-browsed and sudo ss -lntup | grep 631. If cups-browsed is running and reachable, the chain of CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177 can be triggered by sending a crafted UDP packet containing a URL that causes the target to fetch and process a print job, ultimately invoking foomatic-rip to run attacker-controlled commands.

Detect active exploitation by monitoring for foomatic-rip spawning shell processes and for cups-browsed binding to UDP port 631. Use the provided Falco/Sysdig rules: one that flags spawned_process and shell_procs with proc.pname = "foomatic-rip" (CRITICAL) and another that alerts when cups-browsed binds to UDP port 631 (INFO). Integrate these into runtime detection and configure responses such as "Kill Process" or "Kill Container" for automated containment, and syscall capture for forensic analysis.
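The exposure check and the process-spawn rule above, worked through as an added Python example (not code from the Sysdig post or from Falco itself). It parses a constructed sample of `ss -lntup` output to decide whether cups-browsed holds a UDP/631 socket reachable beyond loopback, and applies the same condition as the Falco rule (shell child of foomatic-rip) to constructed spawn events; the event field names and the SHELL_PROCS set are assumptions standing in for Falco's own fields and shell_procs macro.

```python
import re
from typing import Dict, List

# Constructed sample of `ss -lntup` output for illustration (not captured from a real host).
SS_SAMPLE = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0            0.0.0.0:631       0.0.0.0:*     users:(("cups-browsed",pid=812,fd=7))
tcp   LISTEN 0      128        127.0.0.1:631       0.0.0.0:*     users:(("cupsd",pid=790,fd=6))
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=601,fd=3))
"""

# Columns: Netid, State, Recv-Q, Send-Q, Local Address:Port, Peer, then the owning process name.
SS_LINE = re.compile(
    r'^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)"'
)
LOOPBACK = {"127.0.0.1", "[::1]"}


def port631_listeners(ss_output: str) -> List[Dict[str, object]]:
    """Every socket bound to port 631, flagged as exposed unless bound to loopback only."""
    found = []
    for line in ss_output.splitlines():
        m = SS_LINE.match(line)
        if not m or m.group("port") != "631":
            continue
        found.append({"proto": m.group("proto"), "addr": m.group("addr"),
                      "proc": m.group("proc"), "exposed": m.group("addr") not in LOOPBACK})
    return found


def cups_browsed_exposed(ss_output: str) -> bool:
    """True when cups-browsed holds a UDP/631 socket reachable beyond loopback."""
    return any(l["proc"] == "cups-browsed" and l["proto"] == "udp" and l["exposed"]
               for l in port631_listeners(ss_output))


# Spawn events in the shape the Falco rule inspects (constructed, not real telemetry).
SHELL_PROCS = {"sh", "bash", "dash", "zsh", "ksh", "csh"}  # stands in for Falco's shell_procs macro
SPAWN_EVENTS = [
    {"evt_type": "execve", "proc_name": "foomatic-rip", "proc_pname": "cupsd"},
    {"evt_type": "execve", "proc_name": "gs", "proc_pname": "foomatic-rip"},
    {"evt_type": "execve", "proc_name": "sh", "proc_pname": "foomatic-rip"},
]


def shell_from_foomatic(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Mirror the condition: spawned_process and shell_procs and proc.pname = "foomatic-rip"."""
    return [e for e in events
            if e["evt_type"] == "execve"
            and e["proc_name"] in SHELL_PROCS
            and e["proc_pname"] == "foomatic-rip"]
```

Feed the real `ss -lntup` output into port631_listeners to separate a loopback-only cupsd listener (not reachable by the crafted UDP packet) from a cups-browsed socket bound to all interfaces.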

Mitigate immediately by applying vendor patches (Ubuntu, RedHat, and other distributors have releases), or temporarily disable the CUPS browser and block the port: sudo systemctl stop cups-browsed; sudo systemctl disable cups-browsed; sudo systemctl restart cups; and block UDP 631 (sudo ufw deny proto udp from any to any port 631). For cloud/host posture, ensure print services are disabled where unnecessary and use vulnerability inventory to identify affected systems for prioritized remediation.

Read more: https://sysdig.com/blog/detecting-and-mitigating-remote-code-execution-exploits-in-cups/