
Guidance for handling CUPS remote code execution vulnerability using Microsoft Security capabilities

by info.odysseyx@gmail.com


A new critical remote code execution (RCE) vulnerability affecting the Common Unix Printing System (CUPS) was disclosed last week, putting organizations running Unix-like systems (Linux, GNU and others) at risk. This post shows how to find out whether your organization is exposed to the new unauthenticated RCE flaw in the CUPS printing system and walks through the remediation guidance.

Versions affected:

  • CVE-2024-47176: cups-browsed binds to UDP port 631 and accepts packets from any source (cups-browsed ≤ 2.0.1).
  • CVE-2024-47076: libcupsfilters does not validate IPP attributes, allowing attacker-controlled data through (libcupsfilters ≤ 2.1b1).
  • CVE-2024-47175: libppd does not sanitize IPP attributes, which allows data injection (libppd ≤ 2.1b1).
  • CVE-2024-47177: foomatic-rip allows execution of arbitrary commands via the FoomaticRIPCommandLine PPD parameter (cups-filters ≤ 2.0.)*

* This CVE is expected to be published soon.

Impact

A remote attacker could replace or install a printer with a malicious IPP URL, which could lead to arbitrary command execution when a print job is initiated.

We show how organizations can leverage attack vector analysis capabilities with the Microsoft Defender suite to pinpoint and neutralize threats posed by these events. Our investigation will focus on mapping vulnerabilities, assessing affected assets, measuring potential impacts through blast radius analysis, and implementing effective mitigation.

Recommendations for mitigation and best practices

Mitigating the risks associated with vulnerabilities requires a combination of proactive and real-time defense. Here are some recommendations:

  • Update the CUPS package.
  • Disable and remove the cups-browsed service if it is not required.
  • Block traffic on UDP port 631 and DNS-SD traffic if not required.

Mapping your organization’s CUPS vulnerabilities:

The first step in incident management is mapping the affected software within your organization’s assets. The Defender Vulnerability Management solution provides comprehensive vulnerability assessment across all devices.

[Figure 1]

You can also use the following KQL query (linked in the original post), which searches for software vulnerabilities matching the given CVEs and summarizes them by device name, OS version, and device ID:

DeviceTvmSoftwareVulnerabilities
| where CveId has_any ("CVE-2024-47176", "CVE-2024-47076", "CVE-2024-47175")
| summarize by DeviceName, DeviceId, OS=strcat(OSPlatform, "-", OSVersion), SoftwareName, SoftwareVersion

Use Cloud Security Explorer

You can use the Cloud Security Explorer feature within Defender for Cloud to run security-posture queries across Azure, AWS, GCP, and code repositories. This allows you to investigate specific CVEs, identify affected systems, and understand the associated risks.

We created a specific query for this CVE to help you get an initial assessment of the threat this vulnerability poses to your organization. Customization options include:

[Figure 2]


Understand the potential impact with Microsoft Security Exposure Management

Attack vector:

Automated attack vector analysis maps potential attacks by starting with exposed resources and tracing the paths an attacker could take to compromise critical assets. The analysis identifies exposed cloud computing resources, such as virtual machines and Kubernetes containers, that are affected by remote code execution vulnerabilities, together with the lateral movement steps an attacker could take in the environment. Attack vectors are provided for all supported cloud environments (Azure, AWS, and GCP). To display the paths, filter the view by the following example titles:

  • Internet exposed Azure VM with RCE vulnerability
  • Internet-exposed GCP compute instances with RCE vulnerabilities
  • Internet-Exposed AWS EC2 Instances with RCE Vulnerability

Attack vector analysis is available in both Microsoft Security Exposure Management and Microsoft Defender for Cloud.

Critical Assets:

Additionally, we recommend using the following query (linked in the original post) to identify critical assets (devices identified as sensitive by the Critical Asset Protection rules engine) affected by these vulnerabilities:

ExposureGraphNodes 
| where NodeProperties has 'criticalityLevel' 
| where NodeLabel in ('microsoft.compute/virtualmachines', 'compute.instances', 'ec2.instance', 'device', 'container-image', 'microsoft.hybridcompute/machines') 
| join kind=inner (ExposureGraphEdges | where SourceNodeName in ('CVE-2024-47076', 'CVE-2024-47175', 'CVE-2024-47176', 'CVE-2024-47177')) 
    on $left.NodeId == $right.TargetNodeId

Asset Exposure:

Asset exposure provides a complementary perspective by revealing all pathways leading to vulnerable objects. Use this feature according to the instructions referenced in the original post. With it you can identify areas of the attack surface that could lead to vulnerable resources. Hardening your attack surface reduces the risk that vulnerable resources within your environment will be discovered and exploited.

Conclusion

By following these guidelines and leveraging end-to-end integrated Microsoft security products, organizations can better prepare for, prevent, and respond to attacks, ensuring a more secure and resilient environment. The above process provides a comprehensive approach to protecting your organization, but continuous monitoring, updates, and adaptation to new threats are essential to maintaining strong security.
