CVE: detect and mitigate cups foomatic-rip CVE-2024-47176 2024-47177 #2975
base: main
Conversation
https://www.cve.org/CVERecord?id=CVE-2024-47177
GHSA-rj88-6mr5-rcw8
https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/

In summary there are four vulnerabilities:

"CUPS is a standards-based, open-source printing system, and `cups-browsed` contains network printing functionality including, but not limited to, auto-discovering print services and shared printers. `cups-browsed` binds to `INADDR_ANY:631`, causing it to trust any packet from any source, and can cause the `Get-Printer-Attributes` IPP request to an attacker controlled URL. When combined with other vulnerabilities, such as CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177, an attacker can execute arbitrary commands remotely on the target machine without authentication when a malicious printer is printed to."

The commands are executed through the foomatic-rip binary. To detect such executions, run the following filter on Tetragon JSON events:

```sh
jq 'select(.process_exec != null) |
    select(.process_exec.parent.binary | contains("foomatic-rip"))' \
  /var/log/tetragon/tetragon.log
```

This policy can detect and block the foomatic-rip binary from executing commands; however, according to CUPS developers:

"...we can certainly recommend that people not use Foomatic, but there are likely hundreds of older printer models (before 2010) that are only supported through Foomatic."

Signed-off-by: Djalal Harouni <[email protected]>
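As an added example (not code from this PR or from Tetragon itself), the same parent-binary check the jq filter above performs, written as a small Python scanner over Tetragon JSON-lines output. It generalises the check in two ways: the parent is matched on the trailing path `cups/filter/foomatic-rip` rather than one absolute path, so a different install prefix still matches, and a child that is a shell is marked high severity, since foomatic-rip is expected to spawn renderers, not shells. The log lines are constructed for the example; the field names (`process_exec.process.binary`, `process_exec.parent.binary`, `arguments`, `node_name`, `time`) follow Tetragon's process_exec event layout, and the shell list is an assumption to adjust per host.

```python
import json
from typing import Any

# Constructed sample of Tetragon JSON-lines output (not a real capture). The layout
# mirrors Tetragon process_exec events: "process" and "parent" objects that each
# carry "binary" and "arguments". One process_exit line and one non-JSON line are
# included to show that both are skipped.
SAMPLE_LOG = """\
{"process_exec":{"process":{"pid":4120,"binary":"/usr/bin/gs","arguments":"-q -dBATCH -sDEVICE=pdfwrite"},"parent":{"pid":4100,"binary":"/usr/lib/cups/filter/foomatic-rip","arguments":"1 lp job 1"}},"node_name":"print-host","time":"2024-09-27T10:00:01Z"}
{"process_exec":{"process":{"pid":4121,"binary":"/bin/sh","arguments":"-c echo test"},"parent":{"pid":4100,"binary":"/usr/lib/cups/filter/foomatic-rip","arguments":"1 lp job 1"}},"node_name":"print-host","time":"2024-09-27T10:00:02Z"}
{"process_exec":{"process":{"pid":4122,"binary":"/usr/bin/ls","arguments":"-l"},"parent":{"pid":1000,"binary":"/bin/bash","arguments":""}},"node_name":"print-host","time":"2024-09-27T10:00:03Z"}
{"process_exec":{"process":{"pid":4123,"binary":"/usr/bin/cat","arguments":"/etc/hostname"},"parent":{"pid":4101,"binary":"/usr/libexec/cups/filter/foomatic-rip","arguments":"2 lp job 1"}},"node_name":"print-host","time":"2024-09-27T10:00:04Z"}
{"process_exit":{"process":{"pid":4121,"binary":"/bin/sh"}},"node_name":"print-host","time":"2024-09-27T10:00:05Z"}
this line is not JSON and must be skipped
"""

# Suffix match instead of one absolute path, so /usr/lib and /usr/libexec layouts
# both match (the Postfix-style check suggested in the review thread).
FOOMATIC_SUFFIX = "cups/filter/foomatic-rip"

# Assumed list of shell binaries; a shell child of foomatic-rip is the case to page on.
SHELL_BINARIES = {"/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/sh", "/usr/bin/bash"}


def is_foomatic_child(event: dict[str, Any]) -> bool:
    """True if this is a process_exec event whose parent binary is foomatic-rip."""
    exec_ev = event.get("process_exec")
    if not isinstance(exec_ev, dict):
        return False
    parent = exec_ev.get("parent") or {}       # parent can be absent for early processes
    binary = parent.get("binary") or ""
    return binary.endswith(FOOMATIC_SUFFIX)


def find_foomatic_execs(log_text: str) -> list[dict[str, Any]]:
    """Scan JSON-lines Tetragon output; return one record per child exec of foomatic-rip."""
    hits: list[dict[str, Any]] = []
    for lineno, raw in enumerate(log_text.splitlines(), start=1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue                            # tolerate truncated or non-JSON lines
        if not is_foomatic_child(event):
            continue
        proc = event["process_exec"].get("process") or {}
        child = proc.get("binary") or ""
        hits.append({
            "line": lineno,
            "time": event.get("time"),
            "node": event.get("node_name"),
            "parent": event["process_exec"]["parent"].get("binary"),
            "binary": child,
            "arguments": proc.get("arguments", ""),
            "severity": "high" if child in SHELL_BINARIES else "info",
        })
    return hits


if __name__ == "__main__":
    # Usage: python3 scan.py  (or feed real output with open("/var/log/tetragon/tetragon.log").read())
    for hit in find_foomatic_execs(SAMPLE_LOG):
        print(f"[{hit['severity']}] line {hit['line']} {hit['time']} {hit['node']}: "
              f"{hit['parent']} -> {hit['binary']} {hit['arguments']}")
```

On the sample this reports three child executions of foomatic-rip (gs, sh, cat), with only the shell flagged high; the process_exit line, the unrelated bash child and the malformed line are ignored. Tolerating non-JSON lines matters in practice because a rotated or still-being-written log can hand you a partial last line.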
- operator: "In" | ||
values: | ||
# Add your foomatic-rip paths here | ||
- "/usr/lib/cups/filter/foomatic-rip" |
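Review bot: an `In` match against a single absolute path (the `- "/usr/lib/cups/filter/foomatic-rip"` line) leaves the policy silently inert on any host whose CUPS filter directory uses a different prefix, and the `# Add your foomatic-rip paths here` comment pushes that discovery onto every user. Either list the known layouts or use the `Postfix` operator on `cups/filter/foomatic-rip` so the match does not depend on the install prefix.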
Hi, thanks for the nice policy! Maybe we can use the `Postfix` operator and check only `cups/filter/foomatic-rip`?
@djalal Could you move this policy to
# Metigation: | ||
# | ||
# * Disable BrowerRemoteProtocol in /etc/cups/cups-browsed.conf |
# Metigation: | |
# | |
# * Disable BrowerRemoteProtocol in /etc/cups/cups-browsed.conf | |
# Mitigation: | |
# | |
# * Disable BrowseRemoteProtocol in /etc/cups/cups-browsed.conf |
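Review bot: the suggested replacement fixes the two typos but still names a directive that does not exist: the cups-browsed.conf key is plural, `BrowseRemoteProtocols`, so `# * Disable BrowseRemoteProtocol in /etc/cups/cups-browsed.conf` will send readers looking for the wrong setting. Spell it `BrowseRemoteProtocols` in the comment (the disabling value is `none`).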