
CVE: detect and mitigate cups foomatic-rip CVE-2024-47176 2024-47177 #2975

Open. Wants to merge 1 commit into base: main.
Conversation

tixxdz
Member

@tixxdz tixxdz commented Oct 3, 2024

https://www.cve.org/CVERecord?id=CVE-2024-47177
GHSA-rj88-6mr5-rcw8 https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/

In summary there are four vulnerabilities:

"CUPS is a standards-based, open-source printing system, and cups-browsed contains network printing functionality including, but not limited to, auto-discovering print services and shared printers. cups-browsed binds to INADDR_ANY:631, causing it to trust any packet from any source, and can cause the Get-Printer-Attributes IPP request to an attacker controlled URL. When combined with other vulnerabilities, such as CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177, an attacker can execute arbitrary commands remotely on the target machine without authentication when a malicious printer is printed to."

The commands are executed through the foomatic-rip binary. To detect such executions, run the following filter on Tetragon JSON events:

    jq 'select(.process_exec != null) | \
        select(.process_exec.parent.binary | contains("foomatic-rip"))' \
        /var/log/tetragon/tetragon.log

This policy can detect and block the foomatic-rip binary from executing commands; however, according to CUPS developers:
"...we can certainly recommend that people not use Foomatic, but there are likely hundreds of older printer models (before 2010) that are only supported through Foomatic."

CVE: detect and mitigate cups foomatic-rip CVE-2024-47176 2024-47177

https://www.cve.org/CVERecord?id=CVE-2024-47177
GHSA-rj88-6mr5-rcw8
https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/

In summary there are four vulnerabilities:

"CUPS is a standards-based, open-source printing system, and `cups-browsed` contains
network printing functionality including, but not limited to, auto-discovering print
services and shared printers. `cups-browsed` binds to `INADDR_ANY:631`, causing it
to trust any packet from any source, and can cause the `Get-Printer-Attributes` IPP
request to an attacker controlled URL. When combined with other vulnerabilities,
such as CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177, an attacker can execute
arbitrary commands remotely on the target machine without authentication when a
malicious printer is printed to."

The commands are executed through the foomatic-rip binary. To detect such
executions, run the following filter on Tetragon JSON events:

  jq 'select(.process_exec != null) | \
     select(.process_exec.parent.binary | contains("foomatic-rip"))' \
     /var/log/tetragon/tetragon.log

This policy can detect and block the foomatic-rip binary from executing
commands; however, according to CUPS developers:
"...we can certainly recommend that people not use Foomatic, but there are likely
 hundreds of older printer models (before 2010) that are only supported through
 Foomatic."

Signed-off-by: Djalal Harouni <[email protected]>
@tixxdz tixxdz added the release-note/minor This PR introduces a minor user-visible change label Oct 3, 2024
@tixxdz tixxdz requested a review from a team as a code owner October 3, 2024 19:22
@tixxdz tixxdz requested a review from jrfastab October 3, 2024 19:22
- operator: "In"
values:
# Add your foomatic-rip paths here
- "/usr/lib/cups/filter/foomatic-rip"

Hi, thanks for the nice policy! Maybe we can use the Postfix operator and check only cups/filter/foomatic-rip?
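The jq filter from the PR description and the suffix-match idea raised in the comment above, written out as a small Python scanner over Tetragon JSON events. This is an added example, not code from this PR or from Tetragon itself; the sample events are constructed, and the "postfix" mode here is an assumed plain suffix comparison, not Tetragon's own operator.

```python
import json

# Constructed sample Tetragon-style JSON events (not real captures). Only the
# fields the filter reads are populated.
SAMPLE_LOG = "\n".join([
    json.dumps({"process_exec": {
        "process": {"binary": "/bin/sh", "arguments": "-c id"},
        "parent": {"binary": "/usr/lib/cups/filter/foomatic-rip"}}}),
    json.dumps({"process_exec": {
        "process": {"binary": "/bin/ls", "arguments": "-l"},
        "parent": {"binary": "/bin/bash"}}}),
    # parent name merely contains the string: a substring match fires, a
    # suffix match on the CUPS filter path does not
    json.dumps({"process_exec": {
        "process": {"binary": "/usr/bin/env", "arguments": ""},
        "parent": {"binary": "/home/dev/foomatic-rip-test"}}}),
    json.dumps({"process_exit": {
        "process": {"binary": "/usr/lib/cups/filter/foomatic-rip"}}}),
    "truncated line, not JSON",
])

FOOMATIC_SUFFIX = "cups/filter/foomatic-rip"

def parent_is_foomatic(event, mode="contains"):
    """Equivalent of the jq filter: the event must carry process_exec and the
    parent binary must name foomatic-rip. mode="postfix" matches the path
    suffix only (assumed semantics of a suffix check, not Tetragon's operator)."""
    exec_ev = event.get("process_exec")
    if not exec_ev:
        return False
    parent_bin = (exec_ev.get("parent") or {}).get("binary", "")
    if mode == "postfix":
        return parent_bin.endswith(FOOMATIC_SUFFIX)
    return "foomatic-rip" in parent_bin

def scan_log(text, mode="contains"):
    """Return (child binary, arguments) for every matching exec event. Lines
    that are not valid JSON are skipped, as a live log file can be mid-write."""
    hits = []
    for line in text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if parent_is_foomatic(event, mode):
            proc = event["process_exec"].get("process", {})
            hits.append((proc.get("binary", ""), proc.get("arguments", "")))
    return hits
```

Running `scan_log(SAMPLE_LOG)` on the constructed log reports two child processes, while `scan_log(SAMPLE_LOG, "postfix")` reports only the one spawned by the real CUPS filter path.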

@lambdanis
Contributor

@djalal Could you move this policy to examples/policylibrary/cves? Let's merge it then.

Comment on lines +54 to +56
# Metigation:
#
# * Disable BrowerRemoteProtocol in /etc/cups/cups-browsed.conf
Suggested change
# Metigation:
#
# * Disable BrowerRemoteProtocol in /etc/cups/cups-browsed.conf
# Mitigation:
#
# * Disable BrowseRemoteProtocol in /etc/cups/cups-browsed.conf
