A recent vulnerability in the Common Unix Printing System (CUPS) allows attackers to execute remote code on Linux and potentially macOS systems. This vulnerability enables arbitrary command execution with the privileges of the "lp" user, creating a severe risk for systems using CUPS in network environments.
Summary of Key Points
- Attack Vector: Vulnerabilities can be exploited over the Wide Area Network (WAN), particularly impacting servers accessible via the internet.
- Impact: Attackers can achieve Remote Code Execution (RCE) with the privileges of the lp user, albeit with some restrictions imposed by the AppArmor profile.
- User Engagement: Exploitation requires user action (a user on the target system must print something).
- CVE Summary: Four CVEs have been assigned; together they enable RCE.
- Exposure Risk: Numerous CUPS services are currently exposed and vulnerable on the internet.
- Affected Vendors: This issue impacts various vendors, including those using Linux and macOS platforms.
CVE IDs:
- CVE-2024-47176
- CVE-2024-47076
- CVE-2024-47175
- CVE-2024-47177
Overview
CUPS is an open-source print management system that turns computers into print servers. Its modular design has made it the standard print stack on Linux desktops and macOS. The vulnerable component, cups-browsed, discovers printers on the network and configures them automatically.
Disclosed publicly on September 26th, 2024, after details leaked ahead of the coordinated disclosure, the vulnerability lets an attacker send crafted IPP requests that result in command execution on vulnerable machines. Public disclosure without an available fix highlights the need for robust security controls rather than reliance on a patch alone.
How ZEST Can Help Mitigate this Issue
At ZEST, our mitigation engine provides a unique approach to neutralizing vulnerabilities like the CUPS RCE attack. By analyzing native security measures and cloud compensating controls, ZEST delivers tailored Resolution Paths designed specifically for the impacted assets.
The mitigation paths below are provided to ZEST customers out of the box within the ZEST platform.
AWS Security Controls and Mitigations
Since no immediate fix is available, focusing on security controls in your AWS environment is crucial. Here’s how you can mitigate the risk using AWS controls:
1. Network Segmentation and Security Groups
Isolate any EC2 instances running CUPS from public networks by configuring AWS Security Groups:
Block access to port 631 (used by CUPS) for inbound traffic from untrusted IPs or the public internet.
aws ec2 revoke-security-group-ingress --group-id <sg-id> --protocol tcp --port 631 --cidr 0.0.0.0/0
aws ec2 revoke-security-group-ingress --group-id <sg-id> --protocol udp --port 631 --cidr 0.0.0.0/0
Note that revoke only removes an allow rule that matches exactly; review the group for broader rules (for example "all traffic" from 0.0.0.0/0) that would still expose the port.
2. Enable VPC Flow Logs and AWS CloudTrail
Ensure VPC Flow Logs and AWS CloudTrail are enabled to monitor and log traffic to port 631. Look for suspicious activity such as UDP requests followed by command executions or unusual lp user activity.
aws ec2 create-flow-logs --resource-type VPC --resource-ids <vpc-id> --traffic-type ALL --log-group-name my-flow-logs --deliver-logs-permission-arn <iam-role-arn>
3. Use AWS Systems Manager (SSM) to Disable CUPS
If CUPS is not required for your environment, disable and remove it using AWS Systems Manager to manage the EC2 instances remotely:
aws ssm send-command --document-name "AWS-RunShellScript" --instance-ids <instance-id> --parameters 'commands=["sudo systemctl stop cups-browsed cups", "sudo apt-get purge -y cups-browsed cups"]'
4. Network Access Control Lists (NACLs)
Add NACL rules in your VPC to block incoming traffic to UDP 631 from untrusted sources:
aws ec2 create-network-acl-entry --network-acl-id <acl-id> --ingress --rule-number 100 --protocol 17 --port-range From=631,To=631 --cidr-block 0.0.0.0/0 --rule-action deny
GCP Security Controls and Mitigations
Since no immediate fix is available, focusing on security controls in your GCP environment is crucial. Here’s how you can mitigate the risk using GCP controls:
1. Network Segmentation with VPC Firewall Rules
Isolate any Compute Engine instances running CUPS from public networks by configuring VPC firewall rules:
Block access to port 631 (used by CUPS) for inbound traffic from untrusted IPs or the public internet.
gcloud compute firewall-rules create block-cups --direction=INGRESS --priority=1000 --network=<network> --action=DENY --rules=tcp:631,udp:631 --source-ranges=0.0.0.0/0
2. Enable VPC Flow Logs and Stackdriver Logging
Ensure VPC Flow Logs and Cloud Logging are enabled to monitor and log traffic to port 631. Look for suspicious activity, such as UDP requests followed by command executions or unusual activity related to the "lp" user.
gcloud compute networks subnets update default --region=<region> --enable-flow-logs
gcloud logging sinks create my-vpc-logs logging.googleapis.com/projects/my-project-id/locations/us-central1/buckets/my-vpc-logs --log-filter='resource.type="gce_subnetwork" AND log_id("compute.googleapis.com/vpc_flows")'
3. Use Google Cloud Operations to Disable CUPS
If CUPS is not required for your environment, disable and remove it using Cloud Operations to remotely manage Compute Engine instances.
Alternatively, use OS Inventory Management in GCP to automate this process across multiple instances.
gcloud compute ssh instance-name --command="sudo systemctl stop cups-browsed cups && sudo apt-get purge -y cups-browsed cups"
4. Configure GCP Firewall Policies
Use Hierarchical Firewall Policies to restrict access to UDP 631 at the organization or project level. Assuming an organization firewall policy already exists, add a deny rule to it and associate the policy with the organization:
gcloud compute firewall-policies rules create 100 --firewall-policy=<policy-name> --organization=<org-id> --direction=INGRESS --action=deny --layer4-configs=udp:631,tcp:631 --src-ip-ranges=0.0.0.0/0 --enable-logging
gcloud compute firewall-policies associations create --firewall-policy=<policy-name> --organization=<org-id>
Detecting Vulnerable CUPS Instances
Use Cloud Monitoring to run custom checks across your instances to see if CUPS or "cups-browsed" is running:
gcloud compute ssh instance-name --command="systemctl is-active cups-browsed cups; sudo ss -lunp | grep ':631'"
Azure Security Controls and Mitigations
1. Network Segmentation with Network Security Groups (NSGs)
Isolate any Azure VMs running CUPS by configuring Network Security Groups (NSGs) to block access to port 631 from untrusted IP addresses or the public internet:
Block inbound traffic on TCP/UDP port 631.
az network nsg rule create --nsg-name <nsg-name> --resource-group <resource-group> --name Block-CUPS --priority 100 --direction Inbound --access Deny --protocol Tcp --destination-port-ranges 631 --source-address-prefixes Internet
az network nsg rule create --nsg-name <nsg-name> --resource-group <resource-group> --name Block-CUPS-UDP --priority 110 --direction Inbound --access Deny --protocol Udp --destination-port-ranges 631 --source-address-prefixes Internet
2. Enable Azure Network Watcher and Diagnostic Logs
Ensure Azure Network Watcher is enabled to monitor network traffic and log activity to port 631. Review the logs for any unusual behavior such as unexpected UDP traffic followed by command execution from the lp user.
az network watcher flow-log create --location <location> --name <flow-log-name> --resource-group <resource-group> --nsg <nsg-name> --enabled true --retention 30 --storage-account <storage-account>
az monitor diagnostic-settings create --resource /subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.Network/networkSecurityGroups/<nsg-name> --name myFlowLogs --logs '[{"category": "NetworkSecurityGroupFlowEvent", "enabled": true}]' --workspace <log-analytics-workspace-id>
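The "look for suspicious activity" step in the AWS, GCP and Azure logging sections above amounts to one filter: accepted flows to port 631 from outside your trusted address space. The following Python script is an added example, not part of the original post or the ZEST platform; it assumes the AWS VPC Flow Logs default (version 2) record format and treats the RFC 1918 ranges as trusted, and the log lines are constructed samples. The same filter applies to GCP and Azure flow logs once their records are mapped to the same fields.

```python
import ipaddress

# Constructed sample records in the AWS VPC Flow Logs default (version 2) format.
# Field order: version account-id interface-id srcaddr dstaddr srcport dstport
#              protocol packets bytes start end action log-status
# Protocol 17 is UDP (the cups-browsed listener), 6 is TCP (cupsd itself).
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0a1b2c3d 203.0.113.45 10.0.1.12 41234 631 17 1 180 1727344000 1727344060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.2.7 10.0.1.12 52000 631 17 1 180 1727344000 1727344060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.12 44321 631 6 3 240 1727344010 1727344070 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.12 44322 631 6 5 900 1727344020 1727344080 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.45 10.0.1.12 41235 443 6 10 2000 1727344030 1727344090 ACCEPT OK
"""

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
CUPS_PORT = "631"
PROTO_NAMES = {"6": "tcp", "17": "udp"}
# Assumption: RFC 1918 space is trusted; extend with your own VPC/VPN ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_flow_log(text):
    """Parse default-format flow log lines into dicts, dropping NODATA/SKIPDATA rows."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[-1] != "OK":
            continue
        records.append(dict(zip(FIELDS, parts)))
    return records

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def find_external_cups_flows(records):
    """ACCEPTed flows to port 631 from outside the trusted ranges: the traffic the SG/NACL rules should stop."""
    # REJECTed probes are left out: there the network control already worked.
    hits = []
    for r in records:
        if r["dstport"] != CUPS_PORT or r["action"] != "ACCEPT" or is_internal(r["srcaddr"]):
            continue
        hits.append({"src": r["srcaddr"], "dst": r["dstaddr"], "eni": r["interface_id"],
                     "proto": PROTO_NAMES.get(r["protocol"], r["protocol"])})
    return hits

if __name__ == "__main__":
    for h in find_external_cups_flows(parse_flow_log(SAMPLE_FLOW_LOGS)):
        print(f"ALERT {h['proto']}/631 on {h['eni']}: {h['src']} -> {h['dst']}")
```

Feed it the records exported by the flow-log commands above (CloudWatch Logs, the Cloud Logging sink, or the NSG flow-log storage account) and follow up any hit with the lp-user process activity on the destination instance.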
3. Use Azure Automation to Disable CUPS
If CUPS is not required, disable and remove it using Azure Automation to remotely manage your VMs. You can create and run a PowerShell or Shell script to disable the CUPS service:
az vm run-command invoke --command-id RunShellScript --name <vm-name> --resource-group <resource-group> --scripts 'sudo systemctl stop cups-browsed cups && sudo apt-get purge -y cups-browsed cups'
You can also set up an Automation Account with Runbooks to automate this across multiple VMs.
4. Implement Azure Firewall Rules
Set up Azure Firewall to block access to UDP port 631 from untrusted networks. Because port 631 is not HTTP/HTTPS traffic, this is a network rule rather than an application rule:
az network firewall network-rule create --resource-group <resource-group> --firewall-name <firewall-name> --collection-name BlockCUPS --name DenyCUPS --priority 100 --action Deny --protocols UDP TCP --source-addresses '*' --destination-addresses '*' --destination-ports 631
In Cases Where No Fix Is Available – ZEST Resolution Paths Will Find a Way
Currently, there are no patches available for the CUPS vulnerability. In such cases, ZEST’s Resolution Platform identifies and defines the best mitigation path using existing security controls to isolate vulnerable services, monitor network traffic for suspicious activity, and minimize exposure.
Ready to see how ZEST is helping organizations mitigate cloud risks? Schedule a demo with our team.