Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVE: detect and mitigate cups foomatic-rip CVE-2024-47176 2024-47177 #2975

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

CVE: detect and mitigate cups foomatic-rip CVE-2024-47176 2024-47177 #2975

wants to merge 1 commit into from

Conversation

tixxdz
Copy link
Member

@tixxdz tixxdz commented Oct 3, 2024

https://www.cve.org/CVERecord?id=CVE-2024-47177
GHSA-rj88-6mr5-rcw8 https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/

In Summary there are four vulnerabilities:

"CUPS is a standards-based, open-source printing system, and cups-browsed contains network printing functionality including, but not limited to, auto-discovering print services and shared printers. cups-browsed binds to INADDR_ANY:631, causing it to trust any packet from any source, and can cause the Get-Printer-Attributes IPP request to an attacker controlled URL. When combined with other vulnerabilities, such as CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177, an attacker can execute arbitrary commands remotely on the target machine without authentication when a malicious printer is printed to."

The commands are executed through foomatic-rip binary, to detect such executions run the following filter on tetragon JSON events:

jq 'select(.process_exec != null) |
select(.process_exec.parent.binary | contains("foomatic-rip"))'
/var/log/tetragon/tetragon.log

This policy can detect and block foomatic-rip binary from executing commands, however according to CUPS developers:
"...we can certainly recommend that people not use Foomatic, but there are likely
hundreds of older printer models (before 2010) that are only supported through
Foomatic."

CVE: detect and mitigate cups foomatic-rip CVE-2024-47176 2024-47177

@tixxdz
CVE: detect and mitigate cups foomatic-rip CVE-2024-47176 2024-47177
7dc7051 
https://www.cve.org/CVERecord?id=CVE-2024-47177
GHSA-rj88-6mr5-rcw8
https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/

In Summary there are four vulnerabilities:

"CUPS is a standards-based, open-source printing system, and `cups-browsed` contains
network printing functionality including, but not limited to, auto-discovering print
services and shared printers. `cups-browsed` binds to `INADDR_ANY:631`, causing it
to trust any packet from any source, and can cause the `Get-Printer-Attributes` IPP
request to an attacker controlled URL. When combined with other vulnerabilities,
such as CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177, an attacker can execute
arbitrary commands remotely on the target machine without authentication when a
malicious printer is printed to."

The commands are executed through foomatic-rip binary, to detect such
executions run the following filter on tetragon JSON events:

  jq 'select(.process_exec != null) | \
     select(.process_exec.parent.binary | contains("foomatic-rip"))' \
     /var/log/tetragon/tetragon.log

This policy can detect and block foomatic-rip binary from executing
commands, however according to CUPS developers:
"...we can certainly recommend that people not use Foomatic, but there are likely
 hundreds of older printer models (before 2010) that are only supported through
 Foomatic."

Signed-off-by: Djalal Harouni <[email protected]>
@tixxdz tixxdz added the release-note/minor This PR introduces a minor user-visible change label Oct 3, 2024
@tixxdz tixxdz requested a review from a team as a code owner October 3, 2024 19:22
@tixxdz tixxdz requested a review from jrfastab October 3, 2024 19:22
anfedotoff
anfedotoff reviewed Oct 7, 2024
View reviewed changes
examples/tracingpolicy/cves/cve-cups-CVE-2024-47176-2024-47177.yaml
- operator: "In"
values:
# Add your foomatic-rip paths here
- "/usr/lib/cups/filter/foomatic-rip"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi, thanks for nice polity! Maybe we can use Postfix operator and check only cups/filter/foomatic-rip ?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@anfedotoff anfedotoff anfedotoff left review comments

@jrfastab jrfastab Awaiting requested review from jrfastab jrfastab is a code owner automatically assigned from cilium/tetragon

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
release-note/minor This PR introduces a minor user-visible change
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@tixxdz @anfedotoff