Automated Scanner Developed to Detect Servers Vulnerable to CUPS RCE Attacks

October 8, 2024

An automated scanner has been released to help security teams identify devices that are susceptible to the Common Unix Printing System (CUPS) Remote Code Execution (RCE) vulnerability tracked as CVE-2024-47176. The vulnerability, which allows threat actors to execute arbitrary code remotely under certain conditions, was disclosed last month by Simone Margaritelli, who discovered it. Although the prerequisites for exploitation limit the real-world impact of the RCE, Akamai later demonstrated that CVE-2024-47176 can also be abused to amplify distributed denial of service (DDoS) attacks by 600x.

The scanner was developed by cybersecurity researcher Marcus Hutchins, also known as 'MalwareTech', to help system administrators scan their networks and promptly detect devices running vulnerable cups-browsed services. Hutchins explained, "The vulnerability arises from the fact that cups-browsed binds its control port (UDP port 631) to INADDR_ANY, exposing it to the world. Since requests are not authenticated, anyone capable of reaching the control port can instruct cups-browsed to perform printer discovery." He further added, "In cases when the port is not reachable from the internet (due to firewalls or NAT), it may still be reachable via the local network, enabling privilege escalation and lateral movement."

Hutchins wrote the scanner as a Python script that scans local networks for vulnerable cups-browsed instances. The script sets up an HTTP server on the scanning machine that listens for incoming HTTP requests from devices on the network. Because cups-browsed binds its control port to INADDR_ANY, the port is exposed to the network and any system can send commands to it. The scanner sends a custom UDP packet to the network's broadcast address on port 631, instructing cups-browsed instances to send a request back to that HTTP server. Only devices running a vulnerable cups-browsed instance that respond to the UDP packet are marked as vulnerable.

The results are logged in two files: one containing the IP addresses and CUPS versions of the devices that responded, and another containing the raw HTTP requests received by the callback server for deeper analysis. The scanner lets system administrators plan and execute targeted patching or reconfiguration, thereby reducing the exposure of CVE-2024-47176 online. The script's effectiveness and safety are not guaranteed, and it should be used at one's own risk.
