Summary of Key Points
- Attack Vector: Vulnerabilities can be exploited over the Wide Area Network (WAN), particularly impacting servers accessible via the internet.
- Impact: Attackers can achieve Remote Code Execution (RCE) with the privileges of the lp user, albeit with some restrictions imposed by the AppArmor profile.
- User Engagement: Exploitation requires user interaction (a user must print to the affected system).
- CVE Summary: A total of four CVEs have been identified that facilitate RCE.
- Exposure Risk: Numerous CUPS services are currently exposed and vulnerable on the internet.
- Affected Vendors: This issue impacts various vendors, including those using Linux and macOS platforms.
CVE IDs:
- CVE-2024-47176
- CVE-2024-47076
- CVE-2024-47175
- CVE-2024-47177
Overview
How ZEST Can Help Mitigate this Issue
At ZEST, our mitigation engine provides a unique approach to neutralizing vulnerabilities like the CUPS RCE attack. By analyzing native security measures and cloud compensating controls, ZEST delivers tailored Resolution Paths designed specifically for the impacted assets.
The mitigation paths below are provided to ZEST customers out of the box within the ZEST platform.
AWS Security Controls and Mitigations
Since no immediate fix is available, focusing on security controls in your AWS environment is crucial. Here’s how you can mitigate the risk using AWS controls:
1. Network Segmentation and Security Groups
Isolate any EC2 instances running CUPS from public networks by configuring AWS Security Groups:
Block access to port 631 (used by CUPS) for inbound traffic from untrusted IPs or the public internet. Security Groups deny inbound traffic that no rule explicitly allows, so removing any rule that permits 0.0.0.0/0 on port 631 closes the exposure:
aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port 631 --cidr 0.0.0.0/0
aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol udp --port 631 --cidr 0.0.0.0/0
2. Enable VPC Flow Logs and AWS CloudTrail
Ensure VPC Flow Logs and AWS CloudTrail are enabled to monitor and log traffic to port 631. Look for suspicious activity such as UDP requests followed by command executions or unusual lp user activity.
aws ec2 create-flow-logs --resource-type VPC --resource-id <vpc-id> --traffic-type ALL --log-group-name my-flow-logs --deliver-logs-permission-arn <flow-logs-iam-role-arn>
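As an added example (not part of the original post or the ZEST platform), the following Python script applies the detection described above to a few constructed VPC Flow Log records in the default format: it flags records where a source outside the trusted ranges reached UDP/631 and the Security Group accepted the packet. The sample records and the trusted-network list are assumptions.

```python
"""Flag VPC Flow Log records showing accepted inbound UDP/631 from untrusted sources."""
import ipaddress

# Field order of the AWS VPC Flow Log default (version 2) format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
CUPS_PORT, UDP = 631, 17

# Assumed "trusted" ranges: RFC 1918, loopback and link-local. Adjust for your VPC.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "127.0.0.0/8", "169.254.0.0/16")]

def parse_record(line):
    """Parse one space-separated flow log record; None if malformed or NODATA/SKIPDATA."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    return rec if rec["log_status"] == "OK" else None  # non-OK records carry '-' fields

def is_untrusted(addr):
    """True when the address is outside every trusted range."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in TRUSTED_NETS)

def find_cups_exposure(lines):
    """Return records where an untrusted source hit UDP/631 and the packet was ACCEPTed."""
    hits = []
    for rec in filter(None, map(parse_record, lines)):
        if (rec["action"] == "ACCEPT" and int(rec["protocol"]) == UDP
                and int(rec["dstport"]) == CUPS_PORT and is_untrusted(rec["srcaddr"])):
            hits.append(rec)
    return hits

# Constructed sample records (not real traffic): one exposure, one internal probe,
# one rejected probe, one unrelated SSH flow and one NODATA line.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.45 10.0.1.12 40321 631 17 1 164 1727000000 1727000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.7 10.0.1.12 53122 631 17 3 480 1727000000 1727000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.12 51000 631 17 1 164 1727000000 1727000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.45 10.0.1.12 40322 22 6 5 600 1727000000 1727000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1727000000 1727000060 - NODATA
"""

if __name__ == "__main__":
    for rec in find_cups_exposure(SAMPLE_LOG.splitlines()):
        print(f"exposed: {rec['srcaddr']} -> {rec['dstaddr']}:{rec['dstport']}/udp "
              f"accepted on {rec['interface_id']}")
```

Feed it the lines exported from the CloudWatch log group created above to see which interfaces actually accepted cups-browsed traffic from outside your trusted ranges.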
3. Use AWS Systems Manager (SSM) to Disable CUPS
If CUPS is not required for your environment, disable and remove it using AWS Systems Manager to manage the EC2 instances remotely:
aws ssm send-command --document-name "AWS-RunShellScript" --parameters 'commands=["sudo systemctl stop cups-browsed cups", "sudo apt purge -y cups-browsed cups"]' --targets "Key=InstanceIds,Values=<instance-id>"
4. Network Access Control Lists (NACLs)
Add NACL rules in your VPC to block incoming traffic to UDP 631 from untrusted sources:
aws ec2 create-network-acl-entry --network-acl-id <network-acl-id> --ingress --rule-number 100 --protocol 17 --port-range From=631,To=631 --cidr-block 0.0.0.0/0 --rule-action deny
GCP Security Controls and Mitigations
Since no immediate fix is available, focusing on security controls in your GCP environment is crucial. Here’s how you can mitigate the risk using GCP controls:
1. Network Segmentation with VPC Firewall Rules
Isolate any Compute Engine instances running CUPS from public networks by configuring VPC firewall rules:
Block access to port 631 (used by CUPS) for inbound traffic from untrusted IPs or the public internet.
gcloud compute firewall-rules create block-cups --direction=INGRESS --priority=1000 --network=<network-name> --action=DENY --rules=tcp:631,udp:631 --source-ranges=0.0.0.0/0
2. Enable VPC Flow Logs and Cloud Logging
Ensure VPC Flow Logs and Cloud Logging are enabled to monitor and log traffic to port 631. Look for suspicious activity, such as UDP requests followed by command executions or unusual activity related to the lp user.
gcloud logging sinks create my-vpc-logs logging.googleapis.com/projects/my-project-id/locations/us-central1/buckets/my-vpc-logs --log-filter='resource.type="gce_subnetwork" AND log_id("compute.googleapis.com/vpc_flows")'
gcloud compute networks subnets update default --region=<region> --enable-flow-logs
3. Use Google Cloud Operations to Disable CUPS
If CUPS is not required for your environment, disable and remove it using Cloud Operations to remotely manage Compute Engine instances.
gcloud compute ssh instance-name --command="sudo systemctl stop cups-browsed cups && sudo apt purge -y cups-browsed cups"
Alternatively, use OS Inventory Management in GCP to automate this process across multiple instances.
4. Configure GCP Firewall Policies
Use Hierarchical Firewall Policies to restrict access to UDP 631 at the organization or project level. A policy is created first, then a deny rule is added to it; the policy must afterwards be associated with the organization or folder for the rule to take effect:
gcloud compute firewall-policies create --organization=<org-id> --short-name=block-ipp-udp
gcloud compute firewall-policies rules create 100 --firewall-policy=block-ipp-udp --organization=<org-id> --action=deny --direction=INGRESS --layer4-configs=udp:631 --src-ip-ranges=0.0.0.0/0
Detecting Vulnerable CUPS Instances
Use Cloud Monitoring to run custom checks across your instances to see if CUPS or cups-browsed is running:
gcloud compute ssh instance-name --command="systemctl status cups-browsed"
Azure Security Controls and Mitigations
1. Network Segmentation with Network Security Groups (NSGs)
Isolate any Azure VMs running CUPS by configuring Network Security Groups (NSGs) to block access to port 631 from untrusted IP addresses or the public internet:
Block inbound traffic on TCP/UDP port 631. Each rule in an NSG needs a unique priority per direction, so the two rules use different values:
az network nsg rule create --nsg-name <nsg-name> --resource-group <resource-group> --name Block-CUPS --priority 100 --direction Inbound --access Deny --protocol Tcp --destination-port-ranges 631 --source-address-prefixes Internet
az network nsg rule create --nsg-name <nsg-name> --resource-group <resource-group> --name Block-CUPS-UDP --priority 110 --direction Inbound --access Deny --protocol Udp --destination-port-ranges 631 --source-address-prefixes Internet
2. Enable Azure Network Watcher and Diagnostic Logs
Ensure Azure Network Watcher is enabled to monitor network traffic and log activity to port 631. Review the logs for any unusual behavior such as unexpected UDP traffic followed by command execution from the lp user.
az network watcher flow-log create --name cups-nsg-flow-log --location <region> --resource-group <resource-group> --nsg <nsg-name> --enabled true --retention 30 --storage-account <storage-account>
az monitor diagnostic-settings create --resource /subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.Network/networkSecurityGroups/<nsg-name> --name myFlowLogs --logs '[{"category": "NetworkSecurityGroupRuleCounter", "enabled": true}]' --workspace <log-analytics-workspace-id>
3. Use Azure Automation to Disable CUPS
If CUPS is not required, disable and remove it using Azure Automation to remotely manage your VMs. You can create and run a PowerShell or Shell script to disable the CUPS service:
az vm run-command invoke --command-id RunShellScript --name <vm-name> --resource-group <resource-group> --scripts 'sudo systemctl stop cups-browsed cups && sudo apt purge -y cups-browsed cups'
You can also set up an Automation Account with Runbooks to automate this across multiple VMs.
4. Implement Azure Firewall Rules
Set up Azure Firewall to block access to UDP port 631 from untrusted networks. Azure Firewall application rules only match HTTP/HTTPS traffic by FQDN, so a UDP port must be blocked with a network rule:
az network firewall network-rule create --resource-group <resource-group> --firewall-name <firewall-name> --collection-name BlockCUPS --name DenyCUPS --priority 100 --action Deny --protocols UDP --source-addresses '*' --destination-addresses '*' --destination-ports 631
In Cases Where No Fix Is Available – ZEST Resolution Paths Will Find a Way
Currently, there are no patches available for the CUPS vulnerability. In these cases, ZEST’s Resolution Platform will identify and define the best mitigation path using existing security controls to isolate vulnerable services, monitor network traffic for suspicious activity and minimize exposure.
Ready to see how ZEST is helping organizations mitigate cloud risks? Schedule a demo with our team.