Security Controls for Mitigating CUPS Vulnerabilities within the Cloud

A recent vulnerability in the Common Unix Printing System (CUPS) allows attackers to execute remote code on Linux and potentially macOS systems. This vulnerability enables arbitrary command execution with the privileges of the lp user, creating a severe risk for systems using CUPS in network environments.

Summary of Key Points

  • Attack Vector: Vulnerabilities can be exploited over the Wide Area Network (WAN), particularly impacting servers accessible via the internet.
  • Impact: Attackers can achieve Remote Code Execution (RCE) with the privileges of the lp user, albeit with some restrictions imposed by the AppArmor profile.
  • User Engagement: Exploitation requires user action (the need to print something).
  • CVE Summary: A total of four CVEs have been identified that facilitate RCE.
  • Exposure Risk: Numerous CUPS services are currently exposed and vulnerable on the internet.
  • Affected Vendors: This issue impacts various vendors, including those using Linux and macOS platforms.

CVE IDs:

  • CVE-2024-47176
  • CVE-2024-47076
  • CVE-2024-47175
  • CVE-2024-47177

Overview 

CUPS is an open-source print management system that turns computers into print servers. With modular design, it’s widely used on Linux desktops and macOS. The vulnerable component, cups-browsed, is used to discover printers on networks and automatically configure them.
 
Disclosed publicly on September 26th, 2024, after leaked details, this exploit enables attackers to send malicious IPP requests that result in command execution on vulnerable machines. The public disclosure without an available fix highlights the critical need for robust security controls rather than relying on a patch solution.

How ZEST Can Help Mitigate this Issue

At ZEST, our mitigation engine provides a unique approach to neutralizing vulnerabilities like the CUPS RCE attack. By analyzing native security measures and cloud compensating controls, ZEST delivers tailored Resolution Paths designed specifically for the impacted assets. 

The mitigation paths below are provided to ZEST customers out of the box within the ZEST platform. 

AWS Security Controls and Mitigations

Since no immediate fix is available, focusing on security controls in your AWS environment is crucial. Here’s how you can mitigate the risk using AWS controls:

1. Network Segmentation and Security Groups

Isolate any EC2 instances running CUPS from public networks by configuring AWS Security Groups:

Block access to port 631 (used by CUPS) for inbound traffic from untrusted IPs or the public internet.

				
					aws ec2 revoke-security-group-ingress --group-id <sg-id> --protocol tcp --port 631 --cidr 0.0.0.0/0

				
			
				
					aws ec2 revoke-security-group-ingress --group-id <sg-id> --protocol udp --port 631 --cidr 0.0.0.0/0

				
			

2. Enable VPC Flow Logs and AWS CloudTrail

Ensure VPC Flow Logs and AWS CloudTrail are enabled to monitor and log traffic to port 631. Look for suspicious activity such as UDP requests followed by command executions or unusual lp user activity.

				
					aws ec2 create-flow-logs --resource-type VPC --resource-id <vpc-id> --traffic-type ALL --log-group-name my-flow-logs

				
			

3. Use AWS Systems Manager (SSM) to Disable CUPS

If CUPS is not required for your environment, disable and remove it using AWS Systems Manager to manage the EC2 instances remotely:

				
					aws ssm send-command --document-name "AWS-RunShellScript" --parameters 'commands=["sudo systemctl stop cups", "sudo apt purge cups"]' --targets "InstanceIds=<instance-id>"
				
			

4. Network Access Control Lists (NACLs)

Add NACL rules in your VPC to block incoming traffic to UDP 631 from untrusted sources:

				
					aws ec2 create-network-acl-entry --network-acl-id <acl-id> --rule-number 100 --protocol 17 --port-range From=631,To=631 --cidr-block 0.0.0.0/0 --rule-action deny
				
			

GCP Security Controls and Mitigations

Since no immediate fix is available, focusing on security controls in your GCP environment is crucial. Here’s how you can mitigate the risk using GCP controls:

1. Network Segmentation with VPC Firewall Rules

Isolate any Compute Engine instances running CUPS from public networks by configuring VPC firewall rules:

Block access to port 631 (used by CUPS) for inbound traffic from untrusted IPs or the public internet.

				
					gcloud compute firewall-rules create block-cups --direction=INGRESS --priority=1000 --network=<network> --action=DENY --rules=tcp:631,udp:631 --source-ranges=0.0.0.0/0
				
			

2. Enable VPC Flow Logs and Stackdriver Logging

Ensure VPC Flow Logs and Cloud Logging are enabled to monitor and log traffic to port 631. Look for suspicious activity, such as UDP requests followed by command executions or unusual activity related to the lp user.

				
					gcloud logging sinks create my-vpc-logs \   storage.googleapis.com/projects/my-project-id/locations/us-central1/buckets/my-vpc-logs
				
			
				
					gcloud compute networks subnets update default --region=<region> --enable-flow-logs
				
			

3. Use Google Cloud Operations to Disable CUPS

If CUPS is not required for your environment, disable and remove it using Cloud Operations to remotely manage Compute Engine instances.

				
					gcloud compute ssh instance-name --command="sudo systemctl stop cups && sudo apt purge cups"
				
			

Alternatively, use OS Inventory Management in GCP to automate this process across multiple instances.

4. Configure GCP Firewall Policies

Use Hierarchical Firewall Policies to restrict access to UDP 631 at the organization or project level:

				
					gcloud compute org-policies enforce firewall-rules create block-ipp-udp --network=<network> --rules=udp:631 --source-ranges=0.0.0.0/0 --action=DENY
				
			

Detecting Vulnerable CUPS Instances

Use Cloud Monitoring to run custom checks across your instances to see if CUPS or cups-browsed is running:

				
					gcloud compute ssh instance-name --command="systemctl status cups-browsed"

				
			

Azure Security Controls and Mitigations

1. Network Segmentation with Network Security Groups (NSGs)

Isolate any Azure VMs running CUPS by configuring Network Security Groups (NSGs) to block access to port 631 from untrusted IP addresses or the public internet:

Block inbound traffic on TCP/UDP port 631.

				
					az network nsg rule create --nsg-name <nsg-name> --resource-group <resource-group> --name Block-CUPS --priority 100 --direction Inbound --access Deny --protocol Tcp --destination-port-ranges 631 --source-address-prefixes Internet

				
			
				
					az network nsg rule create --nsg-name <nsg-name> --resource-group <resource-group> --name Block-CUPS-UDP --priority 100 --direction Inbound --access Deny --protocol Udp --destination-port-ranges 631 --source-address-prefixes Internet

				
			

2. Enable Azure Network Watcher and Diagnostic Logs

Ensure Azure Network Watcher is enabled to monitor network traffic and log activity to port 631. Review the logs for any unusual behavior such as unexpected UDP traffic followed by command execution from the lp user.

				
					az network watcher flow-log create --resource-group <resource-group> --nsg <nsg-name> --enabled true --retention 30 --storage-account <storage-account>

				
			
				
					az monitor diagnostic-settings create --resource /subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.Network/networkSecurityGroups/<nsg-name> --name myFlowLogs --logs '[{"category": "NetworkSecurityGroupFlowEvent"}]' --workspace <log-analytics-workspace-id>
				
			

3. Use Azure Automation to Disable CUPS

If CUPS is not required, disable and remove it using Azure Automation to remotely manage your VMs. You can create and run a PowerShell or Shell script to disable the CUPS service:

				
					az vm run-command invoke --command-id RunShellScript --name <vm-name> --resource-group <resource-group> --scripts 'sudo systemctl stop cups && sudo apt purge cups'
				
			

You can also set up an Automation Account with Runbooks to automate this across multiple VMs.

4. Implement Azure Firewall Rules

Set up Azure Firewall to block access to UDP port 631 from untrusted networks:

				
					az network firewall application-rule create --resource-group <resource-group> --firewall-name <firewall-name> --collection-name "BlockCUPS" --rule-name "DenyCUPS" --action Deny --protocols=UDP --destination-ports=631 --target-fqdns "*"
				
			

In Cases Where There is No Fix is Available – ZEST Resolution Paths Will Find a Way

Currently, there are no patches available for the CUPS vulnerability. In these cases, ZEST’s Resolution Platform will identify and define the best mitigation path using existing security controls to isolate vulnerable services, monitor network traffic for suspicious activity and minimize exposure.

Ready to see how ZEST is helping organizations mitigate cloud risks? Schedule a demo with our team. 

Share the Post:

Related Resources

From Weeks to Hours: How Zest Security is Redefining Cloud Security

Security Controls for Mitigating CUPS Vulnerabilities within the Cloud

A recent vulnerability in the Common Unix Printing System (CUPS)…

5 Key Takeaways: A Conversation with Matthew Hurewitz

We recently had a conversation with Matthew Hurewitz, Director of…

A Conversation with Matthew Hurewitz: The Cost of Remediation

The Top 21 Most Promising Israeli Start Ups 2024

Essential tools with critical security challenges

Why Resolution Paths Should Replace Risk Remediation

Every holiday and during occasional long summer weekends, my teams…

The hidden risks of Terraform providers

Terraform by HashiCorp is a leading tool for DevOps engineers…

Risk Mitigation Beyond Remediation

Cloud security remains a paramount concern for enterprises. Traditional security…

ZEST Security Aims to Resolve Cloud Risks

Cybersecurity startup ZEST Security emerged from stealth with an AI-powered…

ZEST Security Exits Stealth to Resolve, not Just Flag, Enterprise Cloud Risks Using GenAI

ZEST Security exited stealth today with its AI-powered cloud risk…

ZEST Security raises $5 million Seed round for cloud risk resolution platform

The Israeli startup’s platform provides paths that offer both mitigation…

This startup doesn’t just find your weaknesses, it also fixes them

ZEST Security saw mountains of weaknesses found by other products,…

AI-powered cloud risk resolution startup ZEST Security launches with $5M in funding

Artificial intelligence-powered cloud risk resolution platform startup ZEST Security Inc….

ZEST Security, Interview With CEO Snir Ben Shimol

ZEST Security a NYC-based provider of an AI-powered cloud risk…

ZEST Security Aims to Resolve, Not Just Mitigate Cloud Risks

ZEST Security emerged from stealth with $5 million funding and…

ZEST Security Exits Stealth to Resolve, not Just Flag, Enterprise Cloud Risks Using GenAI

Raises $5M from Hanaco and Silvertech Ventures to tackle the…

Meet ZEST: AI-Powered Cloud Risk Resolution

Today is a big day for me as a founder,…

Resolving your cloud risks with ZEST!