UNIX CUPS Remote Code Execution
Incident Report for Rapid Response Status Page
Resolved
Dear customers,

Following our latest update, we've enhanced the visibility query to now detect any identified host running CUPS. This update may result in a spike in changes, so please ensure you check the dashboard for the latest insights.

Additionally, we have published two new hunting queries for identifying port 631 usage and shell executions under CUPS.

These queries are available on Axon's GitHub:
- Shell execution under CUPS:
https://github.com/axon-git/rapid-response/blob/main/cups%20RCE/cups_shell_execution.sql
- Traffic to port 631 (potential RCE):
https://github.com/axon-git/rapid-response/blob/main/cups%20RCE/cups_potential_rce_abuse.sql

Axon reports have also been published for Team Axon customers, including an updated list of deliverables.

We continue to monitor the CUPS vulnerability and will provide further updates as necessary. Should you have any questions regarding the queries or any other concerns, please don't hesitate to reach out.

Sincerely,
Team Axon
Posted Oct 01, 2024 - 16:00 UTC
Update
Dear Customers,

Following our recent update regarding the CUPS vulnerability, we would like to inform you that our team is still actively researching this issue.

This vulnerability allows for remote code execution through a chain of exploits in the CUPS package, which is responsible for managing print jobs and queues, including internet-based printing.
The attack requires a victim to print through a malicious printer registered by the attacker.

We've observed the publication of several Proof-of-Concepts related to this vulnerability, and as it has gained significant attention, new details continue to emerge.

According to the vulnerability's publisher, the following packages are affected:
- cups-browsed 2.0.1 or earlier
- libcupsfilters 2.1b1 or earlier
- libppd 2.1b1 or earlier
- cups-filters 2.0.1 or earlier

While we continue to research the details, here are some recommended mitigation steps:
- If the cups-browsed service is not required, consider disabling it.
- Update the CUPS package on relevant systems.
- If your system cannot be updated or requires the service, block all traffic to UDP port 631.
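To help turn the affected-version list above into an inventory check, here is an added example (not part of the Axon deliverables or the original update). It compares installed package versions against the "or earlier" ceilings quoted from the vulnerability's publisher; the package inventory passed in is a constructed sample, and the version parser understands upstream cups-filters style "X.Y.Z" and "X.YbN" beta strings, ignoring any distribution epoch or revision suffix (so a distro that backported the fix without bumping the upstream version will still be reported as affected and needs to be checked by changelog instead).

```python
import re
from typing import Dict, List, Optional, Tuple

# Affected ceilings as quoted in the advisory text above ("<= version").
AFFECTED_MAX_VERSIONS: Dict[str, str] = {
    "cups-browsed": "2.0.1",
    "libcupsfilters": "2.1b1",
    "libppd": "2.1b1",
    "cups-filters": "2.0.1",
}

# Optional "epoch:" prefix, dotted release, optional "bN" beta, optional
# distro revision ("-1", "+deb12u1", "~bpo") which is ignored.
_VERSION_RE = re.compile(r"^(?:\d+:)?(\d+(?:\.\d+)*)(?:b(\d+))?(?:[-+~].*)?$")


def parse_version(text: str) -> Tuple[Tuple[int, ...], Optional[int]]:
    """Parse 'X.Y.Z' or 'X.YbN' into (release_tuple, beta_number_or_None)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    beta = int(m.group(2)) if m.group(2) is not None else None
    return release, beta


def version_key(text: str) -> Tuple[Tuple[int, ...], Tuple[int, int]]:
    """Sortable key: a beta (2.1b1) sorts before the final release (2.1)."""
    release, beta = parse_version(text)
    padded = release + (0,) * (3 - len(release))  # 2.1 compares as 2.1.0
    pre = (0, beta) if beta is not None else (1, 0)
    return padded, pre


def is_affected(package: str, installed_version: str) -> bool:
    """True if the package is on the affected list and at or below the ceiling."""
    ceiling = AFFECTED_MAX_VERSIONS.get(package)
    if ceiling is None:
        return False
    return version_key(installed_version) <= version_key(ceiling)


def check_inventory(inventory: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return the (package, version) pairs from an inventory still in the affected range."""
    return sorted((p, v) for p, v in inventory.items() if is_affected(p, v))


if __name__ == "__main__":
    # Constructed sample inventory, as a package manager listing might be exported.
    sample = {
        "cups-browsed": "2.0.1-1",     # affected (2.0.1 <= 2.0.1)
        "libcupsfilters": "2.1b2",     # not affected (beta 2 > beta 1)
        "libppd": "2.1b1",             # affected
        "cups-filters": "2.0.2",       # not affected
        "cups": "2.4.7",               # not on the list
    }
    for pkg, ver in check_inventory(sample):
        print(f"AFFECTED {pkg} {ver}")
```

Run it against a real inventory by feeding the output of your package manager (for example `dpkg-query -W -f='${Package} ${Version}\n'` on Debian-based hosts) into a dict; hosts that report an affected entry are candidates for the mitigation steps listed above.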

Our team will provide further updates and potential deliverables as more information becomes available.

Sincerely,
Team Axon
Posted Sep 29, 2024 - 18:07 UTC
Investigating
Team AXON is aware of a publication about a potentially critical RCE flaw related to CUPS, affecting UNIX systems.
According to the publications, this vulnerability allows a remote, unauthenticated attacker to silently replace the IPP URLs of existing printers (or install new printers) with a malicious one, resulting in arbitrary command execution on the host when a print job is started.
This vulnerability can be exploited from within the LAN and, more severely, from the public internet.

The vulnerability is still under team AXON's evaluation. However, the initial information indicates that the vulnerability can be exploited using a UDP packet to port 631 of the victim host from the internet.

Hence, we created a visibility dashboard to identify hosts that received traffic from external IP addresses to UDP port 631.
This dashboard can be found in the Hunters portal, by navigating to:
"Data" --> "Visibility" --> "UNIX - Potential CUPS RCE - Visibility Dashboard - Incoming UDP Network Traffic (port 631) from External IPv4 Addresses"
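The dashboard logic described above (inbound UDP to port 631 from external IPv4 sources) can be reproduced locally over exported flow records; the following is an added example and not the Hunters dashboard query itself. It assumes a generic "src_ip dst_ip proto dst_port" record format, and the flow lines are constructed. Note that it classifies "external" with an explicit list of RFC 1918, loopback, link-local and CGNAT ranges rather than Python's `is_private`, because `is_private` also treats the RFC 5737 documentation addresses used in the sample as non-public.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed sample flow export (not real telemetry): "<src_ip> <dst_ip> <proto> <dst_port>".
SAMPLE_FLOWS = """\
198.51.100.23 10.0.0.5 udp 631
10.0.0.7 10.0.0.5 udp 631
203.0.113.9 10.0.0.5 tcp 631
203.0.113.44 10.0.0.8 udp 631
2001:db8::1 10.0.0.9 udp 631
192.0.2.200 10.0.0.5 udp 53
"""

# Address ranges treated as internal for this check (assumption; adjust to your estate).
INTERNAL_V4 = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10")
]


def is_external_ipv4(addr: str) -> bool:
    """True for an IPv4 address outside the internal ranges (and not multicast)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    if ip.version != 4 or ip.is_multicast:
        return False
    return not any(ip in net for net in INTERNAL_V4)


def parse_flow(line: str) -> Optional[Dict[str, object]]:
    """Parse one record; returns None for malformed lines so a bad row does not abort the scan."""
    parts = line.split()
    if len(parts) != 4 or not parts[3].isdigit():
        return None
    return {"src": parts[0], "dst": parts[1], "proto": parts[2].lower(), "dport": int(parts[3])}


def find_external_udp_631(flow_text: str) -> List[Dict[str, object]]:
    """Return the flows that are UDP to port 631 with an external IPv4 source."""
    hits = []
    for line in flow_text.splitlines():
        f = parse_flow(line)
        if f and f["proto"] == "udp" and f["dport"] == 631 and is_external_ipv4(f["src"]):
            hits.append(f)
    return hits


def hosts_by_external_source(flow_text: str) -> Dict[str, List[str]]:
    """Group flagged flows by destination host -> sorted, de-duplicated external sources."""
    grouped: Dict[str, set] = {}
    for f in find_external_udp_631(flow_text):
        grouped.setdefault(str(f["dst"]), set()).add(str(f["src"]))
    return {dst: sorted(srcs) for dst, srcs in sorted(grouped.items())}


if __name__ == "__main__":
    for dst, srcs in hosts_by_external_source(SAMPLE_FLOWS).items():
        print(f"{dst}: inbound UDP/631 from {', '.join(srcs)}")
```

Hosts that appear in the output are the ones to cross-check against the affected package versions and, where cups-browsed is not needed, to disable it or block UDP port 631 as recommended above.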

Our team will provide updates, including potential deliverables, after analyzing and assessing the vulnerability in depth. Any customers identified as impacted will be notified directly.

For further assistance, please don't hesitate to contact us.

Sincerely,
Team AXON
Posted Sep 26, 2024 - 21:34 UTC
This incident affected: Rapid Response.