CVE-2024-47176
published 2024-09-26

Priority: P184 · medium 5.3 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 62.27% (99.1th percentile)

CUPS is a standards-based, open-source printing system, and `cups-browsed` contains network printing functionality including, but not limited to, auto-discovering print services and shared printers. `cups-browsed` binds to `INADDR_ANY:631`, causing it to trust any packet from any source, and can be made to send a `Get-Printer-Attributes` IPP request to an attacker-controlled URL. When combined with other vulnerabilities, such as CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177, an attacker can execute arbitrary commands remotely on the target machine without authentication when a print job is sent to the malicious printer.
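To check a host for the wildcard bind described above, the following added example (not part of the original page or of CUPS) parses the Linux `/proc/net/udp` table and reports UDP sockets bound to the all-zero address on port 631. The sample table is constructed, and the function names are this example's own.

```python
import os

IPP_PORT = 631  # 0x0277 in the hex encoding used by /proc/net/udp

# Constructed sample in /proc/net/udp layout (not captured from a real host).
SAMPLE_PROC_NET_UDP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when "
    "retrnsmt   uid  timeout inode ref pointer drops\n"
    " 101: 00000000:0277 00000000:0000 07 00000000:00000000 00:00000000 "
    "00000000     0        0 23456 2 0000000000000000 0\n"
    " 102: 0100007F:0277 00000000:0000 07 00000000:00000000 00:00000000 "
    "00000000     0        0 23457 2 0000000000000000 0\n"
    " 103: 00000000:14E9 00000000:0000 07 00000000:00000000 00:00000000 "
    "00000000   108        0 23458 2 0000000000000000 0\n"
)

def parse_proc_net_udp(text):
    """Yield (local_addr_hex, port, uid, inode) for each socket row."""
    for line in text.splitlines()[1:]:          # skip the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        addr_hex, port_hex = fields[1].rsplit(":", 1)
        yield addr_hex, int(port_hex, 16), int(fields[7]), fields[9]

def wildcard_ipp_listeners(text):
    """Return sockets bound to 0.0.0.0 (or ::) on UDP 631."""
    hits = []
    for addr_hex, port, uid, inode in parse_proc_net_udp(text):
        # An all-zero local address means "any interface" (INADDR_ANY).
        if port == IPP_PORT and set(addr_hex) == {"0"}:
            hits.append({"port": port, "uid": uid, "inode": inode})
    return hits

if __name__ == "__main__":
    for path in ("/proc/net/udp", "/proc/net/udp6"):
        if os.path.exists(path):
            with open(path) as fh:
                for hit in wildcard_ipp_listeners(fh.read()):
                    print(f"{path}: wildcard UDP/631 listener {hit}")
```

The table gives only the owning UID and socket inode, so confirm which process holds a reported socket (for example with `ss -ulpn`) before attributing it to `cups-browsed`.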

Affected

44 ranges · showing 25

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | cups | >= 0 < 2.3.3op2-3+deb11u10 | 2.3.3op2-3+deb11u10 |
| apple | cups | >= 0 < 2.3.3op2-3+deb11u9 | 2.3.3op2-3+deb11u9 |
| apple | cups | >= 0 < 2.4.2-3+deb12u9 | 2.4.2-3+deb12u9 |
| apple | cups | >= 0 < 2.4.2-3+deb12u8 | 2.4.2-3+deb12u8 |
| apple | cups | >= 0 < 2.4.10-3+deb13u1 | 2.4.10-3+deb13u1 |
| apple | cups | >= 0 < 2.4.10-2 | 2.4.10-2 |
| apple | cups | >= 0 < 2.4.10-4 | 2.4.10-4 |
| apple | cups | >= 0 < 2.4.10-2 | 2.4.10-2 |
| debian | cups | < cups 2.4.2-3+deb12u8 (bookworm) | cups 2.4.2-3+deb12u8 (bookworm) |
| debian | cups | < cups 2.4.2-3+deb12u9 (bookworm) | cups 2.4.2-3+deb12u9 (bookworm) |
| debian | cups-filters | < cups-filters 1.28.17-3+deb12u1 (bookworm) | cups-filters 1.28.17-3+deb12u1 (bookworm) |
| debian | cups-filters | | |
| debian | debian_linux | | |
| debian | libppd | < cups 2.4.2-3+deb12u8 (bookworm) | cups 2.4.2-3+deb12u8 (bookworm) |
| google | chrome_chrome | | |
| linuxfoundation | cups-filters | >= 0 < 1.28.7-1+deb11u3 | 1.28.7-1+deb11u3 |
| linuxfoundation | cups-filters | >= 0 < 1.28.17-3+deb12u1 | 1.28.17-3+deb12u1 |
| linuxfoundation | cups-filters | >= 0 < 1.28.17-5 | 1.28.17-5 |
| linuxfoundation | cups-filters | >= 0 < 1.28.17-5 | 1.28.17-5 |
| linuxfoundation | cups-filters | >= 0 < 1.27.4-1ubuntu0.4 | 1.27.4-1ubuntu0.4 |
| linuxfoundation | cups-filters | >= 0 < 1.27.4-1ubuntu0.3 | 1.27.4-1ubuntu0.3 |
| linuxfoundation | cups-filters | >= 0 < 1.28.15-0ubuntu1.4 | 1.28.15-0ubuntu1.4 |
| linuxfoundation | cups-filters | >= 0 < 1.28.15-0ubuntu1.3 | 1.28.15-0ubuntu1.3 |
| linuxfoundation | cups-filters | >= 0 < 1.8.3-2ubuntu3.5+esm2 | 1.8.3-2ubuntu3.5+esm2 |
| msrc | azl3_cups_1.28.17-3_on_azure_linux_3.0 | | |

Detection & IOCs (extracted from sources)

path: /tmp/
process: foomatic-rip
filename: cups_scanner.py

sigma

```
process where host.os.type == "linux" and event.type == "start" and
  event.action == "exec" and process.parent.name == "foomatic-rip" and
  process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")
  and not process.command_line like ("*/tmp/foomatic-*", "*-sDEVICE=ps2write*")
```

sigma

```
process where host.os.type == "linux" and event.type == "start" and
  event.action == "exec" and user.name == "lp" and
  process.parent.name in ("cupsd", "foomatic-rip", "bash", "dash", "sh",
    "tcsh", "csh", "zsh", "ksh", "fish") and
  process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")
  and not process.command_line like ("*/tmp/foomatic-*", "*-sDEVICE=ps2write*")
```

  • Monitor for foomatic-rip spawning any shell process (bash, dash, sh, tcsh, csh, zsh, ksh, fish) on Linux — this is highly anomalous and a strong indicator of CVE-2024-47176 exploitation chain activity.
  • Alert on any process execution by the `lp` user that spawns a shell; the lp user is the default printing group and is the execution context for CUPS RCE payloads.
  • Detect file writes to /tmp/ by the `lp` user, as PoC exploits commonly write payloads there as a first-stage indicator.
  • Monitor for outbound network connections initiated by child processes of foomatic-rip; legitimate print operations do not establish outbound connections.
  • Watch for unsolicited inbound UDP packets to port 631 from external/untrusted sources — this is the initial attack vector for CVE-2024-47176.
  • Detect CUPS servers generating repeated or looping IPP/HTTP requests to external hosts after receiving a single UDP probe — indicative of DDoS amplification abuse of CVE-2024-47176.
  • Hunt for the FoomaticRIPCommandLine directive appearing in PPD files written to disk — its presence indicates attacker-injected command execution payloads.
  • The lp user on many default Linux configurations has access to commands not required for printing (e.g., telnet), broadening post-exploitation capability.
  • Interactive reverse shells are not immediately available via this exploit because the lp user has no login shell, but creative techniques can still achieve this.
  • Approximately 58,000 out of 198,000+ exposed CUPS servers are estimated to be recruitable for DDoS amplification with a 600x amplification factor via a single UDP packet.
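The logic of the two process rules above, including their command-line exclusions, can be exercised offline. This is an added example, not part of the original page: the rule names, the event field layout and the sample events are all constructed here.

```python
from fnmatch import fnmatchcase

SHELLS = {"bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish"}
# Wildcards the rules exclude: normal foomatic-rip Ghostscript invocations.
BENIGN_PATTERNS = ("*/tmp/foomatic-*", "*-sDEVICE=ps2write*")

def is_excluded(command_line):
    """True when the command line matches one of the rules' exclusions."""
    return any(fnmatchcase(command_line, p) for p in BENIGN_PATTERNS)

def match_rules(ev):
    """Return the (hypothetical) names of the rules that fire for one event."""
    if (ev.get("os"), ev.get("type"), ev.get("action")) != ("linux", "start", "exec"):
        return []
    if ev.get("name") not in SHELLS or is_excluded(ev.get("command_line", "")):
        return []
    fired = []
    if ev.get("parent") == "foomatic-rip":
        fired.append("shell_from_foomatic_rip")
    if ev.get("user") == "lp" and ev.get("parent") in SHELLS | {"cupsd", "foomatic-rip"}:
        fired.append("shell_as_lp")
    return fired

def _ev(parent, name, user, command_line):
    return {"os": "linux", "type": "start", "action": "exec", "parent": parent,
            "name": name, "user": user, "command_line": command_line}

# Constructed process-start events (not real telemetry).
EVENTS = [
    # Ordinary print job: shell wrapper around Ghostscript, excluded by pattern.
    _ev("foomatic-rip", "sh", "lp", "sh -c gs -q -dBATCH -sDEVICE=ps2write -sOutputFile=- -"),
    # Shell under foomatic-rip with an unrelated command line: both rules fire.
    _ev("foomatic-rip", "sh", "lp", "sh -c echo constructed-test"),
    # Shell started by cupsd as lp: only the lp rule fires.
    _ev("cupsd", "bash", "lp", "bash -c echo constructed-test"),
    # Interactive login unrelated to printing: no match.
    _ev("sshd", "bash", "alice", "-bash"),
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["parent"], "->", ev["command_line"], "=>", match_rules(ev) or "no alert")
```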

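CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| osv | | 9.8 | CRITICAL | |
| vulncheck | | 5.3 | MEDIUM | |
| vendor_debian | | 8.6 | HIGH | |
| vendor_redhat | | 8.6 | HIGH | |
| vendor_ubuntu | | 8.6 | HIGH | |
| vendor_msrc | | 7.5 | HIGH | |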