-10.4 C
New York
Monday, December 23, 2024

New scanner finds Linux, UNIX servers uncovered to CUPS RCE assaults


New scanner finds Linux, UNIX servers uncovered to CUPS RCE assaults

An automatic scanner has been launched to assist safety professionals scan environments for gadgets susceptible to the Widespread Unix Printing System (CUPS) RCE flaw tracked as CVE-2024-47176.

The flaw, which permits attackers to carry out arbitrary distant code execution if sure circumstances are met, was disclosed late final month by the one who found it, Simone Margaritelli.

Though its RCE side seems restricted in real-world deployments as a result of conditions for exploitation, Akamai later confirmed that CVE-2024-47176 additionally opened the chance for 600x amplification in distributed denial of service (DDoS) assaults.

The scanner was created by cybersecurity researcher Marcus Hitchins (aka “MalwareTech”), who created the scanner to assist system directors scan their networks and shortly establish gadgets operating susceptible CUPS-Browsed providers.

“The vulnerability arises from the truth that cups-browsed binds its management port (UDP port 631) to INADDR_ANY, exposing it to the world. Since requests are usually not authenticated, anybody able to reaching the management port can instruct cups-browsed to carry out printer found.”

“In instances when the port isn’t reachable from the web (attributable to firewalls or NAT), it could nonetheless be reachable by way of the native community, enabling privilege escalation and lateral motion.”

“Because of this, I’ve created this scanner designed to scan your native community for susceptible cups-browsed cases.” – Marcus Hitchins

How the scanner works

The Python script (cups_scanner.py) units up an HTTP server on the scanning machine that listens for incoming HTTP requests (callbacks) from gadgets on the community.

CVE-2024-47176 arises from CUPS-browsed (a daemon a part of CUPS) binding its management port (UDP port 631) to INADDR_ANY, exposing the port to the community and permitting any system to ship instructions to it.

The scanner sends a customized UDP packet to the community’s broadcast handle on port 631, despatched to every IP handle within the specified vary, telling CUPS cases to ship a request again.

If a tool operating a susceptible cups-browsed occasion receives the UDP packet, it can interpret the request and ship an HTTP callback to the server, so solely people who reply are marked as susceptible.

Example scan and results
Instance scan and outcomes
Supply: GitHub

The outcomes are written in two logs: one (cups.log) containing the IP addresses and CUPS model of the gadgets that responded and one (requests.log) containing the uncooked HTTP requests acquired by the callback server that can be utilized for deeper evaluation.

Through the use of this scanner, system directors can plan and execute focused patching or reconfiguration motion, minimizing the publicity of CVE-2024-47176 on-line.

BleepingComputer has not examined the script and can’t guarantee its effectiveness or security, so you need to use it at your individual threat.

Related Articles

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Latest Articles