CRITICAL: Vulnerable CUPS Special Report

DESCRIPTION LAST UPDATED: 2024-10-03

DEFAULT SEVERITY LEVEL: CRITICAL

This one-time Special Report contains information about CUPS instances accessible on port 631/UDP and vulnerable to CVE-2024-47176 as well as possibly vulnerable to RCE by chaining the vulnerability with CVE-2024-47076, CVE-2024-47175 and CVE-2024-47177.

For more details on these vulnerabilities please read Attacking-UNIX-systems-via-CUPS-Part-I.

Exposed CUPS services can also be potentially leveraged in DDoS amplification attacks – see When CUPS Runneth Over: The Threat of DDoS.

This scan was not conducted by Shadowserver.

Information contained in the report is obtained from an external source – thank you! 

IPs in this report are tagged cups;cve-2024-47176.

All events dated 2024-09-27 00:00:00 and shared on 2024-10-02.

Mitigation

Please take action if you receive an alert from us about a vulnerable host on your network:

  • Do not expose port 631/UDP (and 631/TCP) to the Internet. Use ACLs (Access Control Lists) on the Internet edge to protect all devices that might unknowingly expose port 631 UDP/TCP.
  • Deploy host filtering on the devices inside your network to manage who can access port 631.
  • Update your installation to a patched version as soon as possible. Please consult your vendor (Linux distribution) for patches.
  • If you do not use CUPS, consider removing it from your system entirely.

See the following advisories for more vulnerability details:

https://github.com/OpenPrinting/cups-browsed/security/advisories/GHSA-rj88-6mr5-rcw8
https://github.com/OpenPrinting/cups-filters/security/advisories/GHSA-p9rh-jxmq-gq47
https://github.com/OpenPrinting/libcupsfilters/security/advisories/GHSA-w63j-6g73-wmg5
https://github.com/OpenPrinting/libppd/security/advisories/GHSA-7xfx-47qg-grp6

Dashboard

You can view the Dashboard results by selecting source special on 2024-10-02. For example, you can view the World Map for vulnerable instances at https://dashboard.shadowserver.org/statistics/combined/map/?map_type=std&day=2024-10-02&source=special&geo=all&data_set=count&scale=log

About Special Reports

Shadowserver Special Reports are unlike all of our other standard free daily network reports.

Instead, we send out Special Reports in situations where we share one-time, high value datasets that we feel should be reported responsibly for maximum public benefit, such as in cases where we have a critical new vulnerability being exploited against potentially high value targets.

Note that the data shared across Special Reports may differ on a case-by-case basis, hence the report formats for different Special Reports may be different.

Filename: 2024-10-02-special

Fields

  • timestamp
    Timestamp when the IP address was seen, in UTC+0. This is set to 2024-10-02 00:00:00 to reflect the date the data was shared, but note that the actual scan dates are 2024-09-27, as given in the first_seen_time field.
  • ip
    IP address of the affected device
  • port
    Port queried (631)
  • protocol
    Protocol (UDP)
  • asn
    Autonomous System Number of the affected device
  • geo
    Country of the affected device
  • region
    Region of the affected device
  • city
    City of the affected device
  • hostname
    Hostname of the affected device (may be from reverse DNS)
  • naics
    North American Industry Classification System Code
  • sector
    Sector of the IP in question
  • tag
    Tag set to cups;cve-2024-47176
  • public_source
    Source of the data (not attributed)
  • status
    Unused
  • detail
    Unused
  • account
    Unused
  • method
    Unused
  • severity
    Severity level
  • hostname_source
    Source of the hostname
  • first_seen_time
    Time IP was first seen (set to 2024-09-27 00:00:00)
  • last_seen_time
    Time IP was last seen (set to 2024-09-27 00:00:00)
  • potential_exposure_time
    Unused

Sample

timestamp,ip,port,protocol,asn,geo,region,city,hostname,naics,sector,tag,infection,public_source,status,detail,account,method,severity,hostname_source,first_seen_time,last_seen_time,potential_exposure_time
"2024-10-02 00:00:00",1.0.94.240,631,udp,18144,JP,TOTTORI,YONAGO,240.94.0.1.megaegg.ne.jp,334290,Manufacturing,cups;cve-2024-47176,cups,,,,,,critical,ptr,"2024-09-27 00:00:00","2024-09-27 00:00:00",
"2024-10-02 00:00:00",1.1.104.178,631,udp,2519,JP,TOKYO,SHINJUKU,,518210,"Real Estate and Rental and Leasing",cups;cve-2024-47176,cups,,,,,,critical,,"2024-09-27 00:00:00","2024-09-27 00:00:00",
"2024-10-02 00:00:00",1.1.104.240,631,udp,2519,JP,TOKYO,SHINJUKU,,518210,"Real Estate and Rental and Leasing",cups;cve-2024-47176,cups,,,,,,critical,,"2024-09-27 00:00:00","2024-09-27 00:00:00",
"2024-10-02 00:00:00",1.1.106.168,631,udp,2519,JP,TOKYO,SHINJUKU,,518210,"Real Estate and Rental and Leasing",cups;cve-2024-47176,cups,,,,,,critical,,"2024-09-27 00:00:00","2024-09-27 00:00:00",
"2024-10-02 00:00:00",1.1.108.197,631,udp,2519,JP,TOKYO,SHINJUKU,,518210,"Real Estate and Rental and Leasing",cups;cve-2024-47176,cups,,,,,,critical,,"2024-09-27 00:00:00","2024-09-27 00:00:00",
"2024-10-02 00:00:00",1.1.112.25,631,udp,2519,JP,TOKYO,SHINJUKU,,518210,"Real Estate and Rental and Leasing",cups;cve-2024-47176,cups,,,,,,critical,,"2024-09-27 00:00:00","2024-09-27 00:00:00",
"2024-10-02 00:00:00",1.1.220.150,631,udp,23969,TH,"KRUNG THEP MAHA NAKHON BANGKOK",BANGKOK,node-iae.pool-1-1.dynamic.totinternet.net,517111,"National Security",cups;cve-2024-47176,cups,,,,,,critical,ptr,"2024-09-27 00:00:00","2024-09-27 00:00:00",
"2024-10-02 00:00:00",1.11.138.121,631,udp,17839,KR,SEOUL-TEUKBYEOLSI,SEOUL,,517111,Information,cups;cve-2024-47176,cups,,,,,,critical,,"2024-09-27 00:00:00","2024-09-27 00:00:00",
"2024-10-02 00:00:00",1.116.109.239,631,udp,45090,CN,"BEIJING SHI",BEIJING,,518210,"Data Processing, Hosting, and Related Services",cups;cve-2024-47176,cups,,,,,,critical,,"2024-09-27 00:00:00","2024-09-27 00:00:00",
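
Triage of this report format against your own address ranges, as an added example that is not part of the Shadowserver report or its tooling. The header is the one shown in the sample above; the data rows are constructed (RFC 5737 documentation addresses), and `triage` and `own_networks` are hypothetical names.

```python
import csv
import io
import ipaddress

# Header copied from the report sample; the three data rows are CONSTRUCTED
# test input (RFC 5737 documentation addresses), not real report data.
SAMPLE = '''timestamp,ip,port,protocol,asn,geo,region,city,hostname,naics,sector,tag,infection,public_source,status,detail,account,method,severity,hostname_source,first_seen_time,last_seen_time,potential_exposure_time
"2024-10-02 00:00:00",192.0.2.10,631,udp,64500,XX,REGION,CITY,print01.example.net,,,cups;cve-2024-47176,cups,,,,,,critical,ptr,"2024-09-27 00:00:00","2024-09-27 00:00:00",
"2024-10-02 00:00:00",198.51.100.7,631,udp,64501,XX,REGION,CITY,,,,cups;cve-2024-47176,cups,,,,,,critical,,"2024-09-27 00:00:00","2024-09-27 00:00:00",
"2024-10-02 00:00:00",192.0.2.200,631,udp,64500,XX,REGION,CITY,,,,cups,cups,,,,,,critical,,"2024-09-27 00:00:00","2024-09-27 00:00:00",
'''

CVE_TAG = "cve-2024-47176"


def triage(report_text, own_networks):
    """Return report rows inside own_networks that carry the CVE tag."""
    nets = [ipaddress.ip_network(n) for n in own_networks]
    hits = []
    for row in csv.DictReader(io.StringIO(report_text)):
        try:
            addr = ipaddress.ip_address((row["ip"] or "").strip())
        except ValueError:
            continue  # skip malformed or short rows instead of aborting
        if not any(addr in net for net in nets):
            continue
        # The tag field is a semicolon-separated list, e.g. cups;cve-2024-47176
        if CVE_TAG not in (row["tag"] or "").split(";"):
            continue
        hits.append({
            "ip": str(addr),
            "port": int(row["port"]),
            "protocol": row["protocol"],
            "hostname": row["hostname"] or None,
            # timestamp is the share date; first_seen_time is the scan date
            "observed": row["first_seen_time"],
            "severity": row["severity"],
        })
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE, ["192.0.2.0/24"]):
        print(hit)
```

The `observed` value is taken from first_seen_time rather than timestamp, so tickets raised from the output carry the scan date instead of the date the data was shared.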
