An automated scanner has been launched to assist security professionals in detecting devices susceptible to the Common Unix Printing System (CUPS) remote code execution (RCE) vulnerability, tracked as CVE-2024-47176. This flaw allows attackers to execute arbitrary code remotely if specific conditions are met and was disclosed late last month by the discoverer, Simone Margaritelli.
While the RCE aspect of this vulnerability appears limited in real-world scenarios due to certain exploitation prerequisites, Akamai has demonstrated that CVE-2024-47176 could facilitate a 600x amplification in distributed denial-of-service (DDoS) attacks.
The scanner was developed by cybersecurity researcher Marcus Hutchins, also known as "MalwareTech," to help system administrators quickly scan their networks for devices running vulnerable cups-browsed services. According to Hutchins, the vulnerability exists because cups-browsed binds its control port (UDP port 631) to INADDR_ANY, exposing it to the internet. Since requests to this port are unauthenticated, any entity able to reach it can command cups-browsed to discover printers.
Even if the port is blocked from internet access due to firewalls or NAT, it may still be reachable within local networks, enabling potential privilege escalation and lateral movement. Hutchins emphasized, "For this reason, I've created this scanner designed to scan your local network for vulnerable cups-browsed instances."
The Python script (cups_scanner.py) establishes an HTTP server on the scanning machine, listening for incoming HTTP requests (callbacks) from network devices. The vulnerability arises from cups-browsed (a daemon within CUPS) binding its control port (UDP port 631) to INADDR_ANY, making it accessible to the network and allowing any system to send commands to it.
The scanner transmits a custom UDP packet to the network's broadcast address on port 631, sent to each IP address within a specified range, prompting CUPS instances to call back. If a device with a vulnerable cups-browsed instance receives the UDP packet, it processes the request and sends an HTTP callback to the scanner's server. Only the devices that respond are marked as vulnerable.
The scanner logs results in two files: cups.log, which includes the IP addresses and CUPS versions of the responding devices, and requests.log, which contains the raw HTTP requests received by the callback server for further analysis.
By utilizing this scanner, system administrators can strategize and implement targeted patching or reconfiguration actions to reduce the online exposure of CVE-2024-47176.
BleepingComputer has not evaluated the script and cannot guarantee its effectiveness or safety, so users should proceed with caution.
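The INADDR_ANY binding described above can also be checked from the host itself. The following is an added example, not part of Hutchins' scanner or the original article: it parses the Linux `/proc/net/udp` and `/proc/net/udp6` socket tables and reports UDP 631 sockets bound to anything other than loopback. The function names and the sample table are constructed for illustration, and the address decoding assumes a little-endian host.

```python
import ipaddress
import os
import struct

CUPS_BROWSED_PORT = 631  # UDP control port named in the article

# Constructed sample in /proc/net/udp layout (not captured from a real host).
SAMPLE_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  101: 00000000:0277 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 20001 2 0000000000000000 0
  102: 0100007F:0277 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 20002 2 0000000000000000 0
  103: 00000000:14E9 00000000:0000 07 00000000:00000000 00:00000000 00000000   112        0 20003 2 0000000000000000 0
"""

def parse_udp_table(text, ipv6=False):
    """Yield (ip, port, inode) per socket row; assumes a little-endian host."""
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue
        addr_hex, port_hex = fields[1].split(":")
        raw = bytes.fromhex(addr_hex)
        if ipv6:
            # The kernel prints four 32-bit words, each in host byte order.
            raw = struct.pack(">4I", *struct.unpack("<4I", raw))
            ip = ipaddress.IPv6Address(raw)
        else:
            ip = ipaddress.IPv4Address(raw[::-1])
        yield ip, int(port_hex, 16), int(fields[9])

def exposed_cups_sockets(text, ipv6=False):
    """Return (address, inode, scope) for UDP 631 sockets reachable off-host."""
    findings = []
    for ip, port, inode in parse_udp_table(text, ipv6):
        if port != CUPS_BROWSED_PORT or ip.is_loopback:
            continue
        scope = "all-interfaces" if ip.is_unspecified else "single-interface"
        findings.append((str(ip), inode, scope))
    return findings

if __name__ == "__main__":
    sources = [("/proc/net/udp", False), ("/proc/net/udp6", True)]
    live = [(p, v6) for p, v6 in sources if os.path.exists(p)]
    for path, v6 in live:
        with open(path) as fh:
            for addr, inode, scope in exposed_cups_sockets(fh.read(), v6):
                print(f"{path}: UDP {CUPS_BROWSED_PORT} on {addr} ({scope}), inode {inode}")
    if not live:
        print(exposed_cups_sockets(SAMPLE_UDP))
```

The reported inode can be matched against the `socket:[inode]` links under `/proc/<pid>/fd` to confirm that the owning process is cups-browsed before patching or reconfiguring it.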