Summary

  • A recent LetsDefend alert has led to an investigation of a potential security threat known as CUPS RCE Detection via IPP Injection (CVE-2024-47177).
  • CUPS is an open-source printing system widely used across UNIX-like operating systems.
  • The cups-filters package, which is used in CUPS 2.x on non-Mac OS systems, contains a critical flaw in its handling of the FoomaticRIPCommandLine parameter, which can be abused to execute arbitrary commands.
  • The LetsDefend alert provided some indicators of compromise (IOCs) to analyse, including the destination and source IP addresses and a suspicious URL.
  • Based on the information provided, attackers exploit CVE-2024-47177 by injecting malicious commands within the Printer Job Submission packet, thereby inducing the printing system to execute unintended commands on the host system. It is believed that this vulnerability stemmed from a logic bug related to conical filtering within the CUPS system.
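
A defender-side check for the flaw described above, added here as an example and not taken from the original article or the LetsDefend alert: it scans printer description (PPD) text for FoomaticRIPCommandLine directives that would run anything other than an expected renderer. The allowlist, the HTML-entity decoding and both sample PPD strings are assumptions constructed for this example.

```python
import html
import re

# Assumption for this example: the only programs this site expects
# foomatic-rip to launch. Adjust to the drivers actually deployed.
ALLOWED_PROGRAMS = {"gs", "foomatic-gswrapper"}

# A quoted PPD value may span several lines; it ends at the closing quote.
DIRECTIVE = re.compile(r'^\*FoomaticRIPCommandLine:\s*"(.*?)"', re.S | re.M)

# Constructed sample inputs (not captured from a real incident).
SAMPLE_BENIGN = (
    '*PPD-Adobe: "4.3"\n'
    '*FoomaticRIPCommandLine: "gs -q -dBATCH -dSAFER -dNOPAUSE\n'
    ' -sDEVICE=ljet4 -sOutputFile=- -"\n'
)
SAMPLE_SUSPICIOUS = (
    '*PPD-Adobe: "4.3"\n'
    '*FoomaticRIPCommandLine: "echo constructed-marker > /tmp/example-marker"\n'
)

def scan_ppd(ppd_text):
    """Return (line_number, command, reasons) for each suspicious directive."""
    findings = []
    for m in DIRECTIVE.finditer(ppd_text):
        # Collapse line breaks; assumption: values may carry HTML-style
        # entities such as &quot; that need decoding before inspection.
        command = html.unescape(" ".join(m.group(1).split()))
        reasons = []
        if re.search(r"\$\(|`", command):
            reasons.append("command substitution")
        if re.search(r"[<>]", command):
            reasons.append("redirection")
        # Check the program at the start of every pipeline or list stage.
        for stage in re.split(r"\|\||&&|[|;&]", command):
            words = stage.split()
            if words and words[0] not in ALLOWED_PROGRAMS:
                reasons.append(f"unexpected program: {words[0]}")
        if reasons:
            line_no = ppd_text.count("\n", 0, m.start()) + 1
            findings.append((line_no, command, reasons))
    return findings

if __name__ == "__main__":
    for finding in scan_ppd(SAMPLE_SUSPICIOUS):
        print(finding)
```

This is a heuristic: a legitimate driver that uses a renderer outside the allowlist will be flagged and needs manual review.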

By Ghostploit
