[New Rules] CVE-2024-x.x.x.x.x (CUPS/Foomatic-RIP RCE) #4106
Merged (+683 −0)
Aegrah added the labels OS: Linux, Rule: New (Proposal for new rule), Domain: Endpoint, emerging-threat and Team: TRADE on Sep 27, 2024, and requested review from Mikaayenson, brokensound77, w0rk3r, Samirbous, shashank-elastic, terrancedejesus and eric-forte-elastic on September 27, 2024 09:54.
Samirbous approved these changes on Sep 27, 2024, with a (resolved) review comment on rules/linux/execution_cupsd_foomatic_rip_suspicious_child_execution.toml.
Mikaayenson approved these changes on Sep 27, 2024.
eric-forte-elastic approved these changes on Sep 27, 2024:
LGTM 🚀
terrancedejesus approved these changes on Sep 27, 2024.
protectionsmachine pushed a commit that referenced this pull request on Sep 27, 2024:
* [New Rules] CVE-2024-x.x.x.x.x (CUPS/Foomatic-RIP RCE) * Description update * Investigation Guide Update (cherry picked from commit a3e89a7)
Labels: backport: auto, Domain: Endpoint, emerging-threat, OS: Linux, Rule: New (Proposal for new rule), Team: TRADE
Summary
A set of vulnerabilities in the CUPS printing system (CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177) allows remote unauthenticated attackers to achieve remote code execution (RCE) by sending UDP packets to port 631 or through local network-based attacks, such as spoofing mDNS or DNS-SD advertisements. These flaws affect components like cups-browsed, libcupsfilters, libppd, and foomatic-rip, enabling attackers to replace or install malicious printer configurations, which could lead to arbitrary command execution when a print job is started. The detection rules aim to identify suspicious IPP requests and command execution attempts to mitigate the risk of exploitation from these vulnerabilities.
Detections
This PR adds 5 new detection rules, all focusing on different behaviors that are part of the attack chain:
Cupsd or Foomatic-rip Shell Execution
This rule detects shell executions from the foomatic-rip parent process. This detection rule detects all 33 attempts that we ran with the POC.
Printer User (lp) Shell Execution
This rule detects shell executions from the foomatic-rip parent process through the default printer user (lp). This query is broader, but will only work when your Cups/foomatic-rip processes run as the lp-user. You can alter this query to a different user.name if this is different in your environment.
Network Connection by Cups Foomatic-rip Child
This rule detects network connections initiated by child processes of foomatic-rip. This should be suspicious. If these services do communicate in your environment, make sure to whitelist destination IPs.
File Creation by Cups Foomatic-rip Child
This rule detects suspicious file creation events executed by child processes of foomatic-rip. The default PoCs test by writing a file to /tmp/, which would be detected through this rule. Additionally, if the attacker were to download a stage and execute it manually afterwards, this rule would detect the file creation event.
This rule excludes /tmp/gs_*, because this is the default pattern. If you want to be more secure, remove the whitelisting. It will become noisier though.
Suspicious Execution from Foomatic-rip or Cupsd Parent
This rule detects suspicious process command lines executed by child processes of foomatic-rip and cupsd. The command lines focus on persistence, file downloading, encoding/decoding activity, reverse shells, shared-object loading through GTFOBins and more.
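To make the described behaviours concrete, here is an added Python re-implementation of four of the five rules, run over constructed sample process, file and network events. This is example code, not the EQL/TOML rules this PR adds; the shell list, the ECS field names, and the reading of the lp rule as keyed on the user rather than the parent are assumptions.

```python
import fnmatch

# Assumed from the PR description: shell names, the lp user and the /tmp/gs_* exclusion.
# Field names follow ECS (event.category, process.parent.name, user.name, file.path).
SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}
EXCLUDED_FILE_GLOBS = ("/tmp/gs_*",)
def _is_exec(ev):
    return ev.get("event.category") == "process" and ev.get("event.action") == "exec"
def shell_from_cups(ev):
    """Cupsd or Foomatic-rip Shell Execution: a shell spawned directly by the printer stack."""
    return (_is_exec(ev) and ev.get("process.parent.name") in {"foomatic-rip", "cupsd"}
            and ev.get("process.name") in SHELLS)

def lp_user_shell(ev):
    """Printer User (lp) Shell Execution: keyed on user.name, not the parent (assumed reading)."""
    return _is_exec(ev) and ev.get("user.name") == "lp" and ev.get("process.name") in SHELLS

def net_by_child(ev):
    """Network Connection by Cups Foomatic-rip Child."""
    return ev.get("event.category") == "network" and ev.get("process.parent.name") == "foomatic-rip"

def file_by_child(ev):
    """File Creation by Cups Foomatic-rip Child, minus the default /tmp/gs_* pattern."""
    key = (ev.get("event.category"), ev.get("event.action"), ev.get("process.parent.name"))
    if key != ("file", "creation", "foomatic-rip"):
        return False
    return not any(fnmatch.fnmatch(ev.get("file.path", ""), g) for g in EXCLUDED_FILE_GLOBS)

RULES = {"Cupsd or Foomatic-rip Shell Execution": shell_from_cups,
         "Printer User (lp) Shell Execution": lp_user_shell,
         "Network Connection by Cups Foomatic-rip Child": net_by_child,
         "File Creation by Cups Foomatic-rip Child": file_by_child}

def evaluate(events):
    """Map each event id to the names of the rules it triggers; silent events are omitted."""
    hits = {ev["id"]: [name for name, pred in RULES.items() if pred(ev)] for ev in events}
    return {eid: names for eid, names in hits.items() if names}

def event(eid, category, action=None, **fields):
    """Constructed sample telemetry: everything runs as lp under a foomatic-rip parent."""
    return {"id": eid, "event.category": category, "event.action": action,
            "user.name": "lp", "process.parent.name": "foomatic-rip", **fields}

SAMPLE_EVENTS = [
    event(1, "process", "exec", **{"process.name": "sh"}),          # PoC shell: two rules fire
    event(2, "file", "creation", **{"file.path": "/tmp/gs_k2Xq1"}),  # Ghostscript temp file: excluded
    event(3, "file", "creation", **{"file.path": "/tmp/poc.txt"}),   # PoC marker file: fires
    event(4, "network", **{"process.name": "curl"}),                 # child calls out: fires
    event(5, "process", "exec", **{"process.name": "gs"}),           # normal filter chain: silent
]
```

Running `evaluate(SAMPLE_EVENTS)` shows the /tmp/gs_* exclusion in action: event 2 is dropped while the otherwise identical event 3 is reported, which is the noise trade-off the description mentions.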
References