From 7dc705156b46cb2f898b1dc672b9508d4d0f2c09 Mon Sep 17 00:00:00 2001
From: Djalal Harouni <tixxdz@gmail.com>
Date: Thu, 3 Oct 2024 19:16:30 +0100
Subject: [PATCH] CVE: detect and mitigate cups foomatic-rip CVE-2024-47176
 2024-47177

https://www.cve.org/CVERecord?id=CVE-2024-47177
https://github.com/OpenPrinting/cups-browsed/security/advisories/GHSA-rj88-6mr5-rcw8
https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/

In Summary there are four vulnerabilities:

"CUPS is a standards-based, open-source printing system, and `cups-browsed` contains
network printing functionality including, but not limited to, auto-discovering print
services and shared printers. `cups-browsed` binds to `INADDR_ANY:631`, causing it
to trust any packet from any source, and can cause the `Get-Printer-Attributes` IPP
request to an attacker controlled URL. When combined with other vulnerabilities,
such as CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177, an attacker can execute
arbitrary commands remotely on the target machine without authentication when a
malicious printer is printed to."

The commands are executed through foomatic-rip binary, to detect such
executions run the following filter on tetragon JSON events:

  jq 'select(.process_exec != null) | \
     select(.process_exec.parent.binary | contains("foomatic-rip"))' \
     /var/log/tetragon/tetragon.log

This policy can detect and block foomatic-rip binary from executing
commands, however according to CUPS developers:
"...we can certainly recommend that people not use Foomatic, but there are likely
 hundreds of older printer models (before 2010) that are only supported through
 Foomatic."

Signed-off-by: Djalal Harouni <tixxdz@gmail.com>
---
 .../cve-cups-CVE-2024-47176-2024-47177.yaml   | 96 +++++++++++++++++++
 1 file changed, 96 insertions(+)
 create mode 100644 examples/tracingpolicy/cves/cve-cups-CVE-2024-47176-2024-47177.yaml

diff --git a/examples/tracingpolicy/cves/cve-cups-CVE-2024-47176-2024-47177.yaml b/examples/tracingpolicy/cves/cve-cups-CVE-2024-47176-2024-47177.yaml
new file mode 100644
index 00000000000..1f539c81064
--- /dev/null
+++ b/examples/tracingpolicy/cves/cve-cups-CVE-2024-47176-2024-47177.yaml
@@ -0,0 +1,96 @@
+# https://www.cve.org/CVERecord?id=CVE-2024-47177
+# https://github.com/OpenPrinting/cups-browsed/security/advisories/GHSA-rj88-6mr5-rcw8
+# https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/
+#
+# In Summary there are four vulnerabilities:
+#
+# "CUPS is a standards-based, open-source printing system, and `cups-browsed` contains
+#  network printing functionality including, but not limited to, auto-discovering print
+#  services and shared printers. `cups-browsed` binds to `INADDR_ANY:631`, causing it
+#  to trust any packet from any source, and can cause the `Get-Printer-Attributes` IPP
+#  request to an attacker controlled URL. When combined with other vulnerabilities,
+#  such as CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177, an attacker can execute
+#  arbitrary commands remotely on the target machine without authentication when a
+#  malicious printer is printed to."
+#
+# The final CVE-2024-47177 is with a score CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H (9.0 Critical)
+#
+# Detection:
+#
+# - Running default Tetragon with enable process credentials for user IDs details:
+#   https://tetragon.io/docs/installation/configuration/#enable-process-credentials
+#
+#   Query Tetragon JSON logs assuming they are in "/var/log/tetragon/tetragon.log":
+#
+#   jq 'select(.process_exec != null) | select(.process_exec.parent.binary | contains("foomatic-rip"))' \
+#         /var/log/tetragon/tetragon.log
+#
+#   Example output:
+#     {
+#       "process_exec": {
+#         "process": {
+#         "exec_id": "cm9yb25vYToyOTk4MDQ1MzgwOTcxNjoxMTI4OTA=",
+#         "pid": 112890,
+#         "uid": 7,
+#         "cwd": "/",
+#         "binary": "/bin/sh",
+#         "arguments": "-e -c \"touch /tmp/cups_exploit #\"",
+#         "process_credentials": {
+#           "uid": 7,
+#           "gid": 7,
+#           "euid": 7,
+#           "egid": 7,
+#         }
+#       },
+#       "parent": {
+#         "exec_id": "cm9yb25vYToyOTk4MDQ1MjMzNDEzOToxMTI4ODg=",
+#         "pid": 112888,
+#         "uid": 7,
+#         "cwd": "/",
+#         "binary": "/usr/lib/cups/filter/foomatic-rip"
+#         ...
+#
+#
+# Metigation:
+#
+#  * Disable BrowerRemoteProtocol in /etc/cups/cups-browsed.conf
+#    https://ubuntu.com/blog/cups-remote-code-execution-vulnerability-fix-available
+#
+#  * Update this Tracing Policy to kill execution of commands by foomatic-rip binary, however
+#    foomatic-rip is part of Foomatic, a comprehensive database of printers, printer drivers,
+#    and driver descriptions. It is a universal print filter which is used as a CUPS filter
+#    to translate PostScript and PDF from standard input or a file to the printer's native
+#    language. The translation is done with an external renderer, usually Ghostscript gs
+#    tool.
+#
+#    According to the CUPS developers:
+#    "...we can certainly recommend that people not use Foomatic, but there are likely hundreds
+#     of older printer models (before 2010) that are only supported through Foomatic."
+#
+
+apiVersion: cilium.io/v1alpha1
+kind: TracingPolicy
+metadata:
+  name: "cve-cups-2024-47176-2024-47177"
+  annotations:
+    url: "https://www.cve.org/CVERecord?id=CVE-2024-47177"
+    description: "Detects and Prevents exploitation of cups CVE-2024-47177"
+    author: "Tetragon.io Team"
+spec:
+  kprobes:
+  - call: "security_bprm_check"
+    syscall: false
+    args:
+    - index: 0
+      type: "linux_binprm"
+    message: "Foomatic-rip print filter/RIP wrapper executing a command"
+    tags: [ "cve.2024-47176", "cve.2024-47177", "severity.critical" ]
+    selectors:
+    - matchBinaries:
+      - operator: "In"
+        values:
+        # Add your foomatic-rip paths here
+        - "/usr/lib/cups/filter/foomatic-rip"
+        - "/lib/cups/filter/foomatic-rip"
+      #matchActions:  # Uncomment this to kill all execution from foomatic-rip
+      #- action: Sigkill