
A system is potentially vulnerable only if all of the following conditions are met:

  • The cups-browsed package (version 2.0.1 or lower) must be installed
  • The cups-browsed service is started/enabled and listening on UDP port 631
  • The server must be accessible to the attacker (either exposed to the public internet or on a network the attacker can reach)

To exploit this chain of vulnerabilities, an attacker must trick a user into printing from a malicious printer server that has been created by the attacker.


Trend Micro Protection & Detection Against Exploitation

First and foremost, users should always apply vendor-specific patches when they are available. At the moment, official patches have not yet been released for all Linux variants, but systems that do not require printing capabilities can mitigate the issue by either removing the cups-browsed package or stopping and disabling the cups-browsed service.
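
To check a host against the conditions listed above and to confirm that the mitigation took effect, the following shell script can be used. It is an added example, not Trend Micro code; it assumes a systemd host with dpkg or rpm and the `ss` utility, and the function names and verdict strings are illustrative.

```sh
#!/bin/sh
# Added example: checks the advisory's local conditions for cups-browsed.
# Whether an attacker can reach the host (third condition) is not checked here.
MAX_AFFECTED="2.0.1"   # advisory: version 2.0.1 or lower is affected

# version_le A B: succeeds when dotted version A <= B.
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 0 }'
}

# udp_631_open: reads `ss -lun` output on stdin; succeeds if a socket is bound to port 631.
udp_631_open() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /:631$/) hit = 1 } END { exit !hit }'
}

# assess VERSION ACTIVE ENABLED: prints a verdict; the socket list is read from stdin.
# VERSION is the upstream version, or empty when the package is not installed.
assess() {
    if [ -z "$1" ]; then echo "OK: cups-browsed not installed"; return 0; fi
    if ! version_le "$1" "$MAX_AFFECTED"; then echo "OK: version $1 is above $MAX_AFFECTED"; return 0; fi
    if udp_631_open; then
        echo "EXPOSED: cups-browsed $1 installed and UDP 631 is bound"; return 2
    fi
    if [ "$2" = "active" ] || [ "$3" = "enabled" ]; then
        echo "WARN: cups-browsed $1 service is $2/$3 but UDP 631 is not bound"; return 1
    fi
    echo "OK: cups-browsed $1 installed but stopped and disabled"
}

# check_host: gathers the three inputs from the local machine and calls assess.
check_host() {
    ver=$(dpkg-query -W -f='${Version}' cups-browsed 2>/dev/null ||
          rpm -q --qf '%{VERSION}' cups-browsed 2>/dev/null) || ver=""
    ver=${ver#*:}; ver=${ver%%-*}    # drop Debian epoch and distro revision
    active=$(systemctl is-active cups-browsed 2>/dev/null)
    enabled=$(systemctl is-enabled cups-browsed 2>/dev/null)
    ss -lun 2>/dev/null | assess "$ver" "$active" "$enabled"
}

if [ "${1:-}" = "--host" ]; then check_host; fi
```

Run it with `--host` to inspect the local machine; exit status 2 means an affected version is installed and UDP 631 is bound, and 1 means the service is still active or enabled without the port being bound.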

Trend Vision One™ 

Trend Micro has added a Time-Critical Vulnerability alert to the Trend Vision One Executive Dashboard that will be continually updated with additional information related to prevention and detection as it becomes available.

In addition to the vendor patch(es) that should be applied, Trend Micro has released some detection rules and filters that may help provide additional protection and detection of malicious components associated with this vulnerability. Since a successful attack requires a chain of all of the related vulnerabilities, mitigating against parts of the chain can protect against the entire attack:

Trend Vision One - Endpoint Security, Deep Security & Vulnerability Protection IPS Rules

  • 1012160 - CUPS Remote Code Execution Vulnerability (CVE-2024-47076)

Trend Cloud One - Network Security & TippingPoint Digital Vaccine (DV) Filters

  • 44867 - IPP: CUPS Code Execution Vulnerability

 

Trend Micro Products/Services Potentially Affected


Below is the confirmed list of Trend Micro products that have been reviewed for potential impact. Products not listed may still be under investigation, and any additional information will be added here as necessary.

Several 3rd party vulnerability scanners may flag some of the following products as "affected" by this vulnerability. It is important to note that many, if not all, of these vulnerability scanners only search for library or component versions and DO NOT or CANNOT take into consideration the actual configuration, context and/or scenarios that make a certain component "vulnerable" to a particular exploit.

In our analysis, Trend Micro takes into account the entire scenario necessary to exploit a particular vulnerability in making a determination of whether or not a particular product may be vulnerable to a specific vulnerability. In this case, any flagging by a 3rd party vulnerability scanner on one of the mentioned products that are marked "Not Affected" should be treated as a False Positive.


Trend Micro Product/Service | Status
InterScan Messaging Security Virtual Appliance (IMSVA) | Not Affected (Does not use impacted component)