CVE-2024-47850
📋 TL;DR
CVE-2024-47850 is a vulnerability in CUPS cups-browsed that allows attackers to trigger HTTP POST requests to arbitrary destinations via a single IPP UDP packet. This can be exploited for DDoS amplification attacks by reflecting and amplifying traffic. Systems running vulnerable versions of cups-browsed with network exposure are affected.
💻 Affected Systems
- CUPS cups-browsed
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Large-scale DDoS amplification attacks using vulnerable systems as reflectors, potentially causing service disruption for targeted victims and consuming network bandwidth/resources on vulnerable hosts.
Likely Case
Exploitation in DDoS botnets to amplify attack traffic against third-party targets, potentially causing network congestion and service degradation.
If Mitigated
Limited impact if systems are patched, firewalled, or cups-browsed is disabled; attackers cannot leverage vulnerable systems for amplification.
🎯 Exploit Status
Exploitation requires sending a single IPP UDP packet to trigger HTTP POST requests, making it simple for attackers to weaponize in DDoS campaigns.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.5b1 and later
Vendor Advisory: https://github.com/OpenPrinting/cups-filters/security/advisories/GHSA-rq86-c7g6-r2h8
Restart Required: Yes
Instructions:
1. Update the cups-filters package to version 2.5b1 or later from your distribution's repository.
2. Restart the cups-browsed service: 'systemctl restart cups-browsed' or equivalent.
🔧 Temporary Workarounds
Disable cups-browsed service
Linux: Stop and disable the cups-browsed service if not needed for printer discovery.
systemctl stop cups-browsed
systemctl disable cups-browsed
Block UDP port 631 at firewall
Linux: Prevent external access to CUPS IPP service to block exploitation attempts.
iptables -A INPUT -p udp --dport 631 -j DROP
ufw deny 631/udp
🧯 If You Can't Patch
- Implement network segmentation to isolate systems with cups-browsed from untrusted networks.
- Deploy rate-limiting or DDoS protection on network perimeter to mitigate amplification traffic.
🔍 How to Verify
Check if Vulnerable:
Check cups-browsed version: 'cups-browsed --version' or 'dpkg -l | grep cups-browsed' on Debian/Ubuntu, 'rpm -q cups-filters' on RHEL/Fedora.
Check Version:
cups-browsed --version 2>&1 | head -1
Verify Fix Applied:
Confirm version is 2.5b1 or later and cups-browsed service is running with updated package.
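Alongside the version check, it helps to know whether UDP port 631 is bound on a non-loopback address at all. The script below is an added example, not part of the vendor advisory or the cups-filters project; it assumes `ss` from iproute2, the function names are hypothetical, and the sample input is constructed. It reports socket binding only, not whether a firewall rule is dropping the traffic.

```bash
#!/usr/bin/env bash
# Added example (not from the advisory): classify UDP/631 exposure.

# Reads `ss -H -uln` output on stdin and prints one word:
#   exposed  - UDP 631 is bound to a wildcard or non-loopback address
#   loopback - UDP 631 is bound only to 127.0.0.0/8 or ::1
#   closed   - nothing is bound to UDP 631
classify_udp631() {
    awk '
        {
            local_addr = $4                    # "Local Address:Port" column
            n = split(local_addr, parts, ":")
            port = parts[n]                    # text after the last colon
            if (port != "631") next
            addr = substr(local_addr, 1, length(local_addr) - length(port) - 1)
            sub(/%.*$/, "", addr)              # strip scope, e.g. 0.0.0.0%eth0
            gsub(/\[|\]/, "", addr)            # strip IPv6 brackets
            if (addr ~ /^127\./ || addr == "::1") lo = 1
            else ext = 1
        }
        END { print (ext ? "exposed" : (lo ? "loopback" : "closed")) }
    '
}

# Live check for the current host (hypothetical helper; call it manually).
check_host() {
    local state exposure
    state=$(systemctl is-active cups-browsed 2>/dev/null || true)
    exposure=$(ss -H -uln | classify_udp631)
    echo "cups-browsed service: ${state:-unknown}; UDP 631: ${exposure}"
}

# Constructed sample of `ss -H -uln` output so the parser can be tried offline.
sample_ss_output() {
    cat <<'EOF'
UNCONN 0 0 127.0.0.53%lo:53  0.0.0.0:*
UNCONN 0 0 0.0.0.0:631       0.0.0.0:*
UNCONN 0 0 0.0.0.0:5353      0.0.0.0:*
EOF
}

echo "sample: $(sample_ss_output | classify_udp631)"
```

Run `check_host` on a real system; a result of "exposed" together with an active cups-browsed service means the host still depends on patching or the firewall rule above.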
📡 Detection & Monitoring
Log Indicators:
- Unexpected HTTP POST requests from cups-browsed to external IPs in system logs
- High UDP traffic on port 631
Network Indicators:
- Spike in outbound HTTP traffic from cups-browsed hosts
- UDP packets to port 631 from unknown sources
SIEM Query:
source="cups-browsed" AND (http_method="POST" OR dest_ip!=local_subnet)
🔗 References
- https://github.com/OpenPrinting/cups
- https://github.com/OpenPrinting/cups-filters/security/advisories/GHSA-rq86-c7g6-r2h8
- https://www.akamai.com/blog/security-research/october-cups-ddos-threat
- http://www.openwall.com/lists/oss-security/2024/10/04/1
- https://security.netapp.com/advisory/ntap-20241011-0002/