cups_browsed_external_internal

Explanation

This event is triggered by Netography's Fusion Portal when it detects traffic on UDP port 631 entering your network. This traffic indicates that there are very likely one or more CUPS printer servers exposed to the Internet. Inbound traffic on UDP/631 is associated with CVE-2024-47176, which is part of a longer exploit chain that could lead to Remote Code Execution (RCE) by an attacker.

The event does not necessarily mean that your CUPS servers have been exploited, or are even vulnerable, but you should strongly consider blocking inbound UDP port 631 at the firewall.

What to Look For

The exploit chain starting with CVE-2024-47176 works by forcing your CUPS server to request printer details from an attacker-controlled Internet Printing Protocol (IPP) server, and then creating a malicious PostScript Printer Description (PPD) file on the victim machine; RCE is not achieved until that PPD file is used to print a document.

Once outside access on UDP/631 is restricted, you should start by checking the victim server for unfamiliar printers and reviewing outbound connections closely after this event.
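
One way to script the outbound review described above, as an added example that is not Netography's code: it finds external-to-internal UDP/631 flows and lists the outbound connections each targeted host made shortly afterwards, marking any that went back to the UDP/631 sender. The flow tuple layout, the internal network ranges, the 10-minute window and all sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumption: the networks you treat as "internal"; adjust to your address plan.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flow records (time, src, dst, proto, dst port); not real traffic.
SAMPLE_FLOWS = [
    ("2024-10-01T12:00:00", "203.0.113.7", "10.0.5.20", "udp", 631),
    ("2024-10-01T12:00:02", "10.0.5.20", "203.0.113.7", "tcp", 8631),
    ("2024-10-01T12:00:30", "10.0.5.20", "198.51.100.9", "tcp", 443),
    ("2024-10-01T12:01:00", "10.0.5.21", "10.0.5.20", "udp", 631),    # internal only
    ("2024-10-01T14:00:00", "10.0.5.20", "203.0.113.7", "tcp", 8631),  # outside window
    ("2024-10-01T12:00:05", "10.0.9.9", "198.51.100.9", "tcp", 443),   # unrelated host
]

def is_internal(addr):
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def parse(flows):
    return [(datetime.fromisoformat(t), s, d, p, port) for t, s, d, p, port in flows]

def inbound_udp_631(flows):
    """External -> internal flows to UDP/631, the condition this event fires on."""
    return [f for f in parse(flows)
            if f[3] == "udp" and f[4] == 631 and not is_internal(f[1]) and is_internal(f[2])]

def outbound_to_review(flows, window=timedelta(minutes=10)):
    """Outbound connections from each targeted host within `window` after the hit."""
    parsed = parse(flows)
    findings = []
    for hit_time, sender, victim, _, _ in inbound_udp_631(flows):
        for t, src, dst, proto, port in parsed:
            if src == victim and not is_internal(dst) and hit_time <= t <= hit_time + window:
                findings.append({
                    "host": victim, "dst": dst, "proto": proto, "port": port,
                    # Highest priority: the host connected back to the UDP/631 sender.
                    "back_to_sender": dst == sender,
                })
    return findings

if __name__ == "__main__":
    for finding in outbound_to_review(SAMPLE_FLOWS):
        print(finding)
```

A finding with `back_to_sender` set is the pattern to investigate first, since it matches a CUPS host fetching printer details from the address that sent the UDP/631 packet.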

Related MITRE ATT&CK Categories

External Remote Services, Technique T1572 - Enterprise

Exploit Public-Facing Application, Technique T1572 - Enterprise