this post was submitted on 30 Sep 2024

53 points (96.5% liked)

Linux

47559 readers

446 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
No misinformation
No NSFW content
No hate speech, bigotry, etc

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago

MODERATORS

[email protected]

OpenPrinting News Flash - cups-browsed Remote Code Execution vulnerability (openprinting.github.io)

submitted 4 days ago by [email protected] to c/[email protected]

14 comments fedilink hide all child comments

Exploit of a combination of several bugs - Overhyped but not that severe - Fixes already available

...

Canonical’s security team has acted immediately to quickly apply the patches which Michael Sweet (author and maintainer of CUPS) had already prepared for CUPS, cups-browsed, libcups-filters, libppd, and cups-filters (in the time from the first report until then I was some days off and I was also on the Open Source Summit Europe, thanks, Michael Sweet, for stepping in, also thanks to Zdenek Dohnal from Red Hat) to the appropriate in all supported Ubuntu versions, so that at the time of disclosure most fixes were already in place. They also reported in an Ubuntu blog. They tell users what to do, from turning off cups-browsed or at least its legacy CUPS browsing support to updating their systems as the fixes were already available. Thanks a lot to Seth Arnold, Marc Deslauriers, Diogo Sousa, Mark Esler, Luci Stanescu, and more.

...

The X post really overhyped the vulnerability. Attacks from the internet are not very probable due to the fact that servers on the internet do not have cups-browsed and CUPS installed and CUPS/cups-browsed setups are there usually only in NAT-protected local networks with desktop machines and print servers. And the remote code execution is also rather restricted, as CUPS filters are not running as root, but as the system user “lp” which cannot even read user’s home directories. In addition, the remote code execution only happens when a user actually prints a job on the fake printer. Actually assigned scores ended up between 8.4 and 9.1.

top 14 comments

sorted by: hot top controversial new old

[–] [email protected] 9 points 4 days ago (2 children)

Yep. While simple to prepare, this will affect almost nobody, as it requires the user to perform an increasingly rare action in a world that's often going paperless.

Also, the likelihood that a regular user will expose port 631 to the internet is probably close to zero. There's several uncommon pieces that have to be in place for this to work, to the point that it's not a simple matter to execute this exploit.

[–] [email protected] 4 points 4 days ago (2 children)

this will affect almost nobody

Is that really true? From https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/

Full disclosure, I’ve been scanning the entire public internet IPv4 ranges several times a day for weeks, sending the UDP packet and logging whatever connected back. And I’ve got back connections from hundreds of thousands of devices, with peaks of 200-300K concurrent devices.

[–] [email protected] 5 points 4 days ago (2 children)

The very next sentence:

Note that everything that is not Linux has been filtered out [in this filtered list of unique IPs]. That is why I was getting increasingly alarmed during the last few weeks.

They said they were getting duplicates and non-*nix hits with that 300k number, which doesn't help them (i.e. the hundreds of thousands of hits was artificially inflated). So yes, the threat is overblown.

Coupled with the fact that patches are already out, and it's easily mitigated by closing 631, and I don't expect this will be much of a problem for most people.

[–] [email protected] 1 points 4 days ago

Wait, which list of filtered IPs are you even talking about? The list in the article is a list of unique kernel versions, not IPs.

[–] [email protected] 1 points 4 days ago (1 children)

I'm not sure why you say it's "artificially" inflated. Non-linux systems are also affected.

[–] [email protected] 3 points 4 days ago (1 children)

How's that? If I'm running a Windows machine, how would a CUPS exploit affect me?

I'm not asking maliciously, but I genuinely don't grasp how that could be a viable attack vector.

[–] [email protected] 2 points 4 days ago

You would be vulnerable on Windows, if you were running CUPS, which you probably are not. But CUPS is not tied to Linux, and is used commonly on e.g. BSDs, and Apple has their own fork for MacOS (have not heard anything about it being vulnerable though).

[–] [email protected] 5 points 4 days ago

My guess is that most hits that scan is gonna catch is old enterprise networks, that has not been updated or maintained by security.

[–] serenissi 1 points 4 days ago (1 children)

ipv6 doesn't give the NAT. A malicious website can mount the attack.

[–] [email protected] 1 points 4 days ago (1 children)

How?

[–] serenissi 2 points 3 days ago* (last edited 3 days ago) (1 children)

Say I host a malicious server with ipv6 only. You visit the site without NAT. I get your ip and ip:631 is open (unless firewall and listen is restricted to prefix). Usual attack afterwards.

Edit: You need to have ipv6, for example many mobile networks.

[–] [email protected] 1 points 3 days ago (1 children)

I have full IPv6, none of my ports that I haven't explicitly whitelisted in the firewall can be accessed from the Internet. I can open a host completely, but it's not default. This is on the most common brand of consumer routers here.

Just because it's not NATted doesn't mean there's no firewall in place.

[–] serenissi 1 points 2 days ago

Yeah ofcourse firewall is the good idea here. I personally have firewall on on every device so that I can manage what can connect and from where.

The point is though often people just disable firewalls (some distros do not install/enable by default too) to workarround certain issues quickly like kdeconnect not connecting, bridge not working and such. That's how I think the whole 'ipv4 NAT is the best (consumer) firewall' concept came popular.

[–] mlg 1 points 3 days ago

I don't know why the guy just assumed every linux and BSD machine runs cups-browsed by default?

It took me literally 5 seconds to check that it's disabled on Fedora by default.

Then he wrote a whole paragraph about how no one should use CUPS for printing because based off of his own analysis, it's some insanely crappy and insecure system.

Which is actually stupid because the only alternative is windows?????????? Which is universally known for printer driver and spooler vulnerabilities.

Then he got mad the the maintainer for patching before his disclosure.....