• oskarkk 12 hours ago
    • bshipp 11 hours ago

      This is entertaining reading. Although I don't know how pervasive this issue is, from the chunk I have read so far I can see why he was concerned that it was relatively trivial to have a target system accept anything identifying itself as a printer and being able to inject malicious code into the machine.

      I was going to make fun of him wasting his sabbatical on hacking a printer service but I gotta admit I'd have fallen down the same rabbit hole if I stumbled on it. It's a cool hack.

    • jiripospisil 14 hours ago

      > Full disclosure happening at 20:00 UTC today, in a bit more than 2 hours.

      > Also, to temper some concern about @evilsocket recent research... His bugs are in a thing that none of you should have installed so when it's published, please just uninstall that junk. Hopefully the response of the developer shows how badly you need to remove it.

      https://x.com/evilsocket/status/1839361276813902240

      https://x.com/jduck/status/1839312872817803570

      • jiripospisil 12 hours ago

        Almost certainly CUPS related.

        • bshipp 12 hours ago

          From an eating-popcorn perspective, I would find it truly entertaining that a printer package could somehow result in a 9.9 security vulnerability that is somehow worse than Heartbleed. How many Linux systems actually have CUPS installed and active?

          • Alex-Programs 12 hours ago

            My desktop did. It wasn't publicly exposed though. Past tense - I just purged it.

            I doubt many exposed servers have CUPS.

            Edit: The article says he did an internet scan showing hundreds of thousands of vulnerable machines.

      • broknbottle 12 hours ago

        It's been obvious that it's CUPS as it was reported to affect Linux, BSD, macOS, etc. The guy even forked the repo on GitHub a couple weeks ago.

        Very lukewarm and overhyped imo. It's a bit sad that the person spent weeks of their vacation on this.

        https://github.com/OpenPrinting/cups-browsed/issues/36

        • error9348 17 hours ago

          Original source seems to be https://archive.is/wwoQZ

          • karmakaze 17 hours ago

            Devs need to include security pervasively (like they have ops for deployments).

              * Canonical, RedHat and others have confirmed the severity, a 9.9, check screenshot.
              * Devs are still arguing about whether or not some of the issues have a security impact.
            
            > I've spent the last 3 weeks of my sabbatical working full time on this research, reporting, coordination and so on with the sole purpose of helping and pretty much only got patronized because the devs just can't accept that their code is crap - responsible disclosure: no more.

            With a confirmed 9.9 there's no need to argue, get the top priorities done, work on others on the possibility they need to be released as well. The act of working on them will usually give a clear answer if it could have security impact. Don't have armchair debates. You can't find loopholes if your mindset is that there are none.

            • ajdude 18 hours ago

              > A 9.9 CVE has been announced for Linux. Remote code execution. No details yet. Heartbleed was 7.5, for reference. This is one of the worst in history. All GNU/Linux systems impacted.

              Wonder how bad this is.
              • wannacboatmovie 18 hours ago

                What about non-GNU Linux? Is kernel or userland impacted?

                • sickofparadox 18 hours ago

                  OP mentioned later in the thread that macOS is supposedly impacted as well, so if it's some underlying system I'd imagine de-GNU'd Linux is affected also.

              • Am4TIfIsER0ppos 18 hours ago

                I wonder if it is genuine or theoretical like Spectre and Meltdown.

                • 7bit 15 hours ago

                  > Wonder how bad this is.

                  One of the worst in history!

                • imhoguy 12 hours ago

                  Someone supposedly has reviewed the report and scores it 6.3, they say 9.9 is overblown to bring attention to fix the issue promptly https://slashdot.org/comments.pl?sid=23466721&cid=64817845

                  • seanieb 9 hours ago

                    "You're probably not vulnerable to the CUPS CVE" https://xeiaso.net/notes/2024/cups-cve/

                      • red-iron-pine 14 hours ago

                        still being discussed as of right now. might be a thing, but may also be hype.

                        if it is indeed a thing then keeping it close to the chest is wise until RH, Canonical, etc. can start releasing patches.

                        • jamwil 17 hours ago

                          Announced… where? The tweet has no link and no context.

                          • vsean 15 hours ago

                            The post is by the guy that discovered and reported the vulnerability.

                          • bshipp 12 hours ago

                            https://gist.github.com/stong/c8847ef27910ae344a7b5408d9840e...

                            Original report

                            Affected Vendor:

                              - OpenPrinting 
                            
                            Affected Product

                              - Several components of the CUPS printing system: cups-browsed, libppd, libcupsfilters and cups-filters.
                            
                            Affected Version

                              - All versions <= 2.0.1 (latest release) and master.
                            
                            Significant ICS/OT impact?

                              - no
                            
                            Reporter

                              - Simone Margaritelli [evilsocket@gmail.com]
                            
                            Vendor contacted?

                              - yes. The vendor has been notified through GitHub Advisories and all bugs have been confirmed:
                            
                            - https://github.com/OpenPrinting/cups-browsed/security/adviso...

                            - https://github.com/OpenPrinting/libcupsfilters/security/advi...

                            - https://github.com/OpenPrinting/libppd/security/advisories/G...

                            - https://github.com/OpenPrinting/cups-filters/security/adviso...

                            I'm also in contact with the Canonical security team about these issues.

                            Description

                              - The vulnerability affects many GNU/Linux distributions:
                            
                            [https://pkgs.org/download/cups-browsed]

                            Google ChromeOS:

                            https://chromium.googlesource.com/chromiumos/overlays/chromi...

                            Most BSDs:

                            https://man.freebsd.org/cgi/man.cgi?query=cups-browsed.conf&...

                            And possibly more.

                            <snip>

                            • bshipp 12 hours ago

                              How does an attacker exploit this vulnerability?

                                - An attacker can exploit this vulnerability if it can connect to the host via UDP port 631, which is by default bound to INADDR_ANY, in which case the attack can be entirely remote, or if it's on the same network of the target, by using mDNS advertisements.
                              
                              What does an attacker gain by exploiting this vulnerability?

                                - Remote execution of arbitrary commands when a print job is sent to the system printer.
                              
                              How was the vulnerability discovered?

                                - A lot of curiosity (when I noticed the \*:631 UDP bind I was like "wtf is this?!" and went down a rabbit hole ...) and good old source code auditing.
                              
                              Is this vulnerability publicly known?

                                - No, the bugs are not known and the FoomaticRIPCommandLine vulnerability is known to be already patched (it isn't).
                              
                              Is there evidence that this vulnerability is being actively exploited?

                                - Not to the best of my knowledge.
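
Added example, not part of the thread or of the quoted report: a defender-side check for the exposure the report describes, a UDP socket on port 631 bound to INADDR_ANY. It parses text in the Linux `/proc/net/udp` format; the sample table is constructed, the function names are hypothetical, and a little-endian host is assumed.

```python
"""Flag UDP sockets on port 631 and classify the address they are bound to."""
import ipaddress
from pathlib import Path

IPP_PORT = 631  # UDP port named in the report

# Constructed sample in /proc/net/udp format (not captured from a real host).
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  101: 00000000:0277 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 20001 2 0000000000000000 0
  102: 0100007F:0277 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 20002 2 0000000000000000 0
  103: 00000000:14E9 00000000:0000 07 00000000:00000000 00:00000000 00000000   110        0 20003 2 0000000000000000 0
"""


def decode_addr(hex_addr):
    """Decode the kernel's hex address (IPv4: 8 hex chars, IPv6: 32)."""
    raw = bytes.fromhex(hex_addr)
    # Each 32-bit word is printed in host byte order; assumption: little-endian.
    fixed = b"".join(raw[i:i + 4][::-1] for i in range(0, len(raw), 4))
    return ipaddress.ip_address(fixed)


def find_exposed(proc_text, port=IPP_PORT):
    """Return [(address, scope)] for every UDP socket bound to `port`."""
    findings = []
    for line in proc_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 2 or ":" not in fields[1]:
            continue
        hex_addr, hex_port = fields[1].rsplit(":", 1)
        if int(hex_port, 16) != port:
            continue
        addr = decode_addr(hex_addr)
        if addr.is_unspecified:
            scope = "wildcard"  # INADDR_ANY / :: , reachable on every interface
        elif addr.is_loopback:
            scope = "loopback"
        else:
            scope = "specific"
        findings.append((str(addr), scope))
    return findings


if __name__ == "__main__":
    # Use the live tables when present, otherwise the constructed sample.
    paths = [p for p in (Path("/proc/net/udp"), Path("/proc/net/udp6")) if p.exists()]
    texts = [p.read_text() for p in paths] or [SAMPLE_PROC_NET_UDP]
    for text in texts:
        for addr, scope in find_exposed(text):
            print(f"udp/{IPP_PORT} bound to {addr} ({scope})")
```

A `wildcard` result only shows that something is listening on every interface; whether it is reachable from outside still depends on the host and network firewall.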