this post was submitted on 27 Sep 2024
37 points (100.0% liked)

Linux

4996 readers
91 users here now

A community for everything relating to the linux operating system

Also check out !linux_memes@programming.dev

Original icon base courtesy of lewing@isc.tamu.edu and The GIMP

founded 1 year ago
MODERATORS
Ategon@programming.dev
anzo@programming.dev
dwraf_of_ignorance@programming.dev
37
Critical Unauthenticated RCE Flaws in CUPS Printing Systems (blog.qualys.com)
submitted 1 day ago by Toes@ani.social to c/linux@programming.dev
8 comments fedilink hide all child comments
 

cross-posted from: https://ani.social/post/6217644

top 8 comments
sorted by: hot top controversial new old
[–] mox@lemmy.sdf.org 2 points 1 day ago* (last edited 1 day ago)

Either of these commands will reveal processes listening on the port that's vulnerable by default:

$ sudo lsof -i :631

$ sudo fuser -v 631/tcp 631/udp

The wording of this post gives me the impression that it could exploited even if you don't have any such processes, if your system contacts a malicious or compromised print server. I would avoid browsing or using printers on unsafe networks until this is patched.

The port 631 process just makes it worse, by allowing someone else to initiate that contact remotely.

[–] runeko@programming.dev 3 points 1 day ago (3 children)

So CUPS has to be installed and port 631 exposed for this to be an issue?

[–] mox@lemmy.sdf.org 1 points 1 day ago

Based on this...

Exploitation involves sending a malicious UDP packet to port 631 on the target, directing it to an attacker-controlled IPP server. The system’s cups-browsed service then connects back, fetching printer attributes, which include malicious PPD directives. When a print job starts, these directives execute, allowing the attacker’s code to run on the target system.

...it seems the exploit can be triggered either remotely through your CUPS instance listening on port 631, or locally by interacting with a malicious/compromised print server.

So if I understand correctly, shutting down that port wouldn't be enough by itself. You would also have to keep your system from initiating contact with such a server, such as by using a public printer, or conceivably even just browsing printers at a cafe/business/school. I haven't read the exploit details, so I don't know which interactions are safe, if any.

[–] lemmyng@lemmy.ca 3 points 1 day ago (1 children)

CUPS is installed on the majority of desktop systems. One of the listed CVEs indicates that port 631 is by default open to the local network, so if you connect to any shared network (public WiFi, work/school network, even your home network if another compromised device gets connected to it) you're exposed. Or a browser flaw or other vulnerability could be exploited to forward a packet to that port.

In other words: While access to port 631 is required first, the severity of the vulnerability lies in how damn easy it is to take over a system after that. And the system can be re-compromised any time you print something, making this a persistent vector.

[–] runeko@programming.dev 2 points 1 day ago

Gotcha CUPS installed by default + no firewall by default = really not great.

[–] curbstickle@lemmy.dbzer0.com 0 points 1 day ago (1 children)

Yes.

Its nowhere near the risk that was claimed.

[–] Toes@ani.social 4 points 1 day ago (1 children)

Basically an unauthenticated perl interpreter with root open to the network by default in most configurations across a couple decades.

It's about as bad as it can be?

[–] curbstickle@lemmy.dbzer0.com 4 points 1 day ago

Compared to the original claim that it was kernel level and spread across literally everything?

No, no its not as bad as it was originally claimed.

Is it bad? Yes. Is it kernel level bad? No. It can easily be mitigated before a fix is out by blocking 631 and dns-sd traffic. It is not as bad as it was claimed to be.