I had a moment of actual laughter.
I was expecting a kernel issue handling networking connections or SSH or who the fuck knows but... cups?
Printers, they ruin everything.
this post was submitted on 26 Sep 2024
81 points (100.0% liked)
Linux
1259 readers
62 users here now
From Wikipedia, the free encyclopedia
Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).
Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.
Rules
- Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
- No misinformation
- No NSFW content
- No hate speech, bigotry, etc
Related Communities
Community icon by Alpár-Etele Méder, licensed under CC BY 3.0
founded 5 years ago
MODERATORS
Loads of complex code exposed to an assumed trusted network is the model of printers. They’re going to be full of security issues.
This stuff should be sandboxed and then never, ever exposed to the Internet.
I'm always befuddled how these things end up public on the internet. (I'm not really.)
Like, it's not like the printer is the one poking holes in your firewall while you sleep.*
*If it is, then you should feel great shame, throw away anything more complicated than a pair of dull scissors, and get a job digging holes then filling them back in.
the reporter is a real asshat, judging by their twitter.
first:
then, later:
Yep. Also claimed "it affects all GNU/Linux" while it only really does CUPS and so on.
Just alone full disclosure is a shit thing to do. Do not even mention the part where it was intended as a responsible disclosure.
Ya I was worried this was going to affect something like OpenWRT and a lot of shit was about to get fucked over. CUPS? 99.9% of people are gonna have that port closed on their router. Sure this is important to fix but a 9.9? Nah
Remember when printers were connected by a USB cable?
Also, sudo ss -tunlp to see what ports are listening on your system and which applications/services use them. (Linux)
ss -K closes dead ports
If you didn't explicitly open a port, ask why it needs to be open (listening). (25, 22, 67, 53,5353)
Make sure what you did open is opened at the right addresses. Ie localhost, 0.0.0.0, 127.0.0.1, etc for the purpose.
Use a firewall and block ALL incoming traffic.
The Firewall will not help you in this case
Looks like a number of patches are landing in Ubuntu to address this: https://bugs.launchpad.net/ubuntu/+source/cups/+bug/2082335
Update: CUPS Remote Code Execution Vulnerability Fix Available
So if Cups is properly sandboxes this is less of an issue? Still not good but not show stopping
I don't think this is 9.9 worthly
Update:
You can use this to get a shell as the lp service user
Good news, it's not a 9.9. https://www.redhat.com/en/blog/red-hat-response-openprinting-cups-vulnerabilities
It is still 9.9
Not according to RedHat, who I trust a hell of a lot more than a Phoronix article that cites a blog post.
CVE-2024-47176 cups-browsed (7.5)
CVE-2024-47076 cups-filter libcupsfilters (8.2)
CVE-2024-47175 libppd cups cups-filter (7.7)
CVE-2024-47177 cups-filters foomatic (6.1)
Cups-browsed-eez nutz!
You have to make yourself so vulnerable to be affected
This is a big nothingburger because it doesn't have a cute name, a marketing campaign, or a silly logo. /s
Hmm, never had cups-browsed enabled as I do not need network printing with LDAP or legacy cups. Discovery using DNS-SD/mDNS and driverless printing work perfectly fine without it.
I am not sure if the driverless discovery ever can generate a PPD with arbitrary commands.