Exploit of a combination of several bugs - Overhyped but not that severe - Fixes already available

Canonical’s security team has acted immediately to quickly apply the patches which Michael Sweet (author and maintainer of CUPS) had already prepared for CUPS, cups-browsed, libcups-filters, libppd, and cups-filters (in the time from the first report until then I was some days off and I was also on the Open Source Summit Europe, thanks, Michael Sweet, for stepping in, also thanks to Zdenek Dohnal from Red Hat) to the appropriate in all supported Ubuntu versions, so that at the time of disclosure most fixes were already in place. They also reported in an Ubuntu blog. They tell users what to do, from turning off cups-browsed or at least its legacy CUPS browsing support to updating their systems as the fixes were already available. Thanks a lot to Seth Arnold, Marc Deslauriers, Diogo Sousa, Mark Esler, Luci Stanescu, and more.

The X post really overhyped the vulnerability. Attacks from the internet are not very probable due to the fact that servers on the internet do not have cups-browsed and CUPS installed and CUPS/cups-browsed setups are there usually only in NAT-protected local networks with desktop machines and print servers. And the remote code execution is also rather restricted, as CUPS filters are not running as root, but as the system user “lp” which cannot even read user’s home directories. In addition, the remote code execution only happens when a user actually prints a job on the fake printer. Actually assigned scores ended up between 8.4 and 9.1.

  • sweng
    link
    fedilink
    arrow-up
    7
    arrow-down
    1
    ·
    2 months ago

    this will affect almost nobody

    Is that really true? From https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/

    Full disclosure, I’ve been scanning the entire public internet IPv4 ranges several times a day for weeks, sending the UDP packet and logging whatever connected back. And I’ve got back connections from hundreds of thousands of devices, with peaks of 200-300K concurrent devices.

    • Telorand@reddthat.com
      link
      fedilink
      arrow-up
      5
      ·
      2 months ago

      The very next sentence:

      Note that everything that is not Linux has been filtered out [in this filtered list of unique IPs]. That is why I was getting increasingly alarmed during the last few weeks.

      They said they were getting duplicates and non-*nix hits with that 300k number, which doesn’t help them (i.e. the hundreds of thousands of hits was artificially inflated). So yes, the threat is overblown.

      Coupled with the fact that patches are already out, and it’s easily mitigated by closing 631, and I don’t expect this will be much of a problem for most people.

      • sweng
        link
        fedilink
        arrow-up
        2
        ·
        2 months ago

        I’m not sure why you say it’s “artificially” inflated. Non-linux systems are also affected.

        • Telorand@reddthat.com
          link
          fedilink
          arrow-up
          3
          ·
          2 months ago

          How’s that? If I’m running a Windows machine, how would a CUPS exploit affect me?

          I’m not asking maliciously, but I genuinely don’t grasp how that could be a viable attack vector.

          • sweng
            link
            fedilink
            arrow-up
            2
            ·
            2 months ago

            You would be vulnerable on Windows, if you were running CUPS, which you probably are not. But CUPS is not tied to Linux, and is used commonly on e.g. BSDs, and Apple has their own fork for MacOS (have not heard anything about it being vulnerable though).

      • sweng
        link
        fedilink
        arrow-up
        1
        ·
        2 months ago

        Wait, which list of filtered IPs are you even talking about? The list in the article is a list of unique kernel versions, not IPs.