TheaterFire

Severe Unauthenticated RCE Flaw (CVSS 9.9) in GNU/Linux Systems Awaiting Full Disclosure

Posted by suprjami@reddit | linux | View on Reddit | 95 comments


95 Comments

Good-Entrance-2967@reddit

If only Linux was rewritten in Rust. Majority of these CVEs (including potentially many others that just aren't disclosed yet) wouldn't even exist
View on Reddit #36817113

Kurgan_IT@reddit

No one knows anything about this, I really HOPE it's in something not critical like ipv6, so I can just disable it and go on, otherwise I'm so fucked...
View on Reddit #36409400

Jertzukka@reddit

Not IPv6, the author said so.
View on Reddit #36424390

Kurgan_IT@reddit

This makes me feel like I have to cry
View on Reddit #36428671

wademealing@reddit

I'll save you some tears, assuming the stated vendors did agree to the score. The C:L I:H A:L: Confidentiality, so they can log in as 'some user', aka not root. Integrity: so they can modify anything as that user. Availability: they can probably shut down whatever daemon / vector they abuse, but whatever it is it isn't kernel. So it's likely some kind of daemon, it's probably something like multicast DNS or some desktop application listening on a socket. This isn't even the worst thing I've seen this week.
View on Reddit #36437914

Kurgan_IT@reddit

If it's just some daemon, I can disable it and survive for the time needed to fix it. Even ssh, no problem, just disable it from outside temporarily or limit it. I am VERY afraid of something like TCP stack because then we are TRULY screwed.
View on Reddit #36440877

gtrash81@reddit

Well, unless it is some basic daemon, like dhcpd or bind9 or stuff like that.
View on Reddit #36445041

wademealing@reddit

Just replying for your sleep. It's cups. RHEL doesn't even ship it as affected by default. I wonder if other distros do.
View on Reddit #36581510

wademealing@reddit

It has the wrong score to be a protocol level CVE, unless this guy scores the rating wrong. I wouldn't lose sleep over this.
View on Reddit #36441141

primalbluewolf@reddit

> I really HOPE it's in something not critical like ipv6,

Speak for yourself!
View on Reddit #36517468

AryabhataHexa@reddit

From the original poster, I saw it rated as critical.
View on Reddit #36478003

AryabhataHexa@reddit

https://youtu.be/8PbTZaWFzf8
View on Reddit #36478112

mrvanez@reddit

This is soooo funny in such a wrong way! :)
View on Reddit #36424544

TheSleepyMachine@reddit

There isn't much code present in systems for 20 years. It is either an extremely common lib, or critical stuff like ssh or network handling. Sooooooooo....
View on Reddit #36418803

DeeBoFour20@reddit

Well that's vague as hell. I feel like they could at least disclose what project has the vulnerability. Is it the kernel? SSH? glibc?
View on Reddit #36425487

eclipseofthebutt@reddit

I read a rumor that it's to do with CUPS.
View on Reddit #36430631

undersquire@reddit

But then it wouldn't affect "all GNU/Linux systems" like the article claims, since not every GNU/Linux system is using CUPS. It would still be a big deal however, and I would think that a CUPS vulnerability would affect macOS and BSDs too right?
View on Reddit #36434515

FormerSlacker@reddit

> since not every GNU/Linux system is using CUPS.

I'm pretty sure every major distro has CUPS installed out of the box? Look at all the vendors tagged in the CVE, even Apple is there and they use CUPS https://pbs.twimg.com/media/GX7YsBqXEAACZa2?format=jpg&name=medium
View on Reddit #36441476

CubicleHermit@reddit

> I'm pretty sure every major distro has CUPS installed out of the box?

Plenty of server-focused distributions don't; CUPS is a dependency (or transitive dependency) of all the major desktop environments, but if you're installing a system that doesn't need a full desktop environment (only headless X, or no GUI at all) unless you're intentionally doing a print server why would you want CUPS?
View on Reddit #36482952

FormerSlacker@reddit

I'm not sure what exactly you're replying to? I said it ships with every major distro out of the box, not every distro permutation that exists. Even on servers it's often installed by default because of print servers, as you mentioned. It's probably one of the most widely installed daemons across all nix variants. BTW it was just disclosed that it is in fact CUPS
View on Reddit #36538446

CubicleHermit@reddit

"Every major distro" is not the same as "every major DESKTOP distro." RHEL, Ubuntu Server and Debian's base system profile are all major distributions. If you install RHEL and don't tell it to install a desktop environment or install Ubuntu server, I'm pretty sure neither one will have CUPS installed, although pulling in pretty much any desktop environment in your kickstart will pull it in. I don't have time to pull a base image to check, but running CUPS on an external-facing system is close to malpractice, and having any ports open from CUPS to the open internet is crazytown.
View on Reddit #36553393

FormerSlacker@reddit

> "Every major distro" is not the same as "every major DESKTOP distro." My brother in christ when I say every major distro on a subreddit where 99% of the content is desktop user centric what exactly did you think I mean? People were speculating it was Cups because of its wide install base across nix*s, (some servers too), turned out it was Cups and here you are being insanely pedantic for some reason
View on Reddit #36556113

CubicleHermit@reddit

I was clarifying my shorter original point, because it didn't seem you got it. And there are also a lot of us here who run Linux as part of our jobs, and that isn't typically on a desktop environment. There are a lot more servers out there on the internet (both physical and even more so virtual) than desktop Linux users, and more embedded Linux systems than either. Some of those do run CUPS, although very few of them should.
View on Reddit #36568941

vertigoacid@reddit

I would argue it's even worse than that. I'd be willing to bet desktop Linux usage isn't even 1% of the total Linux hosts in the world - the market share for desktop vs server are basically a mirror: >95% of web servers are Linux, <5% of desktops are Linux. Coupled with plenty of default cupsd configs, even when you do install it, only binding to localhost rather than 0.0.0.0, this is a big yawn as far as the breadth of the impact IMO.
View on Reddit #36555291

undersquire@reddit

Mainly just desktop systems. I doubt many servers or IoT devices would have CUPS installed and running. Iirc, Debian also does not pre-install CUPS out of the box, although I'm not sure if it does if you chose to install the desktop variant in the installer. FreeBSD doesn't pre-install CUPS. However it definitely could be CUPS given how widely used it is, but I also would think that the vulnerability would not be nearly as devastating since I doubt many people expose CUPS servers publicly to the internet. As someone else mentioned earlier, I also thought it could be something in GNU coreutils or glibc, since the articles all specifically claim "GNU/Linux". Although, given that the vulnerability is claimed to be RCE, I would think it needs to be something specifically with networking or the kernel itself.
View on Reddit #36465349

pppjurac@reddit

I have cupsd on my NUC server (Debian) because it acts as a basic print server for home and has a single inkjet attached. But it is local network only, not open toward the internet and behind a fw.
View on Reddit #36529627

vertigoacid@reddit

Neither does RHEL or derivatives. Even Ubuntu doesn't install CUPS out of the box on a server (it might on a desktop, don't have one handy to look at). If it's in GNU coreutils or glibc, then you're not going to have impact on the BSDs or macOS (they each implement their own libc); CUPS fits. But the number of systems listening on 631 on a public IP, with a custom CUPS configuration to allow unauthenticated traffic from somewhere besides localhost? Well, those are already owned hosts. ASCII art penises are flying out of the attached printer until it's out of paper or ink.
View on Reddit #36480178

BeatTheBet@reddit

Could you be so kind as to link the source of the image? I know you said "vendors tagged in the CVE", but the linked thread says there's no CVE assigned yet, no? (P.S: Excuse my ignorance, I see it comes from X/twitter but I've never used that platform so I don't know if I can somehow back-track from the image link)
View on Reddit #36449233

FormerSlacker@reddit

The dude who reported the bug posted that image in the twitter thread: https://x.com/evilsocket/status/1838222308919365678
View on Reddit #36449482

NatoBoram@reddit

> You’re unable to view this Post because this account owner limits who can view their Posts.
View on Reddit #36466238

BeatTheBet@reddit

I get

> Hmm...this page doesn't exist. Try searching for something else.

But I'll take your word for it that it was posted by "@evilsocket" on X. Thank you.
View on Reddit #36450144

FormerSlacker@reddit

Elon made it so that you have to be signed into twitter to see replies to tweets
View on Reddit #36450608

Phoenix591@reddit

nah the guy who reported the vulnerability put his account in "protected mode" where only followers ( and he has to approve who gets to follow him) can see his posts.
View on Reddit #36453944

pitust@reddit

It's a CVSS 8.8 in CUPS. No idea where they got the 9.9 from, it requires user interaction (the user has to print to a malicious printer) and the printer needs to be on the same network (for DNS-SD autodiscovery to autodiscover the malicious printer).
View on Reddit #36535194

undersquire@reddit

Yeah I just heard it was in CUPS. This will not be nearly as big of a deal as some people are making it out to be.
View on Reddit #36561185

jmcunx@reddit

> I would think that a CUPS vulnerability would affect macOS and BSDs too right?

*BSD defaults to using lpd, not cups. Cups is only installed if you pull in a package that depends upon it (like firefox). I believe most people on *BSD stick with lpd(8) instead of using cups. If only Linux people knew how to write portable code, then things like cups/dbus ... would not end up on BSD.
View on Reddit #36521190

deja_geek@reddit

The author claims all GNU/Linux systems (plus others). So it could also affect BSD and MacOS. CUPS is a common culprit among all three of those "systems", but also SSH
View on Reddit #36478825

michelbarnich@reddit

I mean to affect literally all systems, it would have to be the Kernel, somewhere in the networking stack.
View on Reddit #36435637

xatrekak@reddit

Systemd has a wide enough install base I wouldn't take issue with an article claiming it affected all Linux systems even if it weren't strictly technically true. Also glibc, openssh and a few other near universal core systems and libraries.
View on Reddit #36440755

penguin359@reddit

OpenSSH runs on macOS, BSD, Windows, and others. This seems to be Linux-specific. glibc is not 100% Linux-specific, but close enough that it's an option besides the kernel.
View on Reddit #36463028

xatrekak@reddit

You can have interactions between components that introduce a vulnerability on one OS and not another like in OpenSSH RegreSSHion. This only impacted systems using glibc despite being an OpenSSH specific vulnerability.
View on Reddit #36463502

FormerSlacker@reddit

> since not every GNU/Linux system is using CUPS.

I'm pretty sure every major distro has CUPS installed out of the box?
View on Reddit #36441161

matt_eskes@reddit

Not a rumor. He released early. Confirmed as CUPS
View on Reddit #36567672

EastSignificance9744@reddit

you are him
View on Reddit #36551250

matt_eskes@reddit

CUPS
View on Reddit #36567654

boolshevik@reddit

Such things are supposed to be vague before a patch is published, no? If more info were known then it would narrow down the attack surface for malicious actors to focus on, investigate and potentially find the RCE and exploit it.
View on Reddit #36431533

Far-9947@reddit

This is my guess.
View on Reddit #36484764

djasonpenney@reddit

I understand the dilemma of responsible reporting. This article is annoying as hell because the developers are still working on the mitigation, so no details are available. Sigh.
View on Reddit #36477156

matt_eskes@reddit

This is 6.6 to 7 tops. It’s bad but not THAT bad
View on Reddit #36567609

suprjami@reddit (OP)

It certainly turned out to be over-hyped.
View on Reddit #36567718

matt_eskes@reddit

Yeah I normally don’t get alarmed by CVEs, but this one actually did it to me until I actually saw what it was
View on Reddit #36567771

jerone2@reddit

[https://www.redhat.com/en/blog/red-hat-response-openprinting-cups-vulnerabilities](https://www.redhat.com/en/blog/red-hat-response-openprinting-cups-vulnerabilities)
View on Reddit #36540802

aenae@reddit

> YES: I LOVE hyping the sh1t out of this stuff because apparently sensationalism is the only language that forces these people to fix.

Read: They are hyping it to create buzz (it works) so the vendor actually fixes it. It is probably a bug in CUPS (seeing as Apple (creator of CUPS) was the first vendor on his list and *bsd is affected as well). One line in their (now private) twitter also said that the developers failed to see the big impact, as the computer has to be exposed to the internet. (which they countered with 'terabytes of scans showing a lot of computers with that software exposed to the internet').
View on Reddit #36434640

dynamiteSkunkApe@reddit

> Apple (creator of CUPS)

This is not factually accurate
View on Reddit #36469827

aenae@reddit

Bad choice of words, I meant they currently maintain the cups project.
View on Reddit #36494217

MetaTrombonist@reddit

FWIW, this is also not true. Apple no longer meaningfully contributes to cups. They only do bug fixes. https://www.phoronix.com/news/Apple-No-More-CUPS
View on Reddit #36539883

AnticitizenPrime@reddit

> was the first vendor on his list

The list is alphabetical.
View on Reddit #36516402

SMF67@reddit

CUPS is used for print servers on corporate networks. So while it's not exposed to the public internet, it's still exposed to hundreds of devices that could take advantage of the vuln if even one of them is evil.
View on Reddit #36487689

cyberburrito@reddit

"seeing as Apple (creator of CUPS)" Yes. Apple. Creater of all things. The earth, oxygen, life itself on this planet. CUPS was around long before Apple "created" it.
View on Reddit #36454987

hackingdreams@reddit

> CUPS was around long before Apple "created" it.

The guy who wrote CUPS (Sweet) went to work for Apple about three years after he made it, and worked there for nearly two decades on CUPS and printing in general. They even outright purchased the copyright for CUPS from Sweet in 2007 so they could make a BSD/proprietary version they use in their print server now rather than using the GPL'd code, during the first big wave of "no GPL" at Apple. It's not nearly as outlandish as you claim it to be.
View on Reddit #36462758

finite_turtles@reddit

Defence in depth is a thing. Any org that takes security seriously should not have this exposed to the internet. But they would still be scrambling to see if it is exposed internally as well.
View on Reddit #36458839

kuroimakina@reddit

Oh good. Love to see this. I am very much feeling the sentiment listed in the article of "since no details have been released, people are on edge because they don't have any idea of anything proactive they can do". Like, if there's a service I can disable for a few days that fixes the problem, I'd really love to know. Guess I'll just have to wait with all the other "outsiders" (people involved in the CVE process)
View on Reddit #36421575

ilep@reddit

Remove CUPS, the printer daemon.
View on Reddit #36539249

broknbottle@reddit

[https://github.com/OpenPrinting/cups-browsed/issues/36](https://github.com/OpenPrinting/cups-browsed/issues/36)

[https://gist.github.com/stong/c8847ef27910ae344a7b5408d9840ee1](https://gist.github.com/stong/c8847ef27910ae344a7b5408d9840ee1)

[https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/](https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/)
View on Reddit #36539209

bobbie434343@reddit

Hope it will have a cool evocative and scary name, a web site and a press-kit.
View on Reddit #36496810

FishHikeMountainBike@reddit

DeepInMyCUPS
View on Reddit #36538072

forthelurkin@reddit

Until then, we should all just resume hand-wringing and crying wolf. The sky is falling, after all.
View on Reddit #36504412

bobbie434343@reddit

Absolutely, and this is also the end of Open Source as well.
View on Reddit #36505521

NonStandardUser@reddit

2024 going wild with CVE streaks
View on Reddit #36407787

suprjami@reddit (OP)

https://threadreaderapp.com/thread/1838169889330135132.html
View on Reddit #36409989

NonStandardUser@reddit

Thanks, the twitter link didn't work for me
View on Reddit #36410051

suprjami@reddit (OP)

I refuse to visit actual Twitter :)
View on Reddit #36412272

Grim-Sleeper@reddit

They renamed from Twitter, to Xitter. It's pronounced like pinyin; think of "X" making the "sh" sound.
View on Reddit #36534954

MatchingTurret@reddit

> I refuse to visit actual Twitter :)

But you visit Reddit... ¯\\_(ツ)_/¯
View on Reddit #36412816

the_abortionat0r@reddit

> But you visit Reddit... ¯\\_(ツ)_/¯

Um, do you think the two sites are owned by the same company?...
View on Reddit #36455734

MatchingTurret@reddit

No, of course not. But they are both social media, so I don't see much of a difference.
View on Reddit #36455939

SealProgrammer@reddit

The communities are very different. As one example, Twitter is mostly right-wing people while Reddit is the opposite, etc.
View on Reddit #36480973

themusicalduck@reddit

Twitter is far worse than Reddit. Absolute cess pool.
View on Reddit #36474851

Standard-Potential-6@reddit

Everyone knows only the social media app they use is the decent one. The others are filthy hives of misinformation run by crooks. Obligatory fuck spez.
View on Reddit #36465090

NatoBoram@reddit

Tried to look at it and

> You're unable to view this Post because this account owner limits who can view their Posts.

Wow, they can go fuck themselves, too!
View on Reddit #36466155

miawgogo@reddit

given the stuff in the thread, they might be getting harassment over it
View on Reddit #36505161

NatoBoram@reddit

Harassment over very important security discoveries?
View on Reddit #36510715

miawgogo@reddit

eeeeh, absolutists have been bad. But also I was unaware of some Domestic Violence stuff he had perpetrated, so he probably locked out of damage control rather than what I suggested
View on Reddit #36534619

DolitehGreat@reddit

Probably why we shouldn't post these on twitter.
View on Reddit #36533000

birds_swim@reddit

Reddit is weird. Not sure why this isn't the most upvoted post on this subreddit.
View on Reddit #36519111

aliendude5300@reddit

Lots of details omitted here. We need more information to take action on this
View on Reddit #36471744

suprjami@reddit (OP)

That's the whole point of a security embargo. Details will be made available with the fix. It isn't fixed yet.
View on Reddit #36471913

aliendude5300@reddit

Sure but they should at least call out which component is affected etc
View on Reddit #36472489

suprjami@reddit (OP)

They absolutely should not. That would result in malicious parties scrambling to try and find the vulnerability before it's fixed, potentially exploiting many many victim systems.
View on Reddit #36478392

pppjurac@reddit

And those bad players might have known that hole exists since a long time ago.
View on Reddit #36491420

suprjami@reddit (OP)

Then there is nothing to lose by keeping it quiet until the fix is ready.
View on Reddit #36493087

the_abortionat0r@reddit

God so much speculation and fanfic. Just wait for the release.
View on Reddit #36456015

pppjurac@reddit

but but but there needs to be drama! Wait for the response; until then, expose only as much of the system as is absolutely needed
View on Reddit #36491373

dynamiteSkunkApe@reddit

I'm just over here waiting for the erotic fanfic
View on Reddit #36469736

sylvester_0@reddit

So I'm guessing whatever it is will be patched before the disclosure and people are going to be watching everything like a hawk over the next few weeks.
View on Reddit #36430171