Unauthenticated RCE Flaw With CVSS 9.9 Rating For Linux Systems Affects CUPS

  • Unauthenticated RCE Flaw With CVSS 9.9 Rating For Linux Systems Affects CUPS

    Phoronix: Unauthenticated RCE Flaw With CVSS 9.9 Rating For Linux Systems Affects CUPS

    There's been much speculation since this morning over a reported "severe" unauthenticated remote code execution (RCE) flaw affecting Linux systems that carries a CVSS 9.9.9 score... The embargo has now lifted with the details on this nasty issue...


  • #2
    Ouch.

    Printing always seems like such a struggle for every operating system.



    • #3
      Is the rating legitimized? Not even Spectre (and the likes) were this high to my recollection



      • #4
        Ouch indeed.
        Security hygiene such as using a firewall and disabling unused and/or harmful services such as cups-browsed and avahi-daemon prevents this... but out of the box, many distros for desktop computers don't do that, because usability by normal people who aren't trained security-conscious computer scientists understandably beats security every time.

        EDIT: and boo to upstream which did a poor job reacting to the vulnerability reports, according to the skilled security researcher...
        Last edited by debrouxl; 26 September 2024, 04:54 PM.



        • #5
          Re rating Legitimate: just the fact you can have a root service write attacker-controlled data to a disk file is pretty bad. Then there is the "uncloaking" because the compromised server queries an attacker-controlled ipp-url ("tell me your features, oh newly discovered printer"). The crowning glory is just the entire legacy printer compatibility swamp under foomatic. Seriously. The author's blog quotes an example of a *legitimate* driver that executed a perl-one-liner on each print job for some syntax quirk. And *that* command can be attacker-overridden. "echo pwnd > /etc/passwd" is a real possibility.
          Last edited by Juke1349; 26 September 2024, 04:50 PM. Reason: Autocorrect...



          • #6
            Originally posted by Errinwright
            Is the rating legitimized? Not even Spectre (and the likes) were this high to my recollection
            Yup, that's the appropriate CVSS for an easy to exploit, unauthenticated vulnerability in some code which can run with elevated privileges.

            Vulnerabilities related to speculative execution and various side channels don't get top CVSS because AFAICT, they are basically unexploitable remotely, and some of them aren't that easy to exploit locally. The Rowhammer family, including attacks on stupid low-grade SSDs, isn't always easy to exploit locally either; the remote variant (Nethammer) is even harder to exploit, at least if it still requires higher bandwidth NICs which most computers don't have.
            Last edited by debrouxl; 26 September 2024, 04:56 PM.



            • #7
              assuming the CUPS port is open through your router/firewall
              Can't imagine ever wanting to do that (my printer is networked and I only use CUPS locally to add it for basic printing from the OS)

              The RHEL doc mentioned to check the cups service, which isn't running for me on F41 Beta: sudo systemctl status cups-browsed

              If I understand right, the CUPS browsing service is for adding other printers advertised through CUPS? The service description says the following, but I assume since my printer does its own management (no CUPS) and advertises it for CUPS to pick up (CUPS being the client), I have nothing to be concerned with for this specific RCE?

              ○ cups-browsed.service - Make remote CUPS printers available locally
              I'm curious how this affects distros that require adding printers through CUPS through root; openSUSE are the only ones I know of
              Last edited by Espionage724; 26 September 2024, 05:25 PM.

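A defender-side check for the services named in #4 and the status query in #7, added here as an example and not part of any post in this thread: it reports whether `cups-browsed` and `avahi-daemon` are active or enabled, and classifies how UDP port 631 (the IPP/CUPS port) is bound. It assumes a systemd host with iproute2's `ss`; the sample socket lines are constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). Sample socket lines are constructed.

# Classify UDP/631 bindings from `ss -H -uln` output read on stdin.
# Prints one of: exposed | loopback-only | closed
classify_udp631() {
    awk '
        {
            local_addr = $4                       # column 4 = Local Address:Port
            n = split(local_addr, parts, ":")
            if (parts[n] != "631") next           # last ":" field is the port
            addr = substr(local_addr, 1, length(local_addr) - length(parts[n]) - 1)
            sub(/%.*$/, "", addr)                 # drop interface suffix such as %lo
            if (addr ~ /^127\./ || addr == "[::1]") {
                if (state == "") state = "loopback-only"
            } else {
                state = "exposed"                 # wildcard or routable address
            }
        }
        END { if (state == "") state = "closed"; print state }
    '
}

# Live audit of the current host: service state plus socket binding.
audit_host() {
    for unit in cups-browsed avahi-daemon; do
        printf '%s: active=%s enabled=%s\n' "$unit" \
            "$(systemctl is-active "$unit" 2>/dev/null)" \
            "$(systemctl is-enabled "$unit" 2>/dev/null)"
    done
    printf 'udp/631: %s\n' "$(ss -H -uln | classify_udp631)"
}

# Constructed `ss -H -uln` samples for offline use.
SAMPLE_EXPOSED='UNCONN 0 0 0.0.0.0:631 0.0.0.0:*
UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*'
SAMPLE_LOCAL='UNCONN 0 0 127.0.0.1:631 0.0.0.0:*'

if [ "${1:-}" = "--live" ]; then
    audit_host
else
    printf 'constructed sample: %s\n' \
        "$(printf '%s\n' "$SAMPLE_EXPOSED" | classify_udp631)"
fi
```

Run it with `--live` to audit the local machine; a result of `exposed` with `cups-browsed` active is the combination the mitigation advice in #4 is meant to eliminate.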


              • #8
                no CUPS no pain.
                I never understood why something simple like printers needed a bloated unwieldy networked-by-default mess like cups.

                But I also stopped using printers roughly 10 years ago.



                • #9
                  When I build up a system for my personal use, CUPS is one of the first things expunged. PHEW!!!



                  • #10
                    Originally posted by energyman
                    no CUPS no pain.
                    I never understood why something simple like printers needed a bloated unwieldy networked-by-default mess like cups.
                    Probably you never worked in an office which has a dedicated printer but multiple users. You might be right for home office/home usage, but almost all work environments need it.

