That doomsday critical Linux bug: It's CUPS. Could lead to remote hijacking of devices
- Reference: 1727372041
- News link: https://www.theregister.co.uk/2024/09/26/unauthenticated_rce_bug_linux/
- Source link:
In short, if you're running the Unix printing system CUPS, including cups-browsed, then you may be vulnerable to attacks that could lead to your computer being commandeered over the network or internet.
The bugs were found and disclosed by software developer [1]Simone Margaritelli who has now openly disclosed the issue in detail [2]here .
[3]
What you need to know for now, according to Margaritelli, is:
Disable and/or remove the cups-browsed service.
Update your CUPS installation to bring in security updates when available.
Block access to UDP port 631 and consider blocking off DNS-SD, too.
It affects "most" Linux distros, "some" BSDs, possibly Google ChromeOS, Oracle's Solaris, and potentially others, as CUPS is pretty widely included in distributions.
To exploit this across the internet or LAN, a miscreant just needs to reach your CUPS service on UDP port 631. Hopefully none of you have that facing the public internet anyway.
If port 631 isn't available, an attacker may be able to spoof zeroconf, mDNS, or DNS-SD advertisements to achieve exploitation. Details of that path will be disclosed later. In fact, more details are promised.
If you don't have CUPS and/or cups-browsed on your system, you're good. If you were already firewalling off CUPS, you're most likely good.
How would a vulnerable system be hijacked? "A remote unauthenticated attacker can silently replace existing printers’ (or install new ones) IPP URLs with a malicious one, resulting in arbitrary command execution (on the computer) when a print job is started (from that computer)," says Margaritelli.
[4]
[5]
Take all that info and decide for yourself how at-risk you are, and what steps to take. Margaritelli reckons there are hundreds of thousands of at-risk devices on the public internet.
He previously complained in a social media [6]thread that his bug reports weren't being taken serious enough, and decided to go fully public after feeling that he was hitting resistance from fellow developers.
[7]
He said the issues he found merited a CVSS severity score of 9.9 out of 10, and said Ubuntu-maker Canonical and IBM's Red Hat had agreed with him on that point. We're awaiting confirmation from both orgs.
"A vulnerability with a 9.9 CVSS indicates a low complexity to exploit and signs are pointing to the flaw existing at the core of the system," Sonatype CTO Brian Fox told The Register prior to today's disclosure.
"Considering this is Linux, the scope of this vulnerability is massive and successful exploitation could be devastating — everything from your Wi-Fi router to the grid keeping the lights on runs on Linux."
[8]
This is now a breaking news story. It was last revised at 2050 UTC following disclosure of the bugs. We will continue to update it as needed. Check back soon.
Get our [9]Tech Resources
[1] https://github.com/evilsocket
[2] https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZvXZgneLwcA8-e6-TE-U9wAAAEw&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZvXZgneLwcA8-e6-TE-U9wAAAEw&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZvXZgneLwcA8-e6-TE-U9wAAAEw&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[6] https://threadreaderapp.com/thread/1838169889330135132.html
[7] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZvXZgneLwcA8-e6-TE-U9wAAAEw&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[8] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZvXZgneLwcA8-e6-TE-U9wAAAEw&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[9] https://whitepapers.theregister.com/
Re: this better be in the kernel
Assuming it is a kernel network thing I have to wonder if such an exploit is mitigated by means of passing the traffic through another device such as a firewall
That's fine for corporate systems, but some sort of network based remote p0wn of Linux that didn't depend on an open port (i.e. OpenSSH/CUPS whatever type exploit) would be a major disaster for home users everywhere. Just about every one of us has some sort of Linux based device that connects their home network to their cable/fiber/whatever provider. If all I need is an IPv4 address to send some sort of magic packet(s) to that p0wns your device, I'm inside your network and other exploits would allow leveraging that for almost anything.
The only way I could imagine a 9.9 would be if this is what it is - a network packet that can p0wn any reachable Linux system even with no ports open and full firewall enabled. But I suspect it is less, and everyone is going to laugh at this single alarmist source who claims a 9.9 if it is something stupid like a CUPS exploit.
The worst thing about such a Linux based attack that allowed p0wn everyone's cable modem and wireless router is that the large majority of that equipment is no longer getting updates, so this would be a "gift that keeps on giving" for years and years.
EDIT: oh and I see below it is CUPS. This is a nothingburger, I hope everyone in the network security business remembers this guy's name and puts him on the "never hire" list, because he's a complete moron getting everyone worked up about something that wouldn't rate a single mention on sites like the Register if it wasn't for this Chicken Little fool.
Re: this better be in the kernel
As mentioned below by @jailbird, it could be a serious vulnerability reported at the same time and by the same person as a 'nothingburger', which if true, would be pretty rotten of him
But I hope you are right, in which case I fully agree with your sentiment
Re: this better be in the kernel
There are a few services that I would accept as included in "every linux system in the past decade" even if they're not the kernel. It wouldn't be literally every system, but if it was something that ran on most of them, I'd still accept it. In that list I might include SSH, iptables (related services rather than the binary that iptables typically refers to), Systemd, or the very common core libraries. If, for example, someone managed to get a bug into glibc which somehow attached to any network stream established by a program that used glibc, then that would be pretty bad even though there are some Linux systems that don't use it. To qualify as every one in the last decade, though, it couldn't have been a recent regression.
CUPS is not in that list.
Re: this better be in the kernel
CUPS was one of the true delights of Capture The Flag games 20 years ago. Great to see it's still delivering.
Maybe time for a rewrite in Rust.
-> Troll face for obvious reasons. I am only half-joking but this seems like logic errors & lack of input sanitisation which Rust wouldn't help much with
Its confirmed to be cups-browsed
The original tweeter `evilsocket` and the repo maintainer are openly discussing it here on github
https://github.com/OpenPrinting/cups-browsed/issues/36
workaround (for now)
systemctl stop cups-browsed
systemctl disable cups-browsed
Re: Its confirmed to be cups-browsed
If it is cups-browsed, then I've got nothing to worry about. It's [N]ot installed. And no server I've ever managed has had it (or cups) installed either. "all GNU/Linux systems (plus others)"? Hardly.
[I] net-print/cups (2.4.7-r2@06/02/24): The Common Unix Printing System
[N] net-print/cups-bjnp (2.0.3-r1): CUPS backend for canon printers using proprietary USB over IP BJNP protocol
[N] net-print/cups-browsed (2.0.0): helper daemon to browse for remote CUPS queues and IPP network printers
[I] net-print/cups-filters (2.0.0-r1@04/06/24): Cups filters
Re: Its confirmed to be cups-browsed
I wonder if this is a separate issue. The cups bug says it is a DoS, while the Tweet for this 9.9 says it's a RCE.
Re: Its confirmed to be cups-browsed
I wonder if this is a separate issue. The cups bug says it is a DoS, while the Tweet for this 9.9 says it's a RCE.
Exactly.
And in the scope of "things that run Linux", the ones running cups-browsed comprise approximately 0%.
A DoS attack on cups-browsed doesn't sound anything at all like what the original tweet is describing.
Re: Its confirmed to be cups-browsed
Pretty sure its cups-browsed - if read the git thread `evilsocket` is annoyed at the git maintainer as some of his recent patches are fixing the main, not ddos, issue.
Here is the commit with part fix to the RCE, checking attribute types are correct.
https://github.com/OpenPrinting/cups/commit/96b3bdf010e78880f5764e5032720379aa1116df
Report to full disclosure in three weeks??
WTF? Even if it could be fixed immediately, we need time to patch it.
What, other than massaging a wannabe supervillain ego and causing global panic, could be his reason for going full disclosure so early?
Icon: I'm sure he'll be listening out for this for the next few hours at least
EDIT: OK, if it's 'just' CUPS-browsed as alluded to above, then he's just overhyping it. Hardly "Every Linux system" as claimed (which would suggest that my router/firewall is probably vulnerable too)
Re: Report to full disclosure in three weeks??
You would be amazed at how many home/soho routers have a print server on them so you can share your USB printer on the network....
Re: Report to full disclosure in three weeks??
Yes although -one would hope- the print server ports are not exposed to the 'WAN' interface.
Re: Report to full disclosure in three weeks??
(AC from above)
Hope indeed.....
WTF is a WiFi router?
I have a router. I have a (Cisco) Wireless LAN Controller. I have WiFi access points. What is a WiFi router, other than a made up thing?
Re: WTF is a WiFi router?
It's a consumer-level device, very popular among the proletariat, which combines these functions into the one device, m'lud.
Re: WTF is a WiFi router?
Oh, to facilitate them in listening to their "popular beat combos"?
Re: WTF is a WiFi router?
I read that in Paul Merton's voice talking to Ian Hislop
I hope that was the intention!
Re: WTF is a WiFi router?
It's a combination of a router/firewall and a WAP. They're very, very common in residential installations.
And lots of them run Linux.
1.) CUPS started in 1999, and yet, not enough eyes.
2.) If this was in windows, we would be asking: What kind of security model allows a userpace program to grant RCE into the sysytem as root? And yet, here we are...
Have you seen the Windows networked-printer driver model? It's roughly as follows:
"Hi, do you have any printers?" > "Yes, here's a list." > "Hmm, I don't seem to have a driver for that one" > "No problem, here's a driver, load it into your kernel" > "Okay"
https://www.theverge.com/2021/7/2/22560435/microsoft-printnightmare-windows-print-spooler-service-vulnerability-exploit-0-day
(note: from 2021)
"Microsoft is warning Windows users about an unpatched critical flaw in the Windows Print Spooler service. The vulnerability, dubbed PrintNightmare, was uncovered earlier this week after security researchers accidentally published a proof-of-concept (PoC) exploit. While Microsoft hasn’t rated the vulnerability, it allows attackers to remotely execute code with system-level privileges, which is as critical and problematic as you can get in Windows."
this CUPS thing is a joke. Here I was worried about things like network switches, storage arrays, firewalls, web servers. My local linux laptop runs cups (though I have no printers), I manage roughly 800 other linux systems at work and not one of them has ever had CUPS installed.
Aye, same boat here - nowt in 'my estate' (some 200 boxes) has CUPS on it.
But it's getting enough press that customers might ask, so it's worth having a read through the blog to get the details.
It's quite an interesting little exploit chain, even if it's not quite as widespread as the dev thinks (possibly overestimating how many systems have CUPS installed - basically all desktops out of the box, but not many servers unless you explicitly choose it/set it up - although cheap routers with USB sharing might be at risk, especially if they have a shitty uPnP implementation...).
It's out there enough in the press that I've scrawled up a quick response to any clients who ask about it, and to advise our desktop linux users to triple check their firewalls are set up in such a way as to effectively defeat any exploits that come out, till it gets patched.
Better safe than sorry, especially as some of them are out and about a bit on public networks etc....
Judging...
If it is truly that serious, and he's getting that much push back from the developer, it must be systemd. But thankfully that doesn't affect every single Linux device, just most of them. The sane systems don't use it.
Re: Judging...
If it is truly that serious, and he's getting that much push back from the developer, it must be systemd. But thankfully that doesn't affect every single Linux device, just most of them.
Nope, most Linux systems don't use systemd. Remeber: most Linux systems are phones. And they don't use systemd.
This on [1]twitter at 19:00 UTC. CUPS is one of Openprinting's projects.
Simone Margaritelli @evilsocket
Mark this. 1 hour to go.
[2]https://openprinting.github.io/codeofconduct/
[1] https://twitter.com/search?q=evilsocket
[2] https://openprinting.github.io/codeofconduct/
Good. So the so-called "doomsday" vulnerability is hopefully just print-server related
In an hour, he'll learn the price of trolling the whole tech sector
Best add Canonical and Red Hat to that list - they're the ones who rated it a 9.9, not the researcher. They're unlikely to apply that to something of such comparatively limited scope.
Suppose we'll find out in
*checks watch*
Five minutes.
As a reminder, Heartbleed was a 7.5...
The issue linked is to one that is public because it appears to be less severe. It mentions other fixes to libcupsfilters and libppd which are not public so are presumably more severe. I am dubious whether these will end up being as severe as the hype makes out.
I suppose we'll find out in 18 minutes.
I do wish El Reg would update the article to add the CUPS link though, as it seems a bit sensational without it, but I suppose we were all too lazy to ping their corrections@ inbox
Full disclosure has been released - its cups-browsed, link in body.
https://gist.github.com/stong/c8847ef27910ae344a7b5408d9840ee1 << disclosure
Released early as the whole world figured out it was cups-browsed.
edit: CVEs
CVE-2024-47176 | cups-browsed <= 2.0.1 binds on UDP INADDR_ANY:631 trusting any packet from any source to trigger a Get-Printer-Attributes IPP request to an attacker controlled URL.
CVE-2024-47076 | libcupsfilters <= 2.1b1 cfGetPrinterAttributes5 does not validate or sanitize the IPP attributes returned from an IPP server, providing attacker controlled data to the rest of the CUPS system.
CVE-2024-47175 | libppd <= 2.1b1 ppdCreatePPDFromIPP2 does not validate or sanitize the IPP attributes when writing them to a temporary PPD file, allowing the injection of attacker controlled data in the resulting PPD.
CVE-2024-47177 | cups-filters <= 2.0.1 foomatic-rip allows arbitrary command execution via the FoomaticRIPCommandLine PPD parameter.
My personal take is whilst thankful for the find, the OP `evilsocket` laid so many breadcrumbs describing the vector and cloning cups-browsed to his repo finding recent commits to cups-browsed became trivial.
https://github.com/OpenPrinting/cups/commit/96b3bdf010e78880f5764e5032720379aa1116dfts
TLDR; browsed lack of sanitizing attributes in IPP - as addressed in the commit above.
```
printer-privacy-policy-uri = [https://www.google.com/"\n*FoomaticRIPComman…|https://www.google.com/%22%5Cn*FoomaticRIPCommandLine]: "echo 1 > /tmp/PWNED"\n*cupsFilter2 : "application/pdf application/vnd.cups-postscript 0 foomatic-rip
```
Re: Full disclosure has been released - its cups-browsed, link in body.
OP writeup
https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/
Re: Full disclosure has been released - its cups-browsed, link in body.
So can't be a doomsday 9.9
Meh.
Unless Drive by 3rd party evil js via browser can work it? If so another reason to by default block all 3rd scripts, Though CloudFlare thinks you are a bot when you do that. Idiots.
Re: Full disclosure has been released - its cups-browsed, link in body.
It's a remote code execution with no authentication. Definitely a 9.9
CVSS base score doesn't care how widespread software is.
Heartbleed was serious and widespread but an information disclosure that in and of itself doesn't offer RCE.
A lot of people here are confused about the scope and utilisation of CVSS base scores.
But yes. There was much hype. Over a serious but not completely ubiquitous issue
Is that all?
There people who enable cups-browsed?
I've never seen it running on any Linux machine I've used during the past 30-odd years.
That's got to be a tiny, tiny percentage of Linux systems. Hardly "affects all Linux systems and distros" as originally claimed.
Re: Is that all?
FWIW I'm using Debian 12.7 right now (desktop Linux FTW) and I not only had cups-browsed installed, I just removed it.
C.
Re: Is that all?
The OP (evilsocket) claims to have seen 300k linux systems with open CUPS ports on the Internet using shodan.io. But how many are real and how many are honeypots, who knows
Re: Is that all?
300K is not a lot in terms of the Internet. Yes, it's a lot of systems, yes it's a problem, but it's a drop in the ocean compared with all Linux systems or the majority of Unix systems.
At least the author has the grace to question the 9.9 rating. 9.9 as it's easily exploited, but only if you're running a service many Unix systems aren't.
Having said that, if you're printing, you're probably using CUPS. I've tried looking at non CUPS solutions for printing and painful doesn't even begin to describe the documentation and moving parts.
Re: Is that all?
Having said that, if you're printing, you're probably using CUPS.
Yes, but you don't need to have cups-browsed running to use CUPS. I've been using CUPS for decades and have never enabled cups-browsed.
Sheesh. Kids these days and their silly auto-magical auto-discovery stuff!
Re: Is that all?
I'd be very surprised if there were within an order of magnitude of 300k honeypots.
Re: Is that all?
My mini-pc home server running Ubuntu had it installed and running. My Raspberry Pis appear not to.
You can't get hacked if you don't have it.
Rocky 8 Desktop default.
cups-browsed.service - Make remote CUPS printers available locally
Loaded: loaded (/usr/lib/systemd/system/cups-browsed.service; disabled; vendor preset: disabled)
Rocky 9 Server not installed by default.
*YAWN*
$ systemctl status cups-browsed
● cups-browsed.service - Make remote CUPS printers available locally
Loaded: loaded (/usr/lib/systemd/system/cups-browsed.service; disabled; vendor preset: disabled)
Active: inactive (dead)
Mountains, molehills ....
... and storms in tea CUPS.
Gotta love Chicken Little syndrome. Selling column-inches since the advent of the red-top.
this better be in the kernel
I saw someone post in another forum speculating that the issue was with CUPS. Since I saw this last night I'm assuming it's somehow a kernel network exploit. If it's anything but that, really this will end up being another super over hyped thing.
Saying "every linux system in the past decade", the only thing those have in common is the various kernels. Obviously not an SSH or Apache, or whatever service exploit. If it does end up being with CUPS then that will be one of the biggest security jokes of the past decade, as only a fraction of 1% of linux systems run CUPS.
so, like others, I await the truth to be revealed. Assuming it is a kernel network thing I have to wonder if such an exploit is mitigated by means of passing the traffic through another device such as a firewall, especially if that firewall is running a kernel that is NOT linux.
I do recall I think in the late 90s there being one or two or more kernel bugs similar to Windows' "ping of death" though it wasn't a RCE, just a system crash...though maybe am remembering wrong.