Closing update: After days of anticipation, what had been billed as a handful of critical unauthenticated remote-code-execution vulnerabilities in all Linux systems was today finally published.
In short, if you are running the Unix printing system CUPS, with cups-browsed installed and enabled, you may be vulnerable to attacks that could result in your computer being commandeered over the network or internet. The attacks require the victim to start a print job. Don't panic.
The bugs were found and privately reported by software developer Simone Margaritelli, who has now openly disclosed the security weaknesses in detail here. This write-up is said to be part one of two or even three, so expect more information in future.
He went public today at 2000 UTC after apparently becoming frustrated with the handling of his vulnerability reports by CUPS developers. No patches are available yet. Public disclosure had previously been expected no later than September 30.
What you need to know for now, according to Margaritelli, is:
- Disable and/or remove the cups-browsed service.
- Update your CUPS installation to pull in security updates if and when they become available.
- Block access to UDP port 631 and consider blocking DNS-SD, too.
- It affects "most" Linux distros, "some" BSDs, possibly Google ChromeOS, Oracle's Solaris, and potentially others, as CUPS is bundled with various distributions to provide printing functionality.
- To exploit this across the internet or a LAN, a miscreant needs to reach your CUPS service on UDP port 631. Hopefully none of you have that facing the public internet. The miscreant also has to wait for you to start a print job.
- If port 631 is not directly reachable, an attacker may be able to spoof zeroconf, mDNS, or DNS-SD advertisements to achieve exploitation. Details of that route will be disclosed later, we're promised.
If you do not have cups-browsed on your system, you're fine. If you don't need CUPS, consider removing it from your computer entirely just to be safe. If you never print anything, you're probably fine as well.
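A quick way to turn the checklist above into a yes/no answer is to look at what is actually bound to UDP 631 and on which address. The following is an added example written for this article, not code from Margaritelli or the CUPS project: it parses the output of `ss -Hlunp` (the sample lines below are constructed, not captured from a real host) and classifies the box as not listening, loopback-only, or reachable from the network. Run `ss -Hlunp` on the host and feed the text to `exposure()`; a wildcard or non-loopback bind by cups-browsed is the case the article is warning about, and the fix is still to stop and remove the service rather than to trust this classification.

```python
"""Added example: classify a host's exposure to the cups-browsed UDP/631 flaw
from `ss -Hlunp` output. Sample data is constructed, not from a real machine."""
import ipaddress
import re

# Constructed sample of `ss -Hlunp` (UDP listeners, header suppressed).
# Assumed column layout: State Recv-Q Send-Q Local:Port Peer:Port Process
SAMPLE_SS = """\
UNCONN 0 0 0.0.0.0:631 0.0.0.0:* users:(("cups-browsed",pid=812,fd=7))
UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=601,fd=13))
UNCONN 0 0 0.0.0.0:5353 0.0.0.0:* users:(("avahi-daemon",pid=702,fd=12))
UNCONN 0 0 [::]:631 [::]:* users:(("cups-browsed",pid=812,fd=8))
"""

# Constructed sample where cups-browsed is bound to loopback only.
SAMPLE_LOOPBACK = """\
UNCONN 0 0 127.0.0.1:631 0.0.0.0:* users:(("cups-browsed",pid=812,fd=7))
"""

# State, two queue counters, local addr:port, peer, optional process name.
LINE_RE = re.compile(
    r'^\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+(?:\s+users:\(\("([^"]+)")?'
)


def udp_listeners(ss_output):
    """Return (address, port, process) tuples parsed from `ss -Hlunp` text."""
    found = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not a listener row
        addr, port, proc = m.group(1), int(m.group(2)), m.group(3) or ""
        # Drop IPv6 brackets and any %scope suffix so ipaddress can parse it.
        addr = addr.strip("[]").split("%")[0]
        found.append((addr, port, proc))
    return found


def accepts_remote_traffic(addr):
    """True if a bind address can receive datagrams from other hosts."""
    ip = ipaddress.ip_address(addr)
    return ip.is_unspecified or not ip.is_loopback


def exposure(ss_output, port=631):
    """Classify exposure on `port`: ("none"|"local-only"|"network", [processes])."""
    binds = [(a, p) for a, prt, p in udp_listeners(ss_output) if prt == port]
    procs = sorted({p for _, p in binds if p})
    if not binds:
        return ("none", procs)
    if any(accepts_remote_traffic(a) for a, _ in binds):
        return ("network", procs)
    return ("local-only", procs)


if __name__ == "__main__":
    level, procs = exposure(SAMPLE_SS)
    print(f"UDP 631 exposure: {level}; bound by: {', '.join(procs) or 'nothing'}")
```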
How would a vulnerable system be hijacked? “A remote unauthenticated attacker can silently replace existing printers’ (or install new ones) IPP URLs with a malicious one, resulting in arbitrary command execution (on the computer) when a print job is started (from that computer),” says Margaritelli.
Two libraries, one CUPS
Breaking it down further, here are the four bugs Margaritelli has so far publicly documented:
- CVE-2024-47176 in cups-browsed up to version 2.0.1. This listens on UDP port 631, trusts "any packet from any source," and can be made to use that data to fire off an IPP request to an attacker-controlled URL.
- CVE-2024-47076 in libcupsfilters up to version 2.1b1. This does not validate the attributes returned by that IPP request, allowing an attacker to pipe malicious data into the victim's CUPS system.
- CVE-2024-47175 in libppd. This also does not validate those IPP attributes when writing them to a temporary PPD file.
- CVE-2024-47177 in cups-filters up to version 2.0.1. This can execute arbitrary commands from data in a PPD file.
Chaining these together, you could send a packet to UDP port 631 on a vulnerable target, make that computer reach out to a server you control, have that server feed a payload of commands as attribute data for the target to write into a temporary PPD file, and then, when the user starts a print job, trigger execution of those commands from that file.
Neat, and we can see how this could, just could, ruin an office or lab worker's day, but it's generally not Earth-shattering. Margaritelli has confirmed user interaction by the victim is required (they need to start a print job) and has hinted that a buffer overflow may make it possible to start that job remotely, but so far that has not been disclosed or developed into an exploit. Margaritelli also spoke of other bugs as yet unrevealed.
Take all of the above and judge for yourself how at-risk you are, and what steps to take. Us vultures simply removed cups-browsed from our Linux boxes. Margaritelli reckons there are a few hundred thousand at-risk devices on the public internet.
He had previously complained in a social media thread that his bug reports weren't being taken seriously enough, and decided to go fully public after feeling he was hitting resistance from fellow developers. He warned he would tell all about a vendor-rated 9.9-out-of-10 CVSS severity hole in Linux.
It now appears an engineer at IBM's Red Hat had reckoned at least one of the bugs was a 9.9 – making it a doomsday flaw – though given the user interaction needed, we think the exploit chain should be considered less than extremely serious. In his write-up today, Margaritelli said he too thinks 9.9 is just too high.
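The first link in that chain is cups-browsed accepting an announcement from anyone and then contacting whatever URL it names. The following is an added example for this article, not Margaritelli's code and not the cups-browsed implementation: a small triage check you could run over captured UDP 631 datagrams (from a packet capture or a honeypot listener) to flag announcements that point the host at a printer URL it has no business trusting. It assumes the legacy CUPS browse announcement shape `<type-hex> <state> <printer-uri> "<location>" "<info>" "<make-and-model>"`, and it assumes an office LAN of `192.168.1.0/24` as the trusted range (`TRUSTED_NETS`); every sample datagram below is constructed. It is a detection aid, not a fix: the article's advice to remove cups-browsed still stands.

```python
"""Added example: flag UDP/631 browse announcements that would make cups-browsed
contact an untrusted printer URL. Packet format and trusted range are assumptions;
all sample datagrams are constructed."""
import ipaddress
import shlex
from urllib.parse import urlsplit

# Assumption: the local office network. Anything else is treated as untrusted.
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# Constructed sample datagrams (assumed legacy browse format).
BENIGN_PACKET = (
    b'3 3 ipp://192.168.1.20:631/printers/office "Floor 2" "Office MFP" "Acme LaserJet"\n'
)
# Announcement from outside the LAN pointing at a non-IPP web server.
SUSPECT_PACKET = b'3 3 http://203.0.113.5:8080/printers/x "" "" ""\n'
# Announcement from a LAN host whose URL points somewhere else entirely.
REDIRECT_PACKET = b'3 3 ipp://203.0.113.5/printers/x "" "" ""\n'


def parse_browse_packet(data):
    """Split a browse datagram into fields. Raises ValueError if malformed."""
    text = data.decode("ascii", errors="strict").strip()
    fields = shlex.split(text)  # keeps the quoted location/info/model strings whole
    if len(fields) < 3:
        raise ValueError("too few fields")
    return {
        "type": int(fields[0], 16),  # assumed: printer type as hex
        "state": int(fields[1]),
        "uri": fields[2],
        "extra": fields[3:],
    }


def assess(packet, sender_ip, trusted_nets=TRUSTED_NETS):
    """Return the reasons an announcement should not be trusted ([] if none)."""
    reasons = []
    try:
        parsed = parse_browse_packet(packet)
    except (ValueError, UnicodeDecodeError) as exc:
        return [f"malformed packet: {exc}"]

    uri = urlsplit(parsed["uri"])
    if uri.scheme not in ("ipp", "ipps"):
        reasons.append(f"unexpected scheme {uri.scheme!r}")

    sender = ipaddress.ip_address(sender_ip)
    try:
        host_ip = ipaddress.ip_address(uri.hostname or "")
    except ValueError:
        # A hostname cannot be checked against the source without resolving it,
        # which we deliberately do not do here; treat it as unverifiable.
        reasons.append(f"uri host {uri.hostname!r} is not an IP literal")
        return reasons

    if host_ip != sender:
        reasons.append("uri host differs from packet source (possible redirection)")
    if not any(host_ip in net for net in trusted_nets):
        reasons.append("uri host outside trusted networks")
    if not any(sender in net for net in trusted_nets):
        reasons.append("packet source outside trusted networks")
    return reasons


if __name__ == "__main__":
    for name, pkt, src in [
        ("benign", BENIGN_PACKET, "192.168.1.20"),
        ("suspect", SUSPECT_PACKET, "203.0.113.5"),
        ("redirect", REDIRECT_PACKET, "192.168.1.50"),
    ]:
        print(name, assess(pkt, src) or "ok")
```

The check is deliberately conservative: a URL host that is not an IP literal is reported rather than resolved, because resolving it would itself be an outbound request to whatever the announcement names, which is the behaviour being flagged.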
“Impact-wise I wouldn’t classify it as a 9.9, but then again, what the hell do I know?” he wrote.
Before today's disclosure, watchTowr CEO and founder Benjamin Harris opined that this is "not the watershed moment it has been made out to be."
Once we all learned more about the CUPS issues, he advised organizations to "immediately determine their exposure before they are forced to respond to an inevitable breach/cyber security incident," but also noted that "the vulnerability impacts less than a single-digit percentage of all deployed internet-facing Linux systems."
"I continue to strongly believe that rapid reaction to emerging threats like this is one of the most powerful capabilities security teams should be leveraging and arming themselves with to prevent security breaches," he told The Register.
“Now that the information about these vulnerabilities is public, the ‘bad guys’ will certainly be weaponizing this vulnerability to gain access to vulnerable systems.”
My CUPS over runneth
In addition to exposing these vulnerabilities, Margaritelli's write-up also highlighted flaws in the bug-reporting process, Sonatype CTO Brian Fox told The Register. Notably, someone was able to leak Margaritelli's private disclosures to CERT VINCE, intended for vendors, to a cyber-crime forum, where they were shared on Tuesday.
"The details of this report were leaked publicly, forcing a rushed disclosure instead of an orderly path and rollout process," Fox added, noting that Margaritelli had earlier raised the alarm about a leak.
"We should strive to make vulnerability disclosures more like hurricane warnings — providing timely and actionable information — and less like unexpected tornadoes that leave no time for preparation," he said. "While these disclosures might sometimes seem exaggerated, it's far better to be forewarned and ready than to be caught off guard by an unforeseen 'tornado' of security breaches." ®
Editor's note: Following disclosure of the bugs at 2000 UTC, September 26, this article was rewritten from this version to this one at 2050 UTC in light of the new information. It was then further revised at 0035 UTC, September 27, to this latest version.