
Subject: Re: 9.9/10 security vulnerability affecting Linux (and others) set to be revealed on October 6th
From: CrudeSausage
Newsgroups: comp.os.linux.advocacy
Organization: usenet-news.net
Date: Fri, 27 Sep 2024 12:40 UTC
Path: eternal-september.org!news.eternal-september.org!feeder3.eternal-september.org!2.eu.feeder.erje.net!feeder.erje.net!feeder1.feed.ams11.usenet.farm!feed.usenet.farm!peer02.ams4!peer.am4.highwinds-media.com!peer01.iad!feed-me.highwinds-media.com!news.highwinds-media.com!fx15.iad.POSTED!not-for-mail
MIME-Version: 1.0
User-Agent: Betterbird (Windows)
References: <2O1JO.214184$FzW1.145017@fx14.iad> <vd2mdm$1ue8$1@dont-email.me>
<alcJO.194436$kxD8.182014@fx11.iad> <vd5bkk$jdi1$1@dont-email.me>
Content-Language: en-US
From: crude@sausa.ge (CrudeSausage)
In-Reply-To: <vd5bkk$jdi1$1@dont-email.me>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Lines: 189
Message-ID: <cJxJO.172505$1m96.122070@fx15.iad>
X-Complaints-To: abuse@usenet-news.net
NNTP-Posting-Date: Fri, 27 Sep 2024 12:40:40 UTC
Date: Fri, 27 Sep 2024 08:40:40 -0400
X-Received-Bytes: 9808

On 2024-09-27 12:17 a.m., RonB wrote:
> On 2024-09-26, CrudeSausage <crude@sausa.ge> wrote:
>> On 2024-09-26 12:03 a.m., RonB wrote:
>>> On 2024-09-26, CrudeSausage <crude@sausa.ge> wrote:
>>>> Worse than Heartbleed, Meltdown or Spectre. According to a GitHub
>>>> developer:
>>>>
>>>> "From a generic security point of view, a whole Linux system as it is
>>>> nowadays is just an endless and hopeless mess of security holes waiting
>>>> to be exploited." (kind of like Chris Ahlstrom's body)
>>>>
>>>> <https://cybersecuritynews.com/critical-unauthenticated-rce-flaw/>
>>>
>>> Yet another "catastrophic" Linux security threat that will be fixed within
>>> days.
>>
>> They're working on it and so far coming up with no way of fixing it. I
>> wouldn't be surprised if there is no solution by October 6th. If that is
>> the case, you just know that bad actors will be attacking Linux
>> relentlessly from October 7th on. This looks like the real deal. 9.9/10
>> is pretty serious when you consider that the aforementioned issues were
>> rated between 5 and 7 on 10.
>>
>>> You realize that Cyber Security News makes their case for existence by
>>> hyperventilating about potential "catastrophic" security threats, right?
>>
>> Perhaps, but the developers on GitHub have been freaking out as well to
>> a point that Lunduke felt it necessary to bring this problem to light.
>> Those developers are usually arrogant about their ability to fix such
>> issues, not this time.
>
> Interestingly enough, since this works through the CUPS system on Unix-based
> machines, this also affects MacOS. Odd Cyber Security News didn't mention
> that little factlet.
>
> Summary
>
> The first of a series of blog posts has been published detailing a
> vulnerability in the Common Unix Printing System (CUPS), which
> purportedly allows attackers to gain remote access to UNIX-based systems.
> The vulnerability, which affects various UNIX-based operating systems,
> can be exploited by sending a specially crafted HTTP request to the CUPS
> service.
>
> Threat Topography
>
> Threat Type: Remote code execution vulnerability in CUPS service
>
> Industries Impacted: UNIX-based systems across various industries,
> including but not limited to, finance, healthcare, and government
>
> Geolocation: Global, with potential impact on UNIX-based systems
> worldwide
>
> Environment Impact: High severity, allowing attackers to gain remote
> access and execute arbitrary code on vulnerable systems
>
> Overview
>
> X-Force Incident Command is monitoring what claims to be the first in a
> series of blog posts from security researcher, Simone Margaritelli,
> detailing a vulnerability in the Common Unix Printing System (CUPS),
> which purportedly can be exploited by sending a specially crafted HTTP
> request to the CUPS service. The vulnerability affects various UNIX-based
> operating systems, including but not limited to, Linux and macOS. The
> vulnerability can be exploited to gain remote access to affected systems,
> allowing attackers to execute arbitrary code and potentially gain
> elevated privileges. X-Force is investigating the disclosure and
> monitoring for exploitation. We will continue to monitor this situation
> and provide updates as available.
>
> Key Findings
>
> The vulnerability affects various UNIX-based operating systems,
> including but not limited to, Linux and macOS
>
> All versions of Red Hat Enterprise Linux (RHEL) are affected, but are
> not vulnerable in their default configurations.
>
> The vulnerability can be exploited by sending a specially crafted HTTP
> request to the CUPS service
>
> The vulnerability allows attackers to gain remote access to affected
> systems and execute arbitrary code
>
> The vulnerability has been identified as high severity, with potential
> for significant impact on affected organizations
>
> Mitigations/Recommendations
>
> Disable the CUPS service or restrict access to the CUPS web interface
>
> In case your system can’t be updated and you rely on this service,
> block all traffic to UDP port 631 and possibly all DNS-SD traffic
> (does not apply to zeroconf)
>
> Implement additional security measures, such as network segmentation
> and access controls, to limit the spread of the vulnerability
>
> Conduct thorough vulnerability assessments and penetration testing to
> identify and remediate any other potential vulnerabilities
>
> Implement robust incident response and disaster recovery plans to
> mitigate the impact of a potential breach
>
> https://securityintelligence.com/news/fysa-critical-rce-flaw-in-gnu-linux-systems/
>
> And this...
>
> That doomsday critical Linux bug: It's CUPS. May lead to remote hijacking
> of devices
>
> No patches yet, can be mitigated, requires user interaction
>
> Thu 26 Sep 2024 // 17:34 UTC
>
> Final update After days of anticipation, what was billed as one or more
> critical unauthenticated remote-code execution vulnerabilities in all
> Linux systems was today finally revealed.
>
> In short, if you're running the Unix printing system CUPS, with
> cups-browsed present and enabled, you may be vulnerable to attacks that
> could lead to your computer being commandeered over the network or
> internet. The attacks require the victim to start a print job. Do not be
> afraid.
>
> The bugs were found and privately reported by software developer Simone
> Margaritelli who has now openly disclosed the security weaknesses in
> detail here. This write-up is said to be part one of two or maybe three,
> so expect more info at some point.
>
> He went public today at 2000 UTC after seemingly becoming frustrated with
> the handling of his vulnerability reports by CUPS developers. No patches
> are available yet. Public disclosure was previously expected to be no
> later than September 30.
>
> What you need to know for now, according to Margaritelli, is:
>
> Disable and/or remove the cups-browsed service.
>
> Update your CUPS installation to bring in security updates if or when
> available.
>
> Block access to UDP port 631 and consider blocking off DNS-SD, too.
>
> It affects "most" Linux distros, "some" BSDs, possibly Google ChromeOS,
> Oracle's Solaris, and potentially others, as CUPS is bundled with
> various distributions to provide printing functionality.
>
> To exploit this across the internet or LAN, a miscreant needs to reach
> your CUPS service on UDP port 631. Hopefully none of you have that
> facing the public internet. The miscreant also has to wait for you to
> start a print job.
>
> If port 631 isn't directly reachable, an attacker may be able to spoof
> zeroconf, mDNS, or DNS-SD advertisements to achieve exploitation.
> Details of that path will be disclosed later, we're promised.
>
> If you don't have cups-browsed on your system, you're good. If you don't
> need CUPS, consider removing it all from your computer just to be safe. If
> you never print anything, you're probably also good.
>
> How would a vulnerable system be hijacked? "A remote unauthenticated
> attacker can silently replace existing printers’ (or install new ones) IPP
> URLs with a malicious one, resulting in arbitrary command execution (on
> the computer) when a print job is started (from that computer)," says
> Margaritelli.
>
> https://www.theregister.com/2024/09/26/cups_linux_rce_disclosed/
>
> Not only Macs, but possibly Chromebooks.
>
> I disabled cups-browsed. Guess I'm good. Doomsday averted.

MacOS was mentioned by Lunduke, but he also pointed out that he wasn't
sure if it affected them. He did mention that ChromeOS was affected. As
far as I can tell, fixing the problem will also require a user who needs
to print to return to the Stone Age in terms of configuration. I assume
that plugging the printer directly to the computer will not be
considered insecure, but any kind of automated network connectivity is
going to be a problem.

Either way, this is serious and Linux users shouldn't casually dismiss
this. It should also be noted that this is just one of the many such
problems that are going to arise in the future.

--
CrudeSausage
Catholic, paleoconservative, Christ is king
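Both articles quoted in the reply boil the mitigation down to the same three checks: is cups-browsed running, is UDP 631 reachable from beyond the loopback interface, and have the CUPS packages been updated. The script below is an added example, not code from the thread, from IBM X-Force, The Register or the CUPS project. It classifies `ss -lun`-style listener lines to flag UDP 631 bound to a non-loopback address, checks a process list for cups-browsed, and prints (never executes) the mitigation commands. The sample `ss` and `ps` output is constructed for the demonstration, and the printed commands assume systemd, ufw and a Debian-style package manager, which is the example's assumption rather than anything the articles state.

```shell
#!/bin/sh
# Added example, not code from the thread or from the CUPS project: a small
# defender-side triage helper for the cups-browsed exposure discussed above.
# It classifies "ss -lun" style listener lines to spot UDP 631 bound to a
# non-loopback address, checks a process list for cups-browsed, and prints the
# mitigation commands the quoted articles recommend (printed, never executed).
# The sample ss/ps output at the bottom is constructed for the demonstration.

# Return 0 (true) when a UDP socket on port 631 is bound to something other
# than loopback, i.e. reachable from the LAN or beyond. Reads "ss -lun" output
# on stdin; the local address is whichever field ends in ":631".
udp631_exposed() {
    awk '
        NR == 1 && $1 == "State" { next }             # skip the column header
        {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /:631$/) {
                    addr = $i
                    sub(/:631$/, "", addr)
                    # 127.x.x.x and [::1] are local only; anything else is exposed
                    if (addr !~ /^127\./ && addr != "[::1]") found = 1
                }
            }
        }
        END { exit (found ? 0 : 1) }
    '
}

# Return 0 when cups-browsed appears in a process list read from stdin
# (for example the output of "ps -eo comm=").
cups_browsed_running() {
    grep -q '^cups-browsed$'
}

# Print the mitigations from the quoted advisories as commands to review.
# Assumes systemd, ufw and apt (the example's assumption, not the articles');
# adjust for your distribution's service manager, firewall and packaging.
mitigation_commands() {
    printf '%s\n' \
        'sudo systemctl disable --now cups-browsed' \
        'sudo ufw deny 631/udp' \
        'sudo apt-get update && sudo apt-get install --only-upgrade cups cups-browsed'
}

# --- demonstration on constructed input -------------------------------------
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0      0      0.0.0.0:631        0.0.0.0:*
UNCONN 0      0      127.0.0.1:5353     0.0.0.0:*'
SAMPLE_PS='systemd
cupsd
cups-browsed
sshd'

if printf '%s\n' "$SAMPLE_SS" | udp631_exposed; then
    echo "UDP 631 is reachable from the network"
fi
if printf '%s\n' "$SAMPLE_PS" | cups_browsed_running; then
    echo "cups-browsed is running; suggested mitigations:"
    mitigation_commands
fi
```

On a live host the two checks become `ss -lun | udp631_exposed` and `ps -eo comm= | cups_browsed_running`; a system that fails neither check (no cups-browsed process, nothing on UDP 631 outside loopback) matches the "you're good" case both articles describe.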
