That doomsday critical Linux bug: It's CUPS. May lead to remote hijacking of devices

After days of anticipation, what was billed as one or more critical unauthenticated remote-code execution vulnerabilities in all Linux systems was today finally revealed. In short, if you're running the Unix printing system CUPS, with cups-browsed present and enabled, you may be vulnerable to attacks that could lead to your …

  1. Nate Amsden

    this better be in the kernel

    I saw someone post in another forum speculating that the issue was with CUPS. Since I saw this last night I'm assuming it's somehow a kernel network exploit. If it's anything but that, really this will end up being another super over hyped thing.

    Saying "every linux system in the past decade", the only thing those have in common is the various kernels. Obviously not an SSH or Apache, or whatever service exploit. If it does end up being with CUPS then that will be one of the biggest security jokes of the past decade, as only a fraction of 1% of linux systems run CUPS.

    So, like others, I await the truth to be revealed. Assuming it is a kernel network thing, I have to wonder if such an exploit is mitigated by means of passing the traffic through another device such as a firewall, especially if that firewall is running a kernel that is NOT Linux.

    I do recall, I think in the late 90s, there being one or two or more kernel bugs similar to Windows' "ping of death", though it wasn't an RCE, just a system crash... though maybe I am remembering wrong.

    1. DS999 Silver badge

      Re: this better be in the kernel

      Assuming it is a kernel network thing I have to wonder if such an exploit is mitigated by means of passing the traffic through another device such as a firewall

      That's fine for corporate systems, but some sort of network based remote p0wn of Linux that didn't depend on an open port (i.e. OpenSSH/CUPS whatever type exploit) would be a major disaster for home users everywhere. Just about every one of us has some sort of Linux based device that connects their home network to their cable/fiber/whatever provider. If all I need is an IPv4 address to send some sort of magic packet(s) to that p0wns your device, I'm inside your network and other exploits would allow leveraging that for almost anything.

      The only way I could imagine a 9.9 would be if this is what it is - a network packet that can p0wn any reachable Linux system even with no ports open and full firewall enabled. But I suspect it is less, and everyone is going to laugh at this single alarmist source who claims a 9.9 if it is something stupid like a CUPS exploit.

      The worst thing about such a Linux based attack that allowed p0wn everyone's cable modem and wireless router is that the large majority of that equipment is no longer getting updates, so this would be a "gift that keeps on giving" for years and years.

      EDIT: oh and I see below it is CUPS. This is a nothingburger, I hope everyone in the network security business remembers this guy's name and puts him on the "never hire" list, because he's a complete moron getting everyone worked up about something that wouldn't rate a single mention on sites like the Register if it wasn't for this Chicken Little fool.

      1. cyberdemon Silver badge
        Alert

        Re: this better be in the kernel

        As mentioned below by @jailbird, it could be a serious vulnerability reported at the same time and by the same person as a 'nothingburger', which if true, would be pretty rotten of him

        But I hope you are right, in which case I fully agree with your sentiment

      2. Sam Liddicott

        Re: this better be in the kernel

        But who gave it the 9.9? Not the "alarmist" - he used the Redhat engineer assessment of 9.9 to get wider attention without which the developers were not taking it seriously.

        Another bug stricken from the TLAs list of universal exploits.

    2. doublelayer Silver badge

      Re: this better be in the kernel

      There are a few services that I would accept as included in "every linux system in the past decade" even if they're not the kernel. It wouldn't be literally every system, but if it was something that ran on most of them, I'd still accept it. In that list I might include SSH, iptables (related services rather than the binary that iptables typically refers to), Systemd, or the very common core libraries. If, for example, someone managed to get a bug into glibc which somehow attached to any network stream established by a program that used glibc, then that would be pretty bad even though there are some Linux systems that don't use it. To qualify as every one in the last decade, though, it couldn't have been a recent regression.

      CUPS is not in that list.

      1. Blazde Silver badge
        Trollface

        Re: this better be in the kernel

        CUPS was one of the true delights of Capture The Flag games 20 years ago. Great to see it's still delivering.

        Maybe time for a rewrite in Rust.

        -> Troll face for obvious reasons. I am only half-joking but this seems like logic errors & lack of input sanitisation which Rust wouldn't help much with

        1. Alan Brown Silver badge

          Re: this better be in the kernel

          Yup - and cups-browsed has been discouraged for at least a decade due to its lack of security and dependence on UDP

  2. Creslin

    Its confirmed to be cups-browsed

    The original tweeter `evilsocket` and the repo maintainer are openly discussing it here on github

    https://github.com/OpenPrinting/cups-browsed/issues/36

    workaround (for now)

    systemctl stop cups-browsed

    systemctl disable cups-browsed

    1. Alan J. Wylie

      Re: Its confirmed to be cups-browsed

      If it is cups-browsed, then I've got nothing to worry about. It's [N]ot installed. And no server I've ever managed has had it (or cups) installed either. "all GNU/Linux systems (plus others)"? Hardly.

      [I] net-print/cups (2.4.7-r2@06/02/24): The Common Unix Printing System

      [N] net-print/cups-bjnp (2.0.3-r1): CUPS backend for canon printers using proprietary USB over IP BJNP protocol

      [N] net-print/cups-browsed (2.0.0): helper daemon to browse for remote CUPS queues and IPP network printers

      [I] net-print/cups-filters (2.0.0-r1@04/06/24): Cups filters

    2. jailbird

      Re: Its confirmed to be cups-browsed

      I wonder if this is a separate issue. The cups bug says it is a DoS, while the Tweet for this 9.9 says it's a RCE.

      1. GBE

        Re: Its confirmed to be cups-browsed

        I wonder if this is a separate issue. The cups bug says it is a DoS, while the Tweet for this 9.9 says it's a RCE.

        Exactly.

        And in the scope of "things that run Linux", the ones running cups-browsed comprise approximately 0%.

        A DoS attack on cups-browsed doesn't sound anything at all like what the original tweet is describing.

        1. Anonymous Coward
          Anonymous Coward

          Re: Its confirmed to be cups-browsed

          Linux Mint 21.3 defaults to running it (mine did). So it's apparently not quite 0%...

      2. Creslin

        Re: Its confirmed to be cups-browsed

        Pretty sure it's cups-browsed - if you read the git thread, `evilsocket` is annoyed at the git maintainer as some of his recent patches are fixing the main, not DDoS, issue.

        Here is the commit with part fix to the RCE, checking attribute types are correct.

        https://github.com/OpenPrinting/cups/commit/96b3bdf010e78880f5764e5032720379aa1116df

    3. tooltalk

      Re: Its confirmed to be cups-browsed

      These shouldn't have been enabled by default in the first place. I tried to remove all cups* packages on my Ubuntu laptop last year, but couldn't remove them all because of some wad load of dependencies. Then I upgraded to 22.04 a few months ago and discovered yesterday it was draining my laptop battery, hogging CPU time.

    4. James Anderson Silver badge

      Re: Its confirmed to be cups-browsed

      Thanks for the tip.

      Running a vanilla Mint/Cinnamon desktop and was surprised to see I was running cups-browsed even though I have no printer attached ( print over WiFi !)

      So yes it is very likely that thousands of Linux desktops are running an unnecessary copy of this daemon.

      1. phuzz Silver badge

        Re: Its confirmed to be cups-browsed

        I have no printer attached ( print over WiFi !)

        cups-browsed is for adding networked printers automatically, and that includes wifi networks. You'd actually be safer with your printer connected via USB.

  3. cyberdemon Silver badge
    Black Helicopters

    Report to full disclosure in three weeks??

    WTF? Even if it could be fixed immediately, we need time to patch it.

    What, other than massaging a wannabe supervillain ego and causing global panic, could be his reason for going full disclosure so early?

    Icon: I'm sure he'll be listening out for this for the next few hours at least

    EDIT: OK, if it's 'just' CUPS-browsed as alluded to above, then he's just overhyping it. Hardly "Every Linux system" as claimed (which would suggest that my router/firewall is probably vulnerable too)

    1. Anonymous Coward
      Anonymous Coward

      Re: Report to full disclosure in three weeks??

      You would be amazed at how many home/soho routers have a print server on them so you can share your USB printer on the network....

      1. cyberdemon Silver badge

        Re: Report to full disclosure in three weeks??

        Yes although -one would hope- the print server ports are not exposed to the 'WAN' interface.

        1. Steven Raith

          Re: Report to full disclosure in three weeks??

          (AC from above)

          Hope indeed.....

          1. ethindp

            Re: Report to full disclosure in three weeks??

            These are routers. Are we really going to hope that their print servers aren't on the public WAN? I guarantee you they are, we all know where security is on the list of priorities of most routers, sadly...

      2. Lee D Silver badge

        Re: Report to full disclosure in three weeks??

        And I very much doubt any of them are running a full CUPS install.

    2. david 12 Silver badge

      Re: Report to full disclosure in three weeks??

      after seemingly becoming frustrated with the handling of his vulnerability reports by CUPS developers

      Was this part of the original article that was patched in subsequent releases?

      Down at the bottom of the article, it indicates that "has now openly disclosed" only followed after vendor disclosure was leaked to the internet, where it's been under public discussion for a couple of days.

    3. DS999 Silver badge

      Re: Report to full disclosure in three weeks??

      Even if it could be fixed immediately, we need time to patch it

      Linux is open source; unless you're only planning on patching vendor Linuxes like Redhat, I'm not sure how you would keep the source code change for the patch secret. How would Google patch Android, for instance? They can't patch the base kernel with Google Play; that has to come from the phone's OEM and I think via the carrier as well. They have versions all over the map, and even if Google wanted to deliver them a binary, that's simply not practical. Once you have delivered a source fix to hundreds of Android OEMs and shady carriers it is going to be "full disclosure", but only to bad guys who will bribe (or have infiltrated) one or more of those.

      1. doublelayer Silver badge

        Re: Report to full disclosure in three weeks??

        The general policy is to release the patch, but not talk about it except in release notes. Attackers have to monitor for code changes to see that a bug exists if they hadn't already found it themselves. Once it is available, then you tell people about the vulnerability and tell them to patch. Once people who see advisories and patch have had a bit to do that, then you release the proof of concept code. There are times when being ignored for long enough justifies announcing anyway, but three weeks while discussions on Github occur is not the same thing.

  4. markrand
    Headmaster

    WTF is a WiFi router?

    I have a router. I have a (Cisco) Wireless LAN Controller. I have WiFi access points. What is a WiFi router, other than a made up thing?

    1. cyberdemon Silver badge
      Holmes

      Re: WTF is a WiFi router?

      It's a consumer-level device, very popular among the proletariat, which combines these functions into the one device, m'lud.

      1. David 132 Silver badge
        Happy

        Re: WTF is a WiFi router?

        Oh, to facilitate them in listening to their "popular beat combos"?

      2. Scott 26

        Re: WTF is a WiFi router?

        I read that in Paul Merton's voice talking to Ian Hislop

        I hope that was the intention!

    2. GBE

      Re: WTF is a WiFi router?

      It's a combination of a router/firewall and a WAP. They're very, very common in residential installations.

      And lots of them run Linux.

      1. williamyf

        Re: WTF is a WiFi router?

        There are ones which include the (Cable/ADSL) modem as well.

    3. Lee D Silver badge

      Re: WTF is a WiFi router?

      It's a router. That has wifi. Like almost every house in the country now has.

      It literally routes as its main purpose.

      It literally has an integrated wifi interface as one of its main network interfaces.

      What more insight do you require?

    4. Anonymous Coward
      Anonymous Coward

      Re: WTF is a WiFi router?

      By the way, you got all the downvotes not for asking a question, but for asking a question you obviously knew the answer to, as a way to sound pedantically smart.

      HTH.

      1. markrand

        Re: WTF is a WiFi router?

        Not to sound smart, but to point out that router (level 3) doesn't include switch/access point(level 2). Basic knowledge which seems to have been perverted by public ignorance.


  5. williamyf
    Trollface

    1.) CUPS started in 1999, and yet, not enough eyes.

    2.) If this was in Windows, we would be asking: What kind of security model allows a userspace program to grant RCE into the system as root? And yet, here we are...

    1. cyberdemon Silver badge
      Devil

      Have you seen the Windows networked-printer driver model? It's roughly as follows:

      "Hi, do you have any printers?" > "Yes, here's a list." > "Hmm, I don't seem to have a driver for that one" > "No problem, here's a driver, load it into your kernel" > "Okay"

    2. Nate Amsden

      https://www.theverge.com/2021/7/2/22560435/microsoft-printnightmare-windows-print-spooler-service-vulnerability-exploit-0-day

      (note: from 2021)

      "Microsoft is warning Windows users about an unpatched critical flaw in the Windows Print Spooler service. The vulnerability, dubbed PrintNightmare, was uncovered earlier this week after security researchers accidentally published a proof-of-concept (PoC) exploit. While Microsoft hasn’t rated the vulnerability, it allows attackers to remotely execute code with system-level privileges, which is as critical and problematic as you can get in Windows."

      this CUPS thing is a joke. Here I was worried about things like network switches, storage arrays, firewalls, web servers. My local linux laptop runs cups (though I have no printers), I manage roughly 800 other linux systems at work and not one of them has ever had CUPS installed.

      1. Anonymous Coward
        Anonymous Coward

        Aye, same boat here - nowt in 'my estate' (some 200 boxes) has CUPS on it.

        But it's getting enough press that customers might ask, so it's worth having a read through the blog to get the details.

        It's quite an interesting little exploit chain, even if it's not quite as widespread as the dev thinks (possibly overestimating how many systems have CUPS installed - basically all desktops out of the box, but not many servers unless you explicitly choose it/set it up - although cheap routers with USB sharing might be at risk, especially if they have a shitty uPnP implementation...).

        It's out there enough in the press that I've scrawled up a quick response to any clients who ask about it, and to advise our desktop linux users to triple check their firewalls are set up in such a way as to effectively defeat any exploits that come out, till it gets patched.

        Better safe than sorry, especially as some of them are out and about a bit on public networks etc....

        1. Anonymous Coward
          Anonymous Coward

          common enough

          it is pulled in with a default debian desktop image, with gnome, kde, xfce, etc...

          fedora? yes sir, it is included in silverblue so I would guess it is in the default desktop image of fedora as well

    3. Lee D Silver badge

      CUPS was sold out to Apple in about 2007 and has been going steadily downhill ever since.

      It *used* to be a great source of universal drivers for literally every printer that you could imagine and it would "just work".

      It since became a thing that Apple use to print on MacOS on their supported printers and sod-the-rest.

      The guy who sold it to Apple then left Apple, and then forked the code and is remaking it, but I don't think that fork is yet mainstream.

      It's yet-another example of what happens when you let a big business buy up a core open-source product and its developers.

      1. Brewster's Angle Grinder Silver badge

        Now I'm going gray, "getting bought out, forking, and releasing under a new name" is about as good a business model as most open source can hope for. (Please, Apple, buy out one of my tools!)

  6. Anonymous Coward
    Anonymous Coward

    Judging...

    If it is truly that serious, and he's getting that much push back from the developer, it must be systemd. But thankfully that doesn't affect every single Linux device, just most of them. The sane systems don't use it.

    1. GBE

      Re: Judging...

      If it is truly that serious, and he's getting that much push back from the developer, it must be systemd. But thankfully that doesn't affect every single Linux device, just most of them.

      Nope, most Linux systems don't use systemd. Remember: most Linux systems are phones. And they don't use systemd.

  7. Alan J. Wylie

    This on twitter at 19:00 UTC. CUPS is one of Openprinting's projects.

    Simone Margaritelli @evilsocket

    Mark this. 1 hour to go.

    https://openprinting.github.io/codeofconduct/

    1. cyberdemon Silver badge
      Thumb Up

      Good. So the so-called "doomsday" vulnerability is hopefully just print-server related

      In an hour, he'll learn the price of trolling the whole tech sector

      1. This post has been deleted by its author

      2. Anonymous Coward
        Anonymous Coward

        Best add Canonical and Red Hat to that list - they're the ones who rated it a 9.9, not the researcher. They're unlikely to apply that to something of such comparatively limited scope.

        Suppose we'll find out in

        *checks watch*

        Five minutes.

        As a reminder, Heartbleed was a 7.5...

    2. Anonymous Coward
      Anonymous Coward

      Jia Tan?

      any relation to Jia Tan by any chance?

  8. TrevorH

    The issue linked is to one that is public because it appears to be less severe. It mentions other fixes to libcupsfilters and libppd which are not public so are presumably more severe. I am dubious whether these will end up being as severe as the hype makes out.

    1. cyberdemon Silver badge
      Pint

      I suppose we'll find out in 18 minutes.

      I do wish El Reg would update the article to add the CUPS link though, as it seems a bit sensational without it, but I suppose we were all too lazy to ping their corrections@ inbox

      1. martinusher Silver badge

        Where would a modern piece of journalism be without its element of 'instilling panic'? It would be too much to hope that you'd just get a piece along the lines of "Problem found with CUPS due to xxxx causing yyyyy. Fix in progress but for now as with anything else on your systems if you're not intending to use it turn it off / remove it". It just lacks the je ne sais quoi of "The End Of The World As We Know It Is Upon Us!!!!".

  9. Creslin

    Full disclosure has been released - its cups-browsed, link in body.

    https://gist.github.com/stong/c8847ef27910ae344a7b5408d9840ee1 << disclosure

    Released early as the whole world figured out it was cups-browsed.

    edit: CVEs

    CVE-2024-47176 | cups-browsed <= 2.0.1 binds on UDP INADDR_ANY:631 trusting any packet from any source to trigger a Get-Printer-Attributes IPP request to an attacker controlled URL.

    CVE-2024-47076 | libcupsfilters <= 2.1b1 cfGetPrinterAttributes5 does not validate or sanitize the IPP attributes returned from an IPP server, providing attacker controlled data to the rest of the CUPS system.

    CVE-2024-47175 | libppd <= 2.1b1 ppdCreatePPDFromIPP2 does not validate or sanitize the IPP attributes when writing them to a temporary PPD file, allowing the injection of attacker controlled data in the resulting PPD.

    CVE-2024-47177 | cups-filters <= 2.0.1 foomatic-rip allows arbitrary command execution via the FoomaticRIPCommandLine PPD parameter.

    My personal take is that, whilst I'm thankful for the find, the OP `evilsocket` laid so many breadcrumbs describing the vector, and cloning cups-browsed to his repo, that finding recent commits to cups-browsed became trivial.

    https://github.com/OpenPrinting/cups/commit/96b3bdf010e78880f5764e5032720379aa1116df

    TLDR; browsed lack of sanitizing attributes in IPP - as addressed in the commit above.

    ```
    printer-privacy-policy-uri = [https://www.google.com/"\n*FoomaticRIPComman…|https://www.google.com/%22%5Cn*FoomaticRIPCommandLine]: "echo 1 > /tmp/PWNED"\n*cupsFilter2 : "application/pdf application/vnd.cups-postscript 0 foomatic-rip
    ```
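The workaround posted above (stop and disable cups-browsed) and the CVE-2024-47176 description (cups-browsed binding UDP INADDR_ANY:631) both come down to two checks a defender wants to run on a box: is the unit present and running, and is anything bound to UDP 631 on a network-reachable address. The script below is an added example, not code from the thread or from the OpenPrinting project. It parses `ss -ulnp` output with a small awk filter, classifies the bind address, and queries systemd only where `systemctl` exists; the `ss` output it is tested against is a constructed sample, not a capture from a real host.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenPrinting project): a read-only audit
# that answers the two questions the comments keep asking: is cups-browsed present
# and running, and is its UDP/631 socket bound to a wildcard address as described
# for CVE-2024-47176? The `ss -ulnp` parsing is exercised on a constructed sample
# so the logic can be checked on a host without cups-browsed installed.

# Constructed sample of `ss -ulnp` output (not captured from a real host).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
UNCONN 0      0      0.0.0.0:631         0.0.0.0:*         users:(("cups-browsed",pid=1234,fd=9))
UNCONN 0      0      127.0.0.1:323       0.0.0.0:*         users:(("chronyd",pid=700,fd=5))
UNCONN 0      0      [::]:5353           [::]:*            users:(("avahi-daemon",pid=600,fd=12))'

# udp631_listeners: read `ss -ulnp` output on stdin, print Local Address:Port of
# every UDP socket whose port is 631 (the IPP port cups-browsed listens on).
udp631_listeners() {
  awk '$1 == "UNCONN" { n = split($4, p, ":"); if (p[n] == "631") print $4 }'
}

# bind_scope ADDR:PORT -> "loopback" if only reachable from this host, else "network"
# (0.0.0.0, [::] and * are wildcard binds; any other address is a real interface).
bind_scope() {
  addr=${1%:*}
  case "$addr" in
    127.*|'[::1]') echo loopback ;;
    *)             echo network ;;
  esac
}

# assess: read `ss -ulnp` output on stdin and print one verdict:
#   EXPOSED    - UDP 631 is bound to a network-reachable address
#   LOCAL_ONLY - UDP 631 is bound to loopback only
#   NONE       - nothing is listening on UDP 631
assess() {
  udp631_listeners | {
    verdict=NONE
    while IFS= read -r sock; do
      [ -n "$sock" ] || continue
      if [ "$(bind_scope "$sock")" = network ]; then
        verdict=EXPOSED
      elif [ "$verdict" != EXPOSED ]; then
        verdict=LOCAL_ONLY
      fi
    done
    echo "$verdict"
  }
}

# cups_browsed_unit: systemd's view of the service. Prints "<enabled-state>/<active-state>",
# "not-installed" when no unit file exists, or "unknown" when systemd is unavailable.
cups_browsed_unit() {
  command -v systemctl >/dev/null 2>&1 || { echo unknown; return 0; }
  units=$(systemctl list-unit-files cups-browsed.service 2>/dev/null) || { echo unknown; return 0; }
  if printf '%s\n' "$units" | grep -q '^cups-browsed.service'; then
    printf '%s/%s\n' "$(systemctl is-enabled cups-browsed 2>/dev/null || true)" \
                     "$(systemctl is-active cups-browsed 2>/dev/null || true)"
  else
    echo not-installed
  fi
}

# Live run when the tools exist; otherwise fall back to the constructed sample.
echo "cups-browsed unit: $(cups_browsed_unit)"
if command -v ss >/dev/null 2>&1; then
  echo "UDP 631 on this host: $(ss -ulnp 2>/dev/null | assess)"
else
  echo "ss not found; verdict for the constructed sample: $(printf '%s\n' "$SAMPLE_SS" | assess)"
fi
```

A verdict of EXPOSED together with an enabled/active unit is the configuration the CVE text describes; the posted `systemctl stop cups-browsed` / `systemctl disable cups-browsed` workaround brings the same host back to NONE, and re-running the script is a cheap way to confirm nothing else has picked up the port.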

    1. Creslin

      Re: Full disclosure has been released - its cups-browsed, link in body.

      OP writeup

      https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/

      1. Mage Silver badge
        Facepalm

        Re: Full disclosure has been released - its cups-browsed, link in body.

        So can't be a doomsday 9.9

        Meh.

        Unless drive-by 3rd-party evil JS via browser can work it? If so, another reason to block all 3rd-party scripts by default, though CloudFlare thinks you are a bot when you do that. Idiots.

        1. sten2012

          Re: Full disclosure has been released - its cups-browsed, link in body.

          It's a remote code execution with no authentication. Definitely a 9.9

          CVSS base score doesn't care how widespread software is.

          Heartbleed was serious and widespread but an information disclosure that in and of itself doesn't offer RCE.

          A lot of people here are confused about the scope and utilisation of CVSS base scores.

          But yes. There was much hype. Over a serious but not completely ubiquitous issue

          1. vtcodger Silver badge

            Re: Full disclosure has been released - its cups-browsed, link in body.

            Am I the only person that recalls that the way you manually control printers with CUPS is to point a browser at port 631 on the computer running CUPS? MAYBE that's not that big a deal for some reason or other. But still given the fact that most users allow Javascript in websites because most websites won't work without it. And the fact that Javascript appears to be way too capable to be compatible with security, there may be some substance here.

            I reckon we'll find out.

            1. This post has been deleted by its author

        2. vtcodger Silver badge

          Re: Full disclosure has been released - its cups-browsed, link in body.

          My understanding is that Cloudflare's sole function is to make sure that nothing involving the internet works quite right. They seem to be pretty good at that.

        3. Antron Argaiv Silver badge

          Re: Full disclosure has been released - its cups-browsed, link in body.

          Coincidentally? My Mint system downloaded and installed a CUPS update yesterday.

  10. GBE

    Is that all?

    There are people who enable cups-browsed?

    I've never seen it running on any Linux machine I've used during the past 30-odd years.

    That's got to be a tiny, tiny percentage of Linux systems. Hardly "affects all Linux systems and distros" as originally claimed.

    1. diodesign (Written by Reg staff) Silver badge

      Re: Is that all?

      FWIW I'm using Debian 12.7 right now (desktop Linux FTW) and I not only had cups-browsed installed, I just removed it.

      C.

      1. Doctor Syntax Silver badge

        Re: Is that all?

        "I'm using Debian 12.7 right now (desktop Linux FTW)"

        Unsurprisingly Devuan also has it installed. Check by stopping it. Can I still print to both networked printers? Yes. Remove it. No sweat.

      2. Ian Johnston Silver badge

        Re: Is that all?

        It's on all four of my Linux Mint machines. Since there is no way of getting at port 631 from the outside world, I'm leaving it in place.

      3. Alan Brown Silver badge

        Re: Is that all?

        You'll probably find that your local network printers have disappeared from CUPS

        Cups-browsed is useful in a single segment SOHO LAN, but once you start routing IPP traffic you're better off disabling it (given so many Windows issues, it's a good idea to filter as much as possible and use something like Papercut in a routed environment. I ended up putting our printers in their own segment, with a dedicated print server running Papercut).

        Printing is a major migraine inducer in routed networks. At home it usually "just works", but as soon as you scale past that things get very hairy very quickly - and unauthorised printers are the most common guerrilla IT installation (802.1x ethernet authentication is your friend).

      4. andy the pessimist

        Re: Is that all?

        I have just done the same as you.

        Do I need to block any ports?

        Thanks in advance.

    2. cyberdemon Silver badge

      Re: Is that all?

      The OP (evilsocket) claims to have seen 300k linux systems with open CUPS ports on the Internet using shodan.io. But how many are real and how many are honeypots, who knows

      1. BinkyTheMagicPaperclip Silver badge

        Re: Is that all?

        300K is not a lot in terms of the Internet. Yes, it's a lot of systems, yes it's a problem, but it's a drop in the ocean compared with all Linux systems or the majority of Unix systems.

        At least the author has the grace to question the 9.9 rating. 9.9 as it's easily exploited, but only if you're running a service many Unix systems aren't.

        Having said that, if you're printing, you're probably using CUPS. I've tried looking at non CUPS solutions for printing and painful doesn't even begin to describe the documentation and moving parts.

        1. GBE

          Re: Is that all?

          Having said that, if you're printing, you're probably using CUPS.

          Yes, but you don't need to have cups-browsed running to use CUPS. I've been using CUPS for decades and have never enabled cups-browsed.

          Sheesh. Kids these days and their silly auto-magical auto-discovery stuff!

          1. John Brown (no body) Silver badge

            Re: Is that all?

            Yeah, as soon as I read "cups" I immediately checked my Cups-running systems and none have cups-browsed. And it's pretty much a default install on FreeBSD. Neither my KDE nor XFCE builds, but with Cups installed by me as meta-ports, pulled in cups-browsed. So it's not only entirely possible to not have it, it seems it's installed only by some (most?) Linux "distros" trying to be all things to all users. Maybe this should be a wake-up call to "distro" maintainers to think more carefully about throwing everything including the kitchen sink into a default install and instead maybe ask the users at install time what type of install they want. Yeah, have recommended types of install that group certain programs (like some used to have "desktop" and "server" options) and "distros" aimed at certain types of users, but I suspect most desktop users just want to be able to choose things like browser, email client, integrated or separate office-type programs etc. and don't want all the options installed by default. It feels like Linux "distros" are a bit too "Windows-like" these days, making the choices on behalf of the users in a bid to get more users by aiming at casual users coming from Windows and worried those users might be frightened of being asked to make choices.

            Even back in the day, when Ubuntu used to have quite a few different themed distros, I remember EdUbuntu basically throwing every desktop app that could be conceived as being "educational" into the "distro", which made it bloody awkward for me to do a quick build for a grandchild that wouldn't be full of stuff well outside of his then 6 year old skill level. That was a prime opportunity to have an installer that allowed for an age selection, even if just to "hide" the irrelevant stuff.

      2. breakfast

        Re: Is that all?

        I'd be very surprised if there were within an order of magnitude of 300k honeypots.

    3. FlippingGerman

      Re: Is that all?

      My mini-pc home server running Ubuntu had it installed and running. My Raspberry Pis appear not to.

    4. Claptrap314 Silver badge

      Re: Is that all?

      My devuan 5 box had it installed & running. Uninstalled.

      Our work boxes on AWS running their Ubuntu AMIs don't.

  11. Anonymous Coward
    Anonymous Coward

    You can't get hacked if you don't have it.

    Rocky 8 Desktop default.

    cups-browsed.service - Make remote CUPS printers available locally

    Loaded: loaded (/usr/lib/systemd/system/cups-browsed.service; disabled; vendor preset: disabled)

    Rocky 9 Server not installed by default.

    *YAWN*

  12. Anonymous Coward
    Anonymous Coward

    $ systemctl status cups-browsed

    ● cups-browsed.service - Make remote CUPS printers available locally

    Loaded: loaded (/usr/lib/systemd/system/cups-browsed.service; disabled; vendor preset: disabled)

    Active: inactive (dead)

  13. jake Silver badge

    Mountains, molehills ....

    ... and storms in tea CUPS.

    Gotta love Chicken Little syndrome. Selling column-inches since the advent of the red-top.

  14. Ian Johnston Silver badge

    "Considering this is Linux, the scope of this vulnerability is massive and successful exploitation could be devastating — everything from your Wi-Fi router to the grid keeping the lights on runs on Linux."

    I don't think my router has CUPS installed.

    1. Claptrap314 Silver badge

      Best to double-check though...

    2. phuzz Silver badge

      I know my Asus router allows plugging a USB printer in, to use it as a networked printer, and because the router is Linux based, I assume it's using CUPS for that.

      (I don't have a printer attached to mine, and I can't check right now if it has CUPS running.)

      So, yeah, a home router might well be running CUPS.

      1. cyberdemon Silver badge
        Unhappy

        Re: So, yeah, a home router might well be running CUPS.

        Good luck patching that!

  15. DS999 Silver badge
    Mushroom

    What a fucking moron

    Waaaah waaaah waaah!!! CUPS developers won't pay enough attention to my very minor bug so I'm going to cause a shitstorm and make the whole world believe I've stumbled upon the biggest Linux bug ever!

    I hope everyone remembers this guy's name and puts him on the permanent NEVER HIRE list as a result. I wouldn't hire him to pick up dogshit by hand - the shit would be tainted by having him touch it!

    1. Anonymous Coward
      Anonymous Coward

      Re: What a fucking moron

      If you think that the ability to run arbitrary code remotely - without authentication - is in any way a "very minor" problem, please provide your full name, because I certainly never want to hire you.

      1. Lee D Silver badge

        Re: What a fucking moron

        "remotely" being "if you're on the same local network as a CUPS server with no safeguards" in this instance.

        Because who the hell is exposing CUPS ports "remotely" (which when we're talking about serious flaws inducing such panic I take to mean - from over the Internet, not "if you're on the same LAN").

        1. Anonymous Coward
          Anonymous Coward

          Re: What a fucking moron

          On any network bigger than a SOHO or a small branch office, assuming your LAN is clean and safe is usually the first point in the root cause analysis as to why your network got completely overrun by something nasty.

          Because there's no chance that a bad actor inside your network could kick something like this off, of course, and use the remote code execution to run something nastier than dumping a 'hello world' into a temp folder, is there?

          Is there?

          1. John Brown (no body) Silver badge

            Re: What a fucking moron

            True, but if they are already in your network, you already have a serious problem and it's highly likely they will find some way further in anyway. This just likely makes it that much easier and quicker *once they are already in*.

        2. doublelayer Silver badge

          Re: What a fucking moron

          And if someone nasty gets on your local network? For example, getting one device in your home or office network with malware on it which can now spread to any computer with this installed and run as root, you're fine with this? It only becomes a problem when the attacker can skip the first part?

          The pervasiveness of the vulnerable component was overstated. The badness of the bug was not. I don't want that running on my machines. Fortunately for me, it wasn't. That is not the same thing as this not being important at all.

  16. BobBob

    Patch available

    It looks like a patch is available, at least for Ubuntu: https://ubuntu.com/security/notices/USN-7043-1

    1. Neil Barnes Silver badge

      Re: Patch available

      Mint threw an update at me this morning - which started the service:

      ● cups-browsed.service - Make remote CUPS printers available locally

      Loaded: loaded (/lib/systemd/system/cups-browsed.service; enabled; vendor p>

      Active: active (running) since Fri 2024-09-27 09:04:13 CEST; 1min 25s ago

  17. Bebu
    Holmes

    Network Printers?

    Most network printers have an IPP service which I would wonder whether the code was CUPS derived.

    In environments where the "inside" is scarcely less grubby* than the unwashed internet these vulnerabilities are a bit more serious.

    * think (but not exclusively) University (College) networks.

    1. Mage Silver badge

      Re: Network Printers?

      I have avahi and cups-browsed disabled as I only manually add and configure a printer (without browser). The cups still works to print on my networked printer.

      First thing I do with any new/replacement router is make sure no inward ports or upnp.

  18. Inkey
    Megaphone

    mint updates

    There seems to be an update on Mint and presumably other ubuntu distros.... available now

    oh wow doomsday averted?

    1. Mage Silver badge

      Re: mint updates

      Yes, seeing update now. Note the cups-browsed is an extra only for web / browser configuration. It's not needed and I've never used it in 25 years. However is it the patch for the discussed issue?

      cups (2.4.1op1-1ubuntu4.11) jammy-security; urgency=medium

      * SECURITY UPDATE: PPD injection issues (LP: #2082335)

      - debian/patches/sec-202409-1.patch: validate URIs, attribute names,

      and capabilities in cups/ppd-cache.c, scheduler/ipp.c.

      - debian/patches/sec-202409-2.patch: sanitize make and model in

      cups/ppd-cache.c.

      - debian/patches/sec-202409-3.patch: PPDize preset and template names

      in cups/ppd-cache.c.

      - debian/patches/sec-202409-4.patch: quote PPD localized strings in

      cups/ppd-cache.c.

      - debian/patches/sec-202409-5.patch: fix warnings in cups/ppd-cache.c.

      - CVE number pending

      -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 26 Sep 2024 07:27:55 -0400

      And

      cups-filters (1.28.15-0ubuntu1.3) jammy-security; urgency=medium

      * SECURITY UPDATE: PPD injection issues (LP: #2082335)

      - debian/patches/sec-202409-1.patch: validate response attributes

      before return in cupsfilters/ipp.c.

      - debian/patches/sec-202409-2.patch: disable legacy CUPS protocol in

      configure.ac.

      - CVE number pending

      -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 26 Sep 2024 10:21:15 -0400

      1. Mage Silver badge
        Boffin

        Re: mint updates

        Be sure to NOT replace the "/etc/cups/cups-browsed.conf"

        Mine disables network stuff?

        --- /etc/cups/cups-browsed.conf 2022-07-20 00:16:25.163243798 +0100

        +++ /etc/cups/cups-browsed.conf.dpkg-new 2024-09-26 15:21:15.000000000 +0100

        @@ -38,8 +38,7 @@

        # Which protocols will we use to discover printers on the network?

        # Can use DNSSD and/or CUPS and/or LDAP, or 'none' for neither.

        -BrowseRemoteProtocols none

        -# dnssd cups

        +BrowseRemoteProtocols dnssd

        # Which protocols will we use to broadcast shared local printers to the network?
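        Review bot: the packaged file flips BrowseRemoteProtocols from "none" to "dnssd", so accepting the .dpkg-new version would switch remote printer discovery back on; the removed "# dnssd cups" line was part of the local edit, not packaged content. Keep the locally modified file (or re-apply "BrowseRemoteProtocols none" after the upgrade) and confirm the service state afterwards with systemctl status cups-browsed.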

        @@ -309,7 +308,7 @@

        # Set HTTP timeout (in seconds) for requests sent to local/remote

        # resources Note that too short timeouts can make services getting

        -# missed when they are present and operations be unneccessarily

        +# missed when they are present and operations be unnecessarily

        # repeated and too long timeouts can make operations take too long

        # when the server does not respond.

        @@ -318,7 +317,7 @@

        # Set how many retries (N) should cups-browsed do for creating print

        # queues for remote printers which receive timeouts during print queue

        -# creation. The printers which are not successfuly set up even after

        +# creation. The printers which are not successfully set up even after

        # N retries, are skipped until the next restart of the service. Note

        # that too many retries can cause high CPU load.

        @@ -553,6 +552,23 @@

        # NewIPPPrinterQueuesShared Yes

        +# How to handle the print queues cups-browsed creates when

        +# cups-browsed is shut down:

        +

        +# "KeepGeneratedQueuesOnShutdown No" makes the queues being

        +# removed. This makes sense as these queues only work while

        +# cups-browsed is running. cups-browsed has to determine to which

        +# member printer of a cluster to pass on the job.

        +

        +# "KeepGeneratedQueuesOnShutdown Yes" (the default) makes the queues

        +# not being removed. This is the recommended setting for a system

        +# where cups-browsed is permanently running and only stopped for short

        +# times (like log rotation) or on shutdown. This avoids the

        +# re-creation of the queues when cups-browsed is restarted, which

        +# often causes a clutter of CUPS notifications on the desktop.

        +

        +# KeepGeneratedQueuesOnShutdown No

        +

        # If there is more than one remote CUPS printer whose local queue

        # would get the same name and AutoClustering is set to "Yes" (the

        # default) only one local queue is created which makes up a
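        Review bot: the new KeepGeneratedQueuesOnShutdown comment block reads awkwardly ("makes the queues being removed", "makes the queues not being removed"); suggest "removes the queues" and "keeps the queues". It would also help the reader to state the default ("Yes") on the commented-out setting line itself, e.g. "# KeepGeneratedQueuesOnShutdown Yes", since the example line shows the non-default value.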

        @@ -648,7 +664,7 @@

        # As DNS-SD service names are unique in a network you can create a

        # cluster from exactly specified printers (spaces replaced by

        -# underscors):

        +# underscores):

        # Cluster hrdep: oldlaser_@_hr-server1 newlaser_@_hr-server2

        @@ -742,3 +758,19 @@

        # shutdown.

        # AutoShutdownTimeout 30

        +

        +# DebugLogFileSize defines the maximum size possible (in KBytes)

        +# of the log files (cups-browsed_log and cups-browsed_previous_logs)

        +# that is created using cups-browsed in the debugging mode.

        +# Setting its value to 0 would turn off any restriction

        +# on the size of the file.

        +

        +# DebugLogFileSize 300

        +

        +# NotifLeaseDuration defines how long the D-BUS subscription created by cups-browsed

        +# in cupsd will last before cupsd cancels it. The default value is 1 day

        +# in seconds - 86400. The subscription renewal is set to happen after half of

        +# NotifLeaseDuration passed. The D-BUS notifications are used for watching over queues

        +# and doing specific actions when a D-BUS notification comes.

        +

        +# NotifLeaseDuration 86400
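        Review bot: the DebugLogFileSize comment documents that a value of 0 removes any size limit, but does not say what happens when the limit is reached or warn that an unbounded debug log on a permanently running daemon can fill the filesystem; suggest adding a sentence on rotation behaviour and a caution against 0 outside short debugging sessions. Minor grammar in the same block: "of the log files ... that is created" should be "that are created".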

  19. Steve Graham

    Why would anyone want this?

    cups-browsed: "This daemon browses Bonjour broadcasts of shared remote CUPS printers and makes these printers available locally by creating local CUPS queues pointing to the remote queues."

    So, if some user on your network allows his printer to broadcast Avahi/Bonjour it becomes accessible to everyone else?

    1. Lee D Silver badge

      Re: Why would anyone want this?

      Welcome to Apple's genius addition to the "Common Unix Printing System".

      There's a reason the main CUPS developer later left Apple and then forked his original code.

    2. Alan Brown Silver badge

      Re: Why would anyone want this?

      In a SOHO environment it makes sense.

      Printing at home or in small business environments tends to "just work" because of things like this; however, the helpers don't scale to routed environments.

    3. doublelayer Silver badge

      Re: Why would anyone want this?

      Because printers are somehow still awful to connect to, and to try to help this which sometimes works, they've included lots of hacks to make them automatically discoverable and usable. Otherwise, people who haven't gotten the full printer setup from IT tend to have a hard time using the printers at all unless they're still able to just plug in a USB cable, and sometimes not even then if the operating system can't find or doesn't agree about the driver required. When you consider offices where there is no real IT, or the IT person is not concerned with printers because they got lucky, this automatic setup is often the simplest way to get most of the people printing. That doesn't mean it's the right way, but printers mostly gave up on doing things the right way.

  20. Havin_it
    Black Helicopters

    Whoa, synchronicity

    Just two days ago I decided to toy with cups-browsed on my Gentoo box (you'll be stunned to learn that it is not default-installed there!) because both my home and work printers now allegedly support "driverless printing"/"IPP Everywhere" which to anyone who's installed a printer on Linux was a rather tantalising promise, and browsed + Avahi seem to be the only endorsed way of achieving this.

    In neither case did it work, if by "work" we mean "allow me to print a web page from Firefox on that printer".* So that was as far as that went.

    I've always regarded Avahi/uPnP/DNSSD/Bonjour/mDNS/zeroconf (jeez, pick a name already) as asking for trouble to begin with, but will allow that it's what implementers do with it that you have to watch out for. I can't think of a much better example of doing something really stupid with it than accepting arbitrary, potentially root, code from any old Tom Dick or Kyocera that claims it's a printer.

    I could see this being a useful way of frictionlessly adding a printer *if* used solely as an on-demand, one-shot "scan for printers" function when you actually know of a printer that you expect to find (and what it's probably called) on your network. Having it running permanently is bonkers. A server to handle the vanishingly-infrequent task of configuring another server?

    It wouldn't surprise me if a lot of "user-friendly" desktop distros do enable this by default -- or at least pull it in with CUPS itself -- so I get that a fairly high level of concern is warranted, albeit with the caveats expressed by others.

    [*Not that way it doesn't, but it is actually trivial to add these printers through CUPS's web UI if you know the printer's IP and the seemingly fairly universal format for ipp:// URIs.]

  21. Toastan Buttar

    "Two libraries, one CUPS"

    I laughed so much, I nearly s*at.

  22. Zippy´s Sausage Factory
    Facepalm

    Printing. Why is it always printing?

    1. FrogsAndChips Silver badge

      because it's never lupus.

    2. Paul Herber Silver badge

      It never leaves a paper trail.

  23. Oninoshiko
    Big Brother

    Does no one know how CVSS works?

    CVSS ratings have nothing to do with how many instances of it are out there. They are a rating of how easy it is to exploit and what exploiting gets you:

    In this case:

    It can be exploited remotely

    Without difficulty

    With no user interaction

    To run arbitrary code

    As root

    That's easily in the 9 - 10 out of 10 range.

    As to how widely it is reachable on the open Internet (which again, is beyond the scope of the rating), he got around 400k Linux machines to happily run his benign payload. If I want to build a bot-net, that's not a bad one.

    As to not waiting to disclose, he disclosed because someone had leaked it. Once it's out there for bad-actors, full disclosure is the only responsible thing to do.

    1. cyberdemon Silver badge

      Re: Does no one know how CVSS works?

      > As root

      Are you sure about that last part? Anyone can write to /tmp

      If this was a root exploit, he'd surely have demonstrated something more sensational, such as writing in /etc

      I also thought this required the user to "print" to the fake printer, which is "user interaction"?

      But yes fair enough about disclosure following leak, although I understand he had already said he was going to disclose it at the end of the month, did he say that before or after the leak?

  24. James O'Shea Silver badge

    CUPS seems to be turned off on Macs

    Apparently you have to turn it on, see https://support.magicard.com/solution/enable-cups-web-interface-mac-osx/

    Note that if you want the thing to work, you have to send stuff to port 631, while the fix involves messing with 631. I suspect that there will be... complications.

    I just checked. CUPS is disabled on my main Macs, I may just remove it.

    The possibility exists that if Apple doesn't trust it, others shouldn't either. Just a thought.

    1. AJ MacLeod

      Re: CUPS seems to be turned off on Macs

      I don't trust Apple or their judgement...

  25. FuzzyTheBear
    Pint

    Whatever the politics ..

    We know it's a messy process .. always is .. there's egos that are bruised etc ..

    But it's fixed .. all updates were available late last night and system is patched Linux Mint 22.0 Wilma. Go FOSS
