
That doomsday critical Linux bug: It’s CUPS. Could lead to remote hijacking of devices

Updated After days of waiting and anticipation, what was billed as one or more critical unauthenticated remote-code execution vulnerabilities in all Linux systems was today finally revealed.

In short, if you’re running the Unix printing system CUPS, including cups-browsed, then you may be vulnerable to attacks that could lead to your computer being commandeered over the network or internet.

The bugs were found by software developer Simone Margaritelli, who has now published a detailed public write-up here.

What you need to know for now, according to Margaritelli, is:

  • Disable and/or remove the cups-browsed service.
  • Update your CUPS installation to bring in security updates when available.
  • Block access to UDP port 631 and consider blocking off DNS-SD, too.
  • It affects “most” Linux distros, “some” BSDs, possibly Google ChromeOS, Oracle’s Solaris, and potentially others, as CUPS is pretty widely included in distributions.
  • To exploit this across the internet or a LAN, a miscreant only needs to reach cups-browsed on UDP port 631, the port on which it listens for printer browse announcements. Hopefully none of you have that facing the public internet anyway.
  • If UDP port 631 isn’t reachable, an attacker may instead be able to spoof zeroconf, mDNS, or DNS-SD advertisements to reach the same vulnerable code path. Details of that route, and more besides, are promised for later.
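The checks and mitigations in the list above, as an added example script (not from the article, nor from the CUPS or cups-browsed projects). It assumes a systemd-based Linux host with iproute2's `ss` and iptables installed, a service unit named `cups-browsed`, and the configuration file at `/etc/cups/cups-browsed.conf`; the sample `ss` output and config text in the `demo` mode are constructed. The pure functions parse captured text so they can be tested offline; `audit` and `mitigate` touch the live host and need root.

```shell
#!/bin/sh
# Added example: audit a Linux host for the cups-browsed exposure described
# above and, on request, apply the mitigation (stop and mask cups-browsed,
# drop inbound UDP 631, optionally drop mDNS on UDP 5353).
# Assumptions (not from the article): systemd, `ss` from iproute2, iptables,
# service name "cups-browsed", config at /etc/cups/cups-browsed.conf.

# Pure check over `ss -ulnp` output: is anything bound to UDP port 631?
# cups-browsed listens there for printer browse announcements.
# Returns 0 (true) when a listener on port 631 is present, 1 otherwise.
udp631_listener_present() {
    printf '%s\n' "$1" | awk '
        $1 == "UNCONN" && $4 ~ /:631$/ { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Pure check over cups-browsed.conf text: is remote browsing switched off?
# Returns 0 only when an active (uncommented) line reads exactly
# "BrowseRemoteProtocols none"; commented lines and other values return 1.
browse_remote_disabled() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        tolower($1) == "browseremoteprotocols" { val = tolower($2); nf = NF }
        END { exit ((val == "none" && nf == 2) ? 0 : 1) }'
}

# Live audit of this host. Exit status 1 means cups-browsed is exposed.
audit_host() {
    ss_out=$(ss -ulnp 2>/dev/null || true)
    conf=$(cat /etc/cups/cups-browsed.conf 2>/dev/null || true)
    exposed=0
    if udp631_listener_present "$ss_out"; then
        echo "UDP 631 listener present:"
        printf '%s\n' "$ss_out" | grep ':631 ' || true
        exposed=1
    fi
    if command -v systemctl >/dev/null 2>&1 \
       && systemctl is-enabled cups-browsed >/dev/null 2>&1; then
        echo "cups-browsed service is enabled"
        exposed=1
    fi
    if browse_remote_disabled "$conf"; then
        echo "cups-browsed.conf sets BrowseRemoteProtocols none"
    else
        echo "cups-browsed.conf does not disable remote browsing"
    fi
    return $exposed
}

# Apply the mitigation from the list above. Run as root.
# Set BLOCK_MDNS=1 to also drop mDNS (UDP 5353) as the list suggests considering.
mitigate_host() {
    systemctl disable --now cups-browsed 2>/dev/null || true
    systemctl mask cups-browsed 2>/dev/null || true
    iptables -I INPUT -p udp --dport 631 -j DROP
    if [ "${BLOCK_MDNS:-0}" = 1 ]; then
        iptables -I INPUT -p udp --dport 5353 -j DROP
    fi
}

# Constructed sample data for offline demonstration (not captured from a real host).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
UNCONN 0      0            0.0.0.0:631        0.0.0.0:*    users:(("cups-browsed",pid=1234,fd=7))
UNCONN 0      0      127.0.0.53%lo:53        0.0.0.0:*    users:(("systemd-resolve",pid=600,fd=13))'
SAMPLE_CONF='# BrowseRemoteProtocols dnssd cups
BrowseRemoteProtocols none'

case "${1:-}" in
    demo)
        udp631_listener_present "$SAMPLE_SS" && echo "sample: UDP 631 listener found"
        browse_remote_disabled "$SAMPLE_CONF" && echo "sample: remote browsing disabled"
        ;;
    audit)    audit_host ;;
    mitigate) mitigate_host ;;
esac
```

Run `sh cups-check.sh demo` to exercise the parsers on the constructed sample, `sudo sh cups-check.sh audit` to inspect a real host, and `sudo sh cups-check.sh mitigate` to apply the service and firewall changes. On Ubuntu you may prefer `ufw deny 631/udp` to the raw iptables rule, and on an nftables host the equivalent `nft` rule in your input chain; both are swaps for the same step.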

If you don’t have CUPS and/or cups-browsed on your system, you’re good. If you were already firewalling off CUPS, you’re most likely good.

How would a vulnerable system be hijacked? “A remote unauthenticated attacker can silently replace existing printers’ (or install new ones) IPP URLs with a malicious one, resulting in arbitrary command execution (on the computer) when a print job is started (from that computer),” says Margaritelli.

Take all that info and decide for yourself how at-risk you are, and what steps to take. Margaritelli reckons there are hundreds of thousands of at-risk devices on the public internet.

He previously complained in a social media thread that his bug reports weren’t being taken seriously enough, and decided to go fully public after feeling that he was hitting resistance from fellow developers.

He said the issues he found merited a CVSS severity score of 9.9 out of 10, and that Ubuntu-maker Canonical and IBM’s Red Hat had agreed with him on that point. We’re awaiting confirmation from both orgs.

“A vulnerability with a 9.9 CVSS indicates a low complexity to exploit and signs are pointing to the flaw existing at the core of the system,” Sonatype CTO Brian Fox told The Register prior to today’s disclosure.

“Considering this is Linux, the scope of this vulnerability is massive and successful exploitation could be devastating — everything from your Wi-Fi router to the grid keeping the lights on runs on Linux.”

This is now a breaking news story. It was last revised at 2050 UTC following disclosure of the bugs. We will continue to update it as needed. Check back soon.
