On 2024-09-26, CrudeSausage <crude@sausa.ge> wrote:
On 2024-09-26 12:03 a.m., RonB wrote:
On 2024-09-26, CrudeSausage <crude@sausa.ge> wrote:
Worse than Heartbleed, Meltdown or Spectre. According to a GitHub
developer:
"From a generic security point of view, a whole Linux system as it is
nowadays is just an endless and hopeless mess of security holes waiting
to be exploited." (kind of like Chris Ahlstrom's body)
<https://cybersecuritynews.com/critical-unauthenticated-rce-flaw/>
Yet another "catastrophic" Linux security threat that will be fixed within
days.
They're working on it and so far coming up with no way of fixing it. I
wouldn't be surprised if there is no solution by October 6th. If that is
the case, you just know that bad actors will be attacking Linux
relentlessly from October 7th on. This looks like the real deal. 9.9/10
is pretty serious when you consider that the aforementioned issues were
rated between 5 and 7 out of 10.
You realize that Cyber Security News makes their case for existence by
hyperventilating about potential "catastrophic" security threats, right?
Perhaps, but the developers on GitHub have been freaking out as well to
a point that Lunduke felt it necessary to bring this problem to light.
Those developers are usually arrogant about their ability to fix such
issues, not this time.
Interestingly enough, since this works through the CUPS system on Unix-based
machines, this also affects macOS. Odd that Cyber Security News didn't mention
that little factlet.
Summary
The first of a series of blog posts has been published detailing a
vulnerability in the Common Unix Printing System (CUPS), which
purportedly allows attackers to gain remote access to UNIX-based systems.
The vulnerability, which affects various UNIX-based operating systems,
can be exploited by sending a specially crafted HTTP request to the CUPS
service.
Threat Topography
Threat Type: Remote code execution vulnerability in CUPS service
Industries Impacted: UNIX-based systems across various industries,
including but not limited to, finance, healthcare, and government
Geolocation: Global, with potential impact on UNIX-based systems
worldwide
Environment Impact: High severity, allowing attackers to gain remote
access and execute arbitrary code on vulnerable systems
Overview
X-Force Incident Command is monitoring what claims to be the first in a
series of blog posts from security researcher, Simone Margaritelli,
detailing a vulnerability in the Common Unix Printing System (CUPS),
which purportedly can be exploited by sending a specially crafted HTTP
request to the CUPS service. The vulnerability affects various UNIX-based
operating systems, including but not limited to, Linux and macOS. The
vulnerability can be exploited to gain remote access to affected systems,
allowing attackers to execute arbitrary code and potentially gain
elevated privileges. X-Force is investigating the disclosure and
monitoring for exploitation. We will continue to monitor this situation
and provide updates as available.
Key Findings
The vulnerability affects various UNIX-based operating systems,
including but not limited to, Linux and macOS
All versions of Red Hat Enterprise Linux (RHEL) are affected, but are
not vulnerable in their default configurations.
The vulnerability can be exploited by sending a specially crafted HTTP
request to the CUPS service
The vulnerability allows attackers to gain remote access to affected
systems and execute arbitrary code
The vulnerability has been identified as high severity, with potential
for significant impact on affected organizations
Mitigations/Recommendations
Disable the CUPS service or restrict access to the CUPS web interface
In case your system can’t be updated and you rely on this service,
block all traffic to UDP port 631 and possibly all DNS-SD traffic
(does not apply to zeroconf)
Implement additional security measures, such as network segmentation
and access controls, to limit the spread of the vulnerability
Conduct thorough vulnerability assessments and penetration testing to
identify and remediate any other potential vulnerabilities
Implement robust incident response and disaster recovery plans to
mitigate the impact of a potential breach
https://securityintelligence.com/news/fysa-critical-rce-flaw-in-gnu-linux-systems/
And this...
That doomsday critical Linux bug: It's CUPS. May lead to remote hijacking
of devices
No patches yet, can be mitigated, requires user interaction
Thu 26 Sep 2024 // 17:34 UTC
Final update: After days of anticipation, what was billed as one or more
critical unauthenticated remote-code execution vulnerabilities in all
Linux systems was today finally revealed.
In short, if you're running the Unix printing system CUPS, with
cups-browsed present and enabled, you may be vulnerable to attacks that
could lead to your computer being commandeered over the network or
internet. The attacks require the victim to start a print job. Do not be
afraid.
The bugs were found and privately reported by software developer Simone
Margaritelli who has now openly disclosed the security weaknesses in
detail here. This write-up is said to be part one of two or maybe three,
so expect more info at some point.
He went public today at 2000 UTC after seemingly becoming frustrated with
the handling of his vulnerability reports by CUPS developers. No patches
are available yet. Public disclosure was previously expected to be no
later than September 30.
What you need to know for now, according to Margaritelli, is:
Disable and/or remove the cups-browsed service.
Update your CUPS installation to bring in security updates if or when
available.
Block access to UDP port 631 and consider blocking off DNS-SD, too.
It affects "most" Linux distros, "some" BSDs, possibly Google ChromeOS,
Oracle's Solaris, and potentially others, as CUPS is bundled with
various distributions to provide printing functionality.
To exploit this across the internet or LAN, a miscreant needs to reach
your CUPS service on UDP port 631. Hopefully none of you have that
facing the public internet. The miscreant also has to wait for you to
start a print job.
If port 631 isn't directly reachable, an attacker may be able to spoof
zeroconf, mDNS, or DNS-SD advertisements to achieve exploitation.
Details of that path will be disclosed later, we're promised.
If you don't have cups-browsed on your system, you're good. If you don't
need CUPS, consider removing it all from your computer just to be safe. If
you never print anything, you're probably also good.
How would a vulnerable system be hijacked? "A remote unauthenticated
attacker can silently replace existing printers’ (or install new ones) IPP
URLs with a malicious one, resulting in arbitrary command execution (on
the computer) when a print job is started (from that computer)," says
Margaritelli.
https://www.theregister.com/2024/09/26/cups_linux_rce_disclosed/
Not only Macs, but possibly Chromebooks.
I disabled cups-browsed. Guess I'm good. Doomsday averted.
-- 
“Evil is not able to create anything new, it can only distort and destroy what has been invented or made by the forces of good.” —J.R.R. Tolkien
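The mitigations quoted above from X-Force and The Register come down to three things: turn off cups-browsed, stop it listening on UDP 631, and keep it from picking up DNS-SD/mDNS printer advertisements. The script below is an added example, not code from this thread, from the articles, or from the CUPS or cups-browsed projects. It checks a cups-browsed.conf for the remote-browsing setting, rewrites it, and lists the host-level steps. Its assumptions (mine, not stated in the thread): BrowseRemoteProtocols is the cups-browsed.conf directive that selects the discovery protocols (dnssd, cups), "none" turns remote browsing off, and when the directive is absent the shipped default applies, which enables both. The sample configs are constructed.

```shell
#!/bin/sh
# Added example (not from the thread, CUPS, or cups-browsed): decide whether a
# cups-browsed.conf still lets the daemon accept remote printer advertisements,
# rewrite it, and list the live mitigations the quoted articles recommend.
# Assumptions (mine): BrowseRemoteProtocols picks the discovery protocols
# (dnssd, cups); "none" disables remote browsing; an absent directive means the
# shipped default, which enables both. Sample configs below are constructed.

# Print "exposed" if the config leaves remote browsing on, "off" if
# BrowseRemoteProtocols is explicitly none. Comment lines are ignored and
# the last uncommented directive wins (assumption about duplicates).
cups_browsed_risk() {
    conf="$1"
    protos=$(printf '%s\n' "$conf" \
        | sed -n 's/^[[:space:]]*BrowseRemoteProtocols[[:space:]]\{1,\}//p' \
        | tail -n 1 | tr 'A-Z' 'a-z' | sed 's/[[:space:]]*$//')
    case "$protos" in
        none) echo "off" ;;
        "")   echo "exposed" ;;   # directive absent: default is "dnssd cups"
        *)    echo "exposed" ;;   # dnssd, cups, or both
    esac
}

# Emit a copy of the config with remote browsing switched off: rewrite the
# directive if present, append it otherwise.
harden_cups_browsed_conf() {
    conf="$1"
    if printf '%s\n' "$conf" | grep -q '^[[:space:]]*BrowseRemoteProtocols[[:space:]]'; then
        printf '%s\n' "$conf" \
            | sed 's/^[[:space:]]*BrowseRemoteProtocols[[:space:]].*/BrowseRemoteProtocols none/'
    else
        printf '%s\nBrowseRemoteProtocols none\n' "$conf"
    fi
}

# Host-level steps from the quoted mitigations; only run with --apply, as root.
mitigate_live() {
    # Stop cups-browsed, keep it from starting at boot, and mask the unit so
    # nothing pulls it back in.
    systemctl disable --now cups-browsed.service
    systemctl mask cups-browsed.service
    # Drop inbound UDP 631 (the cups-browsed listener) at the host firewall.
    iptables -I INPUT -p udp --dport 631 -j DROP
    # Show whether anything is still bound to UDP 631.
    ss -uln 'sport = :631'
}

# Constructed sample: the shipped default written out explicitly.
WEAK_CONF='# cups-browsed.conf (constructed sample)
BrowseRemoteProtocols dnssd cups
BrowseLocalProtocols none'

# Constructed sample after applying the mitigation.
HARDENED_CONF='# cups-browsed.conf (constructed sample)
BrowseRemoteProtocols none'

echo "default config:   $(cups_browsed_risk "$WEAK_CONF")"
echo "hardened config:  $(cups_browsed_risk "$HARDENED_CONF")"
echo "rewritten config: $(cups_browsed_risk "$(harden_cups_browsed_conf "$WEAK_CONF")")"
if [ "${1:-}" = "--apply" ]; then
    mitigate_live
fi
```

The firewall rule only covers the UDP 631 path; The Register notes that a spoofed zeroconf/mDNS/DNS-SD advertisement is a second route, which is why setting BrowseRemoteProtocols to none (or removing cups-browsed entirely) is the step that actually closes the hole rather than just the port.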