Re: 9.9/10 security vulnerability affecting Linux (and others) set to be revealed on October 6th

Subject : Re: 9.9/10 security vulnerability affecting Linux (and others) set to be revealed on October 6th
From : recscuba_google (at) *nospam* huntzinger.com (-hh)
Groups : comp.os.linux.advocacy
Date : 27. Sep 2024, 18:05:59
Organization : A noiseless patient Spider
Message-ID : <vd6oln$nlc8$3@dont-email.me>
User-Agent : Mozilla Thunderbird
On 9/27/24 8:40 AM, CrudeSausage wrote:
On 2024-09-27 12:17 a.m., RonB wrote:
On 2024-09-26, CrudeSausage <crude@sausa.ge> wrote:
On 2024-09-26 12:03 a.m., RonB wrote:
On 2024-09-26, CrudeSausage <crude@sausa.ge> wrote:
Worse than Heartbleed, Meltdown or Spectre. According to a GitHub
developer:
>
"From a generic security point of view, a whole Linux system as it is
nowadays is just an endless and hopeless mess of security holes waiting
to be exploited." (kind of like Chris Ahlstrom's body)
>
<https://cybersecuritynews.com/critical-unauthenticated-rce-flaw/>
>
Yet another "catastrophic" Linux security threat that will be fixed within
days.
>
They're working on it and so far coming up with no way of fixing it. I
wouldn't be surprised if there is no solution by October 6th. If that is
the case, you just know that bad actors will be attacking Linux
relentlessly from October 7th on. This looks like the real deal. 9.9/10
is pretty serious when you consider that the aforementioned issues were
rated between 5 and 7 on 10.
>
You realize that Cyber Security News makes their case for existence by
hyperventilating about potential "catastrophic" security threats, right?
>
Perhaps, but the developers on GitHub have been freaking out as well to
a point that Lunduke felt it necessary to bring this problem to light.
Those developers are usually arrogant about their ability to fix such
issues, not this time.
>
Interestingly enough, since this works through the CUPS system on Unix-based
machines, this also affects MacOS. Odd Cyber Security News didn't mention
that little factlet.
>
    Summary
>
    The first of a series of blog posts has been published detailing a
    vulnerability in the Common Unix Printing System (CUPS), which
    purportedly allows attackers to gain remote access to UNIX-based systems.
    The vulnerability, which affects various UNIX-based operating systems,
    can be exploited by sending a specially crafted HTTP request to the CUPS
    service.
    Threat Topography
>
       Threat Type: Remote code execution vulnerability in CUPS service
       Industries Impacted: UNIX-based systems across various industries,
       including but not limited to, finance, healthcare, and government
       Geolocation: Global, with potential impact on UNIX-based systems
       worldwide
       Environment Impact: High severity, allowing attackers to gain remote
       access and execute arbitrary code on vulnerable systems
>
    Overview
>
    X-Force Incident Command is monitoring what claims to be the first in a
    series of blog posts from security researcher, Simone Margaritelli,
    detailing a vulnerability in the Common Unix Printing System (CUPS),
    which purportedly can be exploited by sending a specially crafted HTTP
    request to the CUPS service. The vulnerability affects various UNIX-based
    operating systems, including but not limited to, Linux and macOS. The
    vulnerability can be exploited to gain remote access to affected systems,
    allowing attackers to execute arbitrary code and potentially gain
    elevated privileges. X-Force is investigating the disclosure and
    monitoring for exploitation. We will continue to monitor this situation
    and provide updates as available.
>
    Key Findings
>
       The vulnerability affects various UNIX-based operating systems,
       including but not limited to, Linux and macOS
       All versions of Red Hat Enterprise Linux (RHEL) are affected, but are
       not vulnerable in their default configurations.
       The vulnerability can be exploited by sending a specially crafted HTTP
       request to the CUPS service
       The vulnerability allows attackers to gain remote access to affected
       systems and execute arbitrary code
       The vulnerability has been identified as high severity, with potential
       for significant impact on affected organizations
>
    Mitigations/Recommendations
>
       Disable the CUPS service or restrict access to the CUPS web interface
       In case your system can’t be updated and you rely on this service,
       block all traffic to UDP port 631 and possibly all DNS-SD traffic
       (does not apply to zeroconf)
       Implement additional security measures, such as network segmentation
       and access controls, to limit the spread of the vulnerability
       Conduct thorough vulnerability assessments and penetration testing to
       identify and remediate any other potential vulnerabilities
       Implement robust incident response and disaster recovery plans to
       mitigate the impact of a potential breach
>
https://securityintelligence.com/news/fysa-critical-rce-flaw-in-gnu-linux-systems/
>
And this...
>
    That doomsday critical Linux bug: It's CUPS. May lead to remote hijacking
    of devices
>
    No patches yet, can be mitigated, requires user interaction
    Thu 26 Sep 2024 // 17:34 UTC
    Final update After days of anticipation, what was billed as one or more
    critical unauthenticated remote-code execution vulnerabilities in all
    Linux systems was today finally revealed.
>
    In short, if you're running the Unix printing system CUPS, with
    cups-browsed present and enabled, you may be vulnerable to attacks that
    could lead to your computer being commandeered over the network or
    internet. The attacks require the victim to start a print job. Do not be
    afraid.
>
    The bugs were found and privately reported by software developer Simone
    Margaritelli who has now openly disclosed the security weaknesses in
    detail here. This write-up is said to be part one of two or maybe three,
    so expect more info at some point.
>
    He went public today at 2000 UTC after seemingly becoming frustrated with
    the handling of his vulnerability reports by CUPS developers. No patches
    are available yet. Public disclosure was previously expected to be no
    later than September 30.
>
    What you need to know for now, according to Margaritelli, is:
      Disable and/or remove the cups-browsed service.
>
      Update your CUPS installation to bring in security updates if or when
      available.
>
      Block access to UDP port 631 and consider blocking off DNS-SD, too.
>
      It affects "most" Linux distros, "some" BSDs, possibly Google ChromeOS,
      Oracle's Solaris, and potentially others, as CUPS is bundled with
      various distributions to provide printing functionality.
>
      To exploit this across the internet or LAN, a miscreant needs to reach
      your CUPS service on UDP port 631. Hopefully none of you have that
      facing the public internet. The miscreant also has to wait for you to
      start a print job.
>
      If port 631 isn't directly reachable, an attacker may be able to spoof
      zeroconf, mDNS, or DNS-SD advertisements to achieve exploitation.
      Details of that path will be disclosed later, we're promised.
>
   If you don't have cups-browsed on your system, you're good. If you don't
   need CUPS, consider removing it all from your computer just to be safe. If
   you never print anything, you're probably also good.
>
   How would a vulnerable system be hijacked? "A remote unauthenticated
   attacker can silently replace existing printers’ (or install new ones) IPP
   URLs with a malicious one, resulting in arbitrary command execution (on
   the computer) when a print job is started (from that computer)," says
   Margaritelli.
>
https://www.theregister.com/2024/09/26/cups_linux_rce_disclosed/
>
Not only Macs, but possibly Chromebooks.
>
I disabled cups-browsed. Guess I'm good. Doomsday averted.
 MacOS was mentioned by Lunduke, but he also pointed out that he wasn't sure if it affected them. He did mention that ChromeOS was affected.
My understanding is that CUPS is still supported in MacOS, but they started to deprecate its use over a year ago, replacing it with AirPrint(?), with the apparent intent to get rid of CUPS entirely.
As such, Apple could probably send out a security patch pretty quickly that puts CUPS support onto an enable/disable switch, and move the default to 'disable' (or remove it entirely), and many users would probably never even notice.

As far as I can tell, fixing the problem will also require a user who needs to print to return to the Stone Age in terms of configuration.
My quick search on the subject suggests that the main MacOS customers of CUPS are home users who are using it to keep an old printer alive.

I assume that plugging the printer directly to the computer will not be considered insecure, but any kind of automated network connectivity is going to be a problem.
 Either way, this is serious and Linux users shouldn't casually dismiss this. It should also be noted that this is just one of the many such problems that are going to arise in the future.
 
Agreed.
-hh
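The mitigations quoted above boil down to three checks an admin can make on a box: is cups-browsed enabled, is anything bound on UDP 631, and does cups-browsed.conf still allow remote printer discovery. The script below is an added example written for this thread; it is not code from the thread, from Margaritelli's write-up or from the CUPS project. It assumes iproute2 `ss`, systemd `systemctl`, and the `BrowseRemoteProtocols` directive as documented in cups-browsed.conf(5) (not mentioned in the thread, included here because turning it to `none` is the config-level equivalent of "disable remote browsing"). The three helpers take text as arguments so the logic can be exercised on the constructed samples at the bottom; `audit_live_host` feeds them real command output.

```shell
#!/bin/sh
# Exposure check for the cups-browsed weakness discussed in the thread.
# Added example, not from the thread or the CUPS project. Assumes iproute2 `ss`,
# systemd `systemctl`, and the BrowseRemoteProtocols directive from
# cups-browsed.conf(5). Helpers take text so they can be tested on the
# constructed samples below; audit_live_host() feeds them live command output.

# Exit 0 when `ss -lun`-style output shows a UDP socket bound to port 631
# (the port cups-browsed listens on for printer announcements), else exit 1.
udp631_listening() {
    printf '%s\n' "$1" | awk '
        $4 ~ /:631$/ { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Exit 0 when the output of `systemctl is-enabled cups-browsed` means the
# unit starts at boot, else exit 1 (disabled, masked, not-found, ...).
browsed_unit_enabled() {
    case "$1" in
        enabled|enabled-runtime|static) return 0 ;;
        *) return 1 ;;
    esac
}

# Exit 0 when cups-browsed.conf still permits remote printer discovery.
# With the directive absent or commented out, the documented default is
# "dnssd cups" (discovery on); only the value "none" turns it off.
browse_remote_on() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*BrowseRemoteProtocols[[:space:]]/ { seen = 1; val = tolower($2) }
        END { if (!seen) exit 0; exit (val == "none" ? 1 : 0) }'
}

# Combine the three signals into a verdict printed on stdout.
# $1 = ss output, $2 = unit state, $3 = cups-browsed.conf contents.
cups_exposure() {
    listening=no; enabled=no; remote=no
    udp631_listening "$1" && listening=yes
    browsed_unit_enabled "$2" && enabled=yes
    browse_remote_on "$3" && remote=yes
    if [ "$enabled" = no ] && [ "$listening" = no ]; then
        echo mitigated            # daemon off and nothing bound on UDP 631
    elif [ "$enabled" = yes ] && [ "$listening" = yes ] && [ "$remote" = yes ]; then
        echo exposed              # daemon enabled, reachable, accepting remote printers
    else
        echo partially-mitigated  # e.g. socket still bound, or BrowseRemoteProtocols none
    fi
}

# Gather the real inputs from this host. A missing command degrades to "no signal".
audit_live_host() {
    ss_out=$(ss -lun 2>/dev/null || true)
    unit_state=$(systemctl is-enabled cups-browsed 2>/dev/null || true)
    conf=$(cat /etc/cups/cups-browsed.conf 2>/dev/null || true)
    cups_exposure "$ss_out" "${unit_state:-not-found}" "$conf"
}

# Constructed samples (not captured from a real host) for a dry run.
SAMPLE_SS_LISTENING='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
UNCONN 0      0      0.0.0.0:631         0.0.0.0:*
UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*'
SAMPLE_SS_QUIET='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*'
SAMPLE_CONF_DEFAULT='# BrowseRemoteProtocols dnssd cups'
SAMPLE_CONF_HARDENED='BrowseRemoteProtocols none'

# Dry run on the samples:
#   cups_exposure "$SAMPLE_SS_LISTENING" enabled  "$SAMPLE_CONF_DEFAULT"  -> exposed
#   cups_exposure "$SAMPLE_SS_QUIET"     disabled "$SAMPLE_CONF_DEFAULT"  -> mitigated
#   cups_exposure "$SAMPLE_SS_LISTENING" enabled  "$SAMPLE_CONF_HARDENED" -> partially-mitigated
# Then the real thing:
audit_live_host
```

A verdict of "partially-mitigated" is the one worth reading carefully: it covers both a daemon that is disabled but still has a socket bound until the next reboot, and a daemon that is running with `BrowseRemoteProtocols none`, which stops it from accepting attacker-announced printers but still leaves UDP 631 open to whatever else arrives there. The thread's advice (remove cups-browsed, block UDP 631) is what moves a host to "mitigated".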
