OpenPrinting News Flash - cups-browsed Remote Code Execution vulnerability

pnutzh4x0r@lemmy.ndlug.org to Linux@lemmy.ml – 57 points –
openprinting.github.io

Exploit of a combination of several bugs - Overhyped but not that severe - Fixes already available

...

Canonical’s security team has acted immediately to quickly apply the patches which Michael Sweet (author and maintainer of CUPS) had already prepared for CUPS, cups-browsed, libcups-filters, libppd, and cups-filters (in the time from the first report until then I was some days off and I was also on the Open Source Summit Europe, thanks, Michael Sweet, for stepping in, also thanks to Zdenek Dohnal from Red Hat) to the appropriate in all supported Ubuntu versions, so that at the time of disclosure most fixes were already in place. They also reported in an Ubuntu blog. They tell users what to do, from turning off cups-browsed or at least its legacy CUPS browsing support to updating their systems as the fixes were already available. Thanks a lot to Seth Arnold, Marc Deslauriers, Diogo Sousa, Mark Esler, Luci Stanescu, and more.

...

The X post really overhyped the vulnerability. Attacks from the internet are not very probable due to the fact that servers on the internet do not have cups-browsed and CUPS installed and CUPS/cups-browsed setups are there usually only in NAT-protected local networks with desktop machines and print servers. And the remote code execution is also rather restricted, as CUPS filters are not running as root, but as the system user “lp” which cannot even read user’s home directories. In addition, the remote code execution only happens when a user actually prints a job on the fake printer. Actually assigned scores ended up between 8.4 and 9.1.

14

You are viewing a single comment

ipv6 doesn't give the NAT. A malicious website can mount the attack.

How?

Say I host a malicious server with ipv6 only. You visit the site without NAT. I get your ip and ip:631 is open (unless firewall and listen is restricted to prefix). Usual attack afterwards.

Edit: You need to have ipv6, for example many mobile networks.

I have full IPv6, none of my ports that I haven't explicitly whitelisted in the firewall can be accessed from the Internet. I can open a host completely, but it's not default. This is on the most common brand of consumer routers here.

Just because it's not NATted doesn't mean there's no firewall in place.

Yeah ofcourse firewall is the good idea here. I personally have firewall on on every device so that I can manage what can connect and from where.

The point is though often people just disable firewalls (some distros do not install/enable by default too) to workarround certain issues quickly like kdeconnect not connecting, bridge not working and such. That's how I think the whole 'ipv4 NAT is the best (consumer) firewall' concept came popular.