There were clues I didn’t share on the last post. For example, evilsocket said on Twitter that it’s something old that shouldn’t be enabled by default, and Apple was involved as a vendor in addition to Canonical and RedHat. That sorta, uh, narrows it down, and it was very silly of evilsocket to share so many details before the disclosure date. evilsocket also shared that you could protect yourself with a narrow firewall rule, which meant it couldn’t be something like an issue in the Linux WiFi stack, it had to be some network daemon that’s enabled by default.
On a friend’s IRC someone figured it out on the 24th, without even knowing it’s related to Apple, then we found the sus commits two days ago.
00:12 <X> Y: I'm betting on avahi/cups
00:13 <Y> X hmmmmmmmmmm
00:13 <Y> mby
00:14 <X> it impacts bsd/darwin
00:14 <X> so maybe some bonjour code inherited by avahi
00:15 <Y> 🧐
00:15 <Y> yeah not much code is shared between all unixlikes
By the way, CERT’s VINCE either has a backdoor, or an inside leak, or has zero vetting on who they add to a disclosure, because there’s been a leak of the exact markdown report that I only shared there, including the exploit.
What a fucking circus.
Using my mystical powers of prediction, I reckon this will be a total nothingburger, simply because of the unserious behavior of the person originating it (Simone Margaritelli).
Also, much less serious prediction, but I’ll guess that the problem is somewhere in CUPS. Especially some old decrepit part of CUPS that no one uses anymore.
you were spot on, btw. it was CUPS: https://lobste.rs/s/nqjmcy/attacking_unix_systems_via_cups_part_i
This act of hyping vulnerabilities before public disclosure gives me the movie trailer vibe. We really can’t help but putting ads and monetize everything nowadays, can we? The next step will be to pair it with a videogame-like pre-order model.
The hindsight seems to be that the vendor was uncoöperative and needed some “social massaging” (bullying campaign for greater good) to get the fixes in.
I mean, regardless of the reporter, “the CVE turned out to be significantly less severe than its severity rating claimed” would be true, what, like 95% of the time anyway?
Thinking back to when in the late 1990s I was a sysadmin catching the tail end of the sigmoid growth curve of the internet and learning from folks 2 or 5 years older who had been in the thick of the early exponential growth phase…
There was a lot of hard-earned wisdom from the early 1990s in the wake of the Morris worm, and the first steps by unix services beyond the campus into a much bigger and badder internet. Audit your daemons and sockets! Turn off everything that isn’t absolutely needed!
Firewalls in those environments were not a thing: every system was running up against the absolute limits of the hardware all the time. Wasting performance on packet filters was a no-no: choose a network stack that had the bugs shaken out, turn off the optional features, and plug that ethernet cable directly into the backbone. Rawdogging the internet, you might say.
A bit later in my career there was some disdain for firewall-oriented security amongst the grizzled 30ish year old veterans of the 1990s. Hard and crunchy on the outside, soft and chewy on the inside, we would say disdainfully to each other. (With sad acknowledgment that the poor benighted Windows admins had little choice but to work this way.) We were hard and crunchy all the way to our workstations: public IP addresses, no filters, enjoying the brisk pitter-patter of syslogd writing a login failure message to our spinning rust every time some script kiddie tried to guess our root password. SQL Slammer had no effect on us.
The design of CUPS reminds me of those antediluvian unix systems that still required active sysadmin effort to turn that shit off, or the poor offic-LAN PC systems that were toast the instant they were plugged into the network. Soft and chewy. Yum yum, fresh loam for worms to spread.
I’m sorry but I feel like this isn’t a particularly good article. This ad-riddled “cybersecurity news” website sure sees benefits in knitting a few paragraphs of uncertainty around these bugs, but readers get nothing else than “there will be patches for something, sometime soon”. Simone’s X account is now protected so I can’t share direct links to his message through Nitter, but he also admitted over-hyping the issues.
The original thread is available at threadreader: https://threadreaderapp.com/thread/1838169889330135132.html But it also doesn’t contain much information. I know it’s frustrating but this hyping of issues isn’t helping anyone.
Yeah, I agree. The only reason I posted it was because the security division of the Norwegian telecom company Telenor warned against it, and every other source was in Norwegian.
This is why I’m not eating dinner with my family right now.
Dear internets, what am I missing about this issue? Almost every post I’ve read about it in the last day or so goes along the lines of eh, it’s not a huge issue, I mean, it only affects desktop installs, mostly, and you’ve got to try to print something on a fake printer in order to make it happen.
I get this isn’t Heartbleed but I also don’t see how this is not a huge issue. The way I printed stuff in any corporate network I’ve been banished to for my sins was to do the ritual CUPS setup and then try to print on every printer entry (including up to 3 duplicates of each printer for whatever reason – different drivers, different endpoints etc.) until one of the office printers started spitting paper.
I have fortunately been spared the pains of corporate offices for nearly six years now but I bet that if I were in one right now, especially in a printing-heavy period (hiring/internship seasons, tax reports, yearly evaluation etc.) half the office would’ve tried to print on my fake printer within a week or so.
Oh and they would have not batted an eye when nothing happened because that’s just regular CUPS behaviour, everyone knows that if nothing happens you probably just got the wrong printer again, there are like ten entries there anyway. You just try the next one until you hear the printer go whirrr (and reboot to your Windows partition or VNC/Teamview into a Windows machine if none of them work, that also happens).
Other than the obvious mitigating factor (CUPS is so awful that very few *nix users actually print anything from their *nix machines, especially to the seventh circle of CUPS hell, a network printer) what am I missing that other people are getting so they’re not freaking out?
The “pre-announcement” made it sound like an unauthenticated remote zero-click vulnerability. For what’s been disclosed so far, at least, it’s less severe than that.
Given the attacker control of the printer name, it’d seem easy-ish to get someone to send a print job. Either by naming it the same as the regular office printer they use, or by calling it “Print to PDF”. Or by calling them, claiming to be from the help desk, saying that you’re trying to troubleshoot a printer on their floor for a manager who’s unavailable right now and asking if they could send a test page to this printer.
The fact that printing from a *nix desktop is so uncommon probably plays a role, but I think the main thing is that it’s just not quite as severe as originally advertised.
Ah, okay, that makes sense. Thank you.
That would’ve been about the only zero-click thing about CUPS ever, I swear!
Hey, a comment that is not ‘I have a firewall’ levels of arrogance – the modern equivalent of SCADA operators saying they’re air-gapped.
What was the Nemesis (1992) Quote? “Alright Alex, now this is gonna.. - Sting a little? I know. -No actually, it’s gonna hurt like a motherfucker.”
There is a lot here if you read between the lines and do basic background checking. Yes, it was ‘a secret to nobody’ in the Intelligence Communities and upwards; those that have toyed with these devices forever and have internal procedures treating printers as Pu-239 and thus only occasionally mess up. Too bad that’s not the case for hospitals, tax offices, unfortunate 500 secretaries, regular law enforcement, hotels and conferences, well-meaning charities etc.
The less imaginative filth of the earth that is not above scamming, extortion and so on (read Greg Conti’s On Cyber: Towards an Operational Art for Cyber Conflict (2017) for the role these actors play) now have their collective sights set on this; a path that is infinitely more reliably targeted and exploited than coercing some budding CTF player into exploiting a short-lived browser use-after-free, hoping to align the stars and get zero-click past mitigation in a small percentage of attempts. Heck, stage two here is even deferred, which is fun to think about.
Black Hats in general, both ‘researchers’ and ‘free-pentest’ kinds are opportunistic pack animals that pounce when they smell blood. This reeks of it.
That’s another thing I don’t get. I mean, okay, I get the “hyping” problem in this case (I don’t follow evilsocket’s blog but I hear people have some issues with his communication style and general attitude), someone used bigger words than they should have, the security community expected an easy zero-click vuln and got a couple-of-clicks vuln instead. I understand the disappointment, in nerd terms.
But in general, I think not qualifying the “local” in “local interaction required” is an awful trap.
Around lunch, my local Starbucks is full of sharp-dressed folks poking at slow, popup- and notification-dominated interfaces running on Surface tablets. Surprisingly many of them are using the new Outlook thing, which injects ads that look like emails in their inboxes. Getting these people to click on something they didn’t mean to click on is extremely easy, and they’re not even scared when it happens, they do it all the time. And it’s not because they’re stupid, it’s because the “high-value” part of the modern software industry is entirely built around competing for people’s eyeballs and encouraging them to click on your things and ignore other things.
There’s a world of difference between clicking “Reply” on an email from Mr. Nelson Mandela’s third wife asking for help to access her 30 million inheritance and clicking “Print” in an app’s printing dialog. The latter doesn’t even register on a technical user’s spoofing radar, especially with virtually all network printers in this world now bearing names like HP_Laser_Jet_MFP_M277dw, like, who’s going to notice that it’s HP_LaserJet_MFP_M277dw this week?
Okay, obviously a vulnerability that requires people to click on things to be triggered is not on the same level as one that doesn’t. But one that requires people to click on things in a legit dialog, as in, in a system dialog, or an application dialog/menu/whatever might as well be a zero-click vulnerability, you’re just trying to trigger it over a network with really bad packet loss.
Same with the perspective on RCE - in the light of techniques as old as CSRF, with URLs acting as RPC calls, queuing an attacker controlled URL activation is a very potent building block. I have little doubt that a. there is a way to redirect an existing printer and not just create new entries, mDNS is involved. b. there are pivots from the discovery resolver to the ‘only listen on 127.0.0.1’ parts, c. there being programmable triggers e.g. ‘print test page’ though it might be more contrived (‘return to print-test-page’).
[Comment removed by author]
Good thing my computer isn’t attached directly to the Internet.
Btw congrats on calling this as a vuln in ancient cups
I mean - I use my laptop on untrusted networks pretty often. This is bad.
Not “all GNU/Linux systems” bad as advertised previously (who would have thought), but still, pretty fucking bad.
As of right now, you also need to actually try to print something with the fake printer it tells your system exists. In the future, someone might find something worse among all the shitty code in CUPS, but right now you are exceedingly unlikely to be affected.
If you can enumerate the existing printers and replace one of them, or just make one with a very close name that sorts earlier, then this is more problematic than it seems at first sight.
glad I haven’t owned a printer or printed anything since 2010!
What about IPv6?
Your router still has a firewall, doesn’t it? If your router allows all incoming traffic via IPv6, that would be very silly.
Good ole CUPS, delivering vulnerabilities since at least the late 90s.
This seems to be the followup to https://lobste.rs/s/nkucj4/severe_unauthenticated_rce_flaw_cvss_9_9.
Update: https://lobste.rs/s/nqjmcy/attacking_unix_systems_via_cups_part_i
I’m curious about part II…
Another SSH vulnerability? Someone figure out how to RCE via eBPF?
It’s a bit unfortunate that cups-browsed is still pulled on default desktop installations. It is not needed for most situations. GTK and Qt are able to use remote printers without it.
this is blog spam
I don’t agree, it contains factual, actionable information on how to check your system for the affected systemd services and listening ports.
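As an added example (not code from the thread, from evilsocket’s writeup, or from the CUPS project), here is the kind of host check the two comments above are talking about: whether cups-browsed is enabled as a systemd unit, and whether its UDP/631 listener is bound on a non-loopback address, which is what lets a remote host advertise a printer to it. It assumes the unit is named cups-browsed (as on Debian/Ubuntu-style systems), that `ss` from iproute2 is installed, and that the remediation commands (systemctl, ufw) apply to your distribution; the sample `ss` output is constructed.

```shell
#!/bin/sh
# Added example, not the thread's or the CUPS project's code: audit whether
# cups-browsed is enabled and whether its UDP/631 listener is reachable from
# the network. Assumes systemd unit name "cups-browsed" and iproute2 "ss".

# udp631_exposed SS_OUTPUT
# Returns 0 when SS_OUTPUT (the text printed by `ss -Huln`) shows UDP port 631
# bound to anything other than loopback, 1 otherwise. Taking the text as an
# argument keeps the parser testable without running ss on a live host.
udp631_exposed() {
    printf '%s\n' "$1" | awk '
        # Column 4 of ss output is Local Address:Port, e.g. 0.0.0.0:631,
        # [::]:631, *:631 or 127.0.0.1:631. Split on the last ":".
        {
            n = split($4, part, ":")
            port = part[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (port == "631" && addr != "127.0.0.1" && addr != "[::1]")
                found = 1
        }
        END { if (found) exit 0; exit 1 }
    '
}

# cups_browsed_unit_state
# Prints the systemd enable state of cups-browsed ("enabled", "disabled", ...)
# or "absent" when systemd or the unit is not present on this host.
cups_browsed_unit_state() {
    state=""
    if command -v systemctl >/dev/null 2>&1; then
        state=$(systemctl is-enabled cups-browsed 2>/dev/null) || true
    fi
    echo "${state:-absent}"
}

# audit_cups_browsed
# Live check of this host: returns 0 if UDP/631 is not exposed, 1 if it is,
# 2 if ss is unavailable. Prints the remediation a defender would apply.
audit_cups_browsed() {
    echo "cups-browsed unit: $(cups_browsed_unit_state)"
    if ! command -v ss >/dev/null 2>&1; then
        echo "ss not available; cannot inspect listening UDP sockets"
        return 2
    fi
    if udp631_exposed "$(ss -Huln 2>/dev/null)"; then
        echo "UDP/631 is bound on a non-loopback address: remote printer adverts will be accepted"
        echo "Mitigation (assumed Debian/Ubuntu-style host):"
        echo "  sudo systemctl disable --now cups-browsed"
        echo "  or block inbound UDP/631 at the host firewall, e.g. sudo ufw deny 631/udp"
        return 1
    fi
    echo "UDP/631 is not exposed on a non-loopback address"
    return 0
}

# Constructed sample of `ss -Huln` output showing the exposed configuration.
SAMPLE_EXPOSED='UNCONN 0 0 0.0.0.0:631 0.0.0.0:*
UNCONN 0 0 [::]:631 [::]:*
UNCONN 0 0 127.0.0.1:323 0.0.0.0:*'

# Demo on the constructed sample, then on this host if ss is present.
if udp631_exposed "$SAMPLE_EXPOSED"; then
    echo "sample: UDP/631 exposed (as expected for the constructed input)"
fi
audit_cups_browsed || true
```

Disabling the unit removes the listener entirely; the firewall rule only stops other hosts from reaching it, so prefer the former on desktops that do not need printer discovery (GTK and Qt can still use a printer you add by address).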
My Ubuntu server VPS was unaffected, my home desktop was affected but I never print so I feel unaffected.
From About > Ranking:
So, if you flagged the post as spam, please undo.
From that ‘about’ link:
So this is an “already posted” submission? Should this be merged with https://lobste.rs/s/nqjmcy/attacking_unix_systems_via_cups_part_i?
It should maybe be merged, but it hasn’t really already been posted. It’s new analysis and new information.
What’s the correct responsible disclosure for this? I thought there was a PGP mailing list with representatives from the major distros for this kind of thing (this one?).
Even if upstream responded well to the report, you have to coordinate a fix with all the distros right?
certainly not this one
Yeah. The vuln poster was supposed to email that exact mailing list over the weekend to get distros to prepare patches. But the vuln report leaked and rest is history.
Worse, the original submission was posted on breachforum. The implications of that should make your skin crawl.
[Comment removed by author]