Regarding the Linux RCE thing doing the rounds from Twitter: https://cyberplace.social/@GossiTheDog/113194080852739654
Kevin Beaumont (@GossiTheDog@cyberplace.social)

@[email protected] there’s no technical details at all, it’s just people panicking without knowing what they’re panicking about, which InfoSec peeps are very good at and usually ends poorly. There’s nothing actionable.


Regarding the "unspecified Linux vulnerability" that the author has been "hyping the shit out of" (their words) all week -

It's accidentally leaked, due to an unpaid open source maintainer making a boo boo.

It's in CUPS, a printing subsystem. It isn't Linux specific.

CUPS isn't much exposed to the internet; I've checked and done a Shodan safari. It also isn't installed by default on Linux server installs for almost all distros.

It's not a big deal, update packages are dropping, don't panic.

Pouring one out for the unpaid open source maintainers dealing with this stuff for the past few weeks.

I notice the finder tweeting about it (before the announcement window) has turned off the ability to reply to their tweets.

Re the “Linux RCE” story, I’d like to point the press breathlessly covering this to one minor (sarcasm) detail for exploitation: “A potential victim attempts to print from the malicious device”

My thoughts on how this has played out: https://www.linkedin.com/posts/kevin-beaumont-security_open-source-has-many-unpaid-volunteers-who-activity-7245168546840793088-3N7A?utm_source=share&utm_medium=member_ios

Redhat’s advisory is worth a read if you want calm actual analysis: https://www.redhat.com/en/blog/red-hat-response-openprinting-cups-vulnerabilities
Red Hat’s response to OpenPrinting CUPS vulnerabilities: CVE-2024-47076, CVE-2024-47175, CVE-2024-47176 and CVE-2024-47177

Also, all the press articles I’ve seen on this have taken the word of the vulnerability finder as gospel; they haven’t actually fact-checked it.

E.g. none of the CVEs has a CVSS score of 9.9. Or close.

The sole source in articles shouldn’t be a known bully. The story is probably more how this played out so it doesn’t happen again.

In the researcher's PoC video they casually don't show that the victim user needs to print to the malicious print queue first; it's not in the video. Minor detail.

The media are going to have to go back and rewrite or delete the articles here. It’s not labelled Critical, it’s not a 9.9, etc. etc.

I think there’s probably lessons to be learned here around how vulns are covered.

Patches are out for the major distros, if you have Ubuntu desktop it should have auto updated already.

Hopefully nobody printed to the doomsday printer and got cyber mega(tm) owned in the cyber pandemic(tm) of 2024

@GossiTheDog Is it the Doomsday Printer or the Printer of Doom? 🤔
@GossiTheDog If you print into the abyss, the abyss also prints into you.
@GossiTheDog I'm up to GenX of cyber security, so HA!
@GossiTheDog thinking it might be worth checking on a local network if you have an implant or hacked a router and have a reverse proxy working, but just my two cents on this.

@GossiTheDog When Strange and Mysterious printers Unexpectedly show up on your network, >>> Do NOT Print to them!!! <<< Their "drivers" may be malware!

@GossiTheDog if it doesn’t have a crappy graphic you made with Paint, I tend not to worry!
@GossiTheDog good opportunity to weed out news sources that don't do their homework
@GossiTheDog They live for the spectacle. Security theater and over-hyped headlines sell subscriptions.
@GossiTheDog they should, but they absolutely won't. :(
@GossiTheDog people have to be really careful with sensationalist coverage of things that do not have technical details or are wildly impractical. It’s important to be aware of them, but alert fatigue is a very real thing.
@GossiTheDog at this point "CVSS 9.9" seems basically as meaningless as "NYT bestseller"

@GossiTheDog It used to be that you had to study journalism in order to become one, it also used to be that newspapers cared about the facts and accuracy of their articles.

That metric is long gone, now you can be a „journalist“ by copy pasting hacker news , and the metric that defines a good journalist is who does it in a way that increases click counts and time staying on page…

I don’t expect anything from any news page anymore; my brain has hardwired a disclaimer to all of them that goes „nothing that we say comes with any fact check or implied liability, because we just echo social media“

@GossiTheDog There are lessons to learn about how the media cover pretty much everything. Mainly caused by not being experts in the field they write about.
@GossiTheDog Is this from The Sun or from the National Enquirer?

@GossiTheDog looking at the "kill chain", and CUPS crashing 9 times/10 if you try the exploit, the right value could be 0.99, more or less.

@GossiTheDog They might make a short notice about it in a couple of weeks, when the articles have made them enough money and no one cares anymore.
@GossiTheDog if you add them all up you get CVSS of 29.5. The most biggestest in history!
@GossiTheDog All of that is true. But there is one big point the author has made that we should not forget about: it becomes more and more problematic that free software is used in companies which do not add anything to open source but expect safe and up-to-date software from the volunteers at any time. That will not work.
@GossiTheDog In my experience all printers are malicious, no attacker required 🫠😬
@gilgwath @GossiTheDog Do you have a moment to speak about our lord and saviour, Brother Printers?
@sortius @gilgwath @GossiTheDog They're not malicious purely by contrast, because almost everyone else is Satan incarnate. And they do tend to work fine and almost out of the box. But rest assured that there's a buttload of scary stuff in Brother printer support as well. Hackish Perl and shell scripts with variable substitution and quote escaping galore -- install their driver and take a peek around /opt/brother/Printers/<model>/cupswrapper/ for some thrills.
@gilgwath @GossiTheDog ironically I’ve found the 3d printer to be less of a pain to get to behave than the normal printer…
@gilgwath @GossiTheDog I think after printers it’s touch screens that don’t react to your input that are also malicious. When will the new CVSS standard include scoring for effects on mental health?
@GossiTheDog I last printed successfully from Linux in 1998. YMMV.
@hacks4pancakes @GossiTheDog Tbf, a lot of the stuff that dude was ranting about in his blog is based on the design of IPP/AirPrint... and the sole reason I haven't given up on Linux printing. By now I just connect any modern printer (ideally Brother, they don't rip you off in terms of cartridges) to the system and magically print, no "print drivers" required.

@ljrk @hacks4pancakes @GossiTheDog You can now get printers that use ink in refillable tanks. They cost about $200 since the makers understand they will never sell you ink for more than the price of human blood, but are worth it. I will never buy another cartridge printer, ever.

If you can get one that can print from a camera card too, so much the better: no print support needed at all on your computers.

(UPDATE: turns out HP is also under boycott for doing business with Netanyahu's genocidal regime in Israel. Don't buy HP at all)

DO NOT BUY any HP printer that has HP+ enabled by default! This malware locks the printer to HP's own ink (printer DRM) and also blocks printing unless the printer is connected to the Internet and logged into an HP account.

If you get stuck with an HP+ printer, take it back for a refund. If they won't take it back, scrap it: there's no safe way to use it as HP+ once turned on can never be turned off.

I once asked a Wal-Mart to stop selling HP+ printers as they are malicious and few customers will ever know in advance that use requires an HP account and connecting the printer to the Internet.

@LukefromDC @ljrk @GossiTheDog guys I was making a joke. It was a joke. I have an ancient Brother but I promise I don’t print anything from any operating system. Who even does that?
@hacks4pancakes @LukefromDC @ljrk @GossiTheDog I bought a laser printer years ago because the inkjets I bought would get all gummed up from lack of use.
@hacks4pancakes @[email protected] @ljrk @GossiTheDog Does your brother know you talk about him like that? 😤

@hacks4pancakes @GossiTheDog Didn't expect a long rant about printers either ^^'

I just find it ironic that the Linux printing joke isn't really accurate nowadays – but the reason for that is a) Apple and b) a protocol that is now associated with "the" Linux printer CVE :'-D

Side note: I personally mostly use a copy shop once in a while but, say, teachers often print their exercise sheets. And that's quite useful to print from an OS. And indeed, printing through IPP is definitely a breeze and I don't want to go back. It's not much more than an HTTP POST request with a PDF!

@LukefromDC Similar thing with Brother laser printers. You replace a cartridge once in a century and it's not even expensive!
@ljrk @hacks4pancakes @GossiTheDog with Brother you can also still get PCL & PS within the printer without needing 'enterprise' models - not in the bottom tier, and you have to dig into the specs to find the "Emulations" entry. ~$200 = PCL, ~$280 = PS+PDF
@hacks4pancakes @GossiTheDog Netcat over port 9100 still works on every printer I've come across.
@hacks4pancakes @catsalad @GossiTheDog please consider the environment before printing this exploit
@pootriarch @hacks4pancakes @catsalad @GossiTheDog Wait, am I going to need to buy more toner after running this exploit??
@pootriarch @hacks4pancakes @catsalad @GossiTheDog please consider this vulnerability before destroying the environment
@hacks4pancakes @GossiTheDog printing from Linux in 1998 is actually a huge tech flex! Color me impressed.
@lerxst it says a lot that I decided to never do it again after that
@GossiTheDog Oh printers, always innovating on making themselves worse.

@GossiTheDog that "the user needs to print a document" does indeed make all the difference, stopping it from being completely automated to requiring user interaction.
Yes, you could add an evil printer with the same name as the real one (if you happen to know that name). There may even be some weird system with a cron sending jobs automatically to a printer. But all in all, printing is a (relatively) uncommon action (even in environments where it is popular), drastically lowering the impact.

However, I do wonder if that open port 631 couldn't be used to send a print job to that just-installed-evil-printer, dropping victim interaction altogether.
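One concrete way to act on the open-port-631 point in the reply above, as an added example that is not part of this thread and not Kevin's or the CUPS project's code: a small POSIX shell audit that reports whether a Linux host has a UDP listener on port 631 and whether its cups-browsed configuration still allows remote browsing. The `ss -lun` column layout, the `BrowseRemoteProtocols` directive in `/etc/cups/cups-browsed.conf`, the systemd unit name `cups-browsed`, and the sample outputs are assumptions made for this example; the parsing functions read stdin so they can be exercised against the constructed samples without touching the live system, and `audit_host` only runs when the script is invoked with `--live`.

```shell
#!/bin/sh
# Added example, not from the thread: audit a Linux host for the CUPS browsing
# exposure discussed above (a UDP listener on port 631 and cups-browsed with
# remote browsing enabled). Assumptions: the `ss -lun` column layout, the
# BrowseRemoteProtocols directive in /etc/cups/cups-browsed.conf, and the
# systemd unit name "cups-browsed". Parsers read stdin so they can be tested
# on constructed samples.

# Exit 0 if `ss -lun` output (on stdin) shows a UDP socket bound to port 631.
# Data rows look like: UNCONN 0 0 0.0.0.0:631 0.0.0.0:*  (local address is $4)
udp631_listening() {
    awk '$1 == "UNCONN" && $4 ~ /:631$/ { found = 1 }
         END { if (found) exit 0; exit 1 }'
}

# Exit 0 if a cups-browsed.conf (on stdin) still allows remote browsing, i.e.
# the last effective BrowseRemoteProtocols directive is not "none" (an absent
# directive counts as enabled, since the assumed default is "dnssd cups").
remote_browsing_enabled() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "browseremoteprotocols" { value = tolower($2) }
        END { if (value == "none") exit 1; exit 0 }
    '
}

# Constructed samples (not captured from a real host).
SS_EXPOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0      0            0.0.0.0:631       0.0.0.0:*
UNCONN 0      0            0.0.0.0:5353      0.0.0.0:*'
SS_CLEAN='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0      0            0.0.0.0:5353      0.0.0.0:*'
CONF_DEFAULT='# cups-browsed.conf
BrowseRemoteProtocols dnssd cups'
CONF_HARDENED='# cups-browsed.conf
BrowseRemoteProtocols none'

# Live audit of this host: prints one FINDING line per issue and returns the
# number of findings (0 = nothing to do). Checks whose tools are absent are skipped.
audit_host() {
    findings=0
    if command -v ss >/dev/null 2>&1; then
        if ss -lun 2>/dev/null | udp631_listening; then
            echo "FINDING: UDP 631 is listening (browse requests reachable from the LAN)"
            findings=$((findings + 1))
        fi
    fi
    if [ -r /etc/cups/cups-browsed.conf ]; then
        if remote_browsing_enabled < /etc/cups/cups-browsed.conf; then
            echo "FINDING: BrowseRemoteProtocols is not 'none' in /etc/cups/cups-browsed.conf"
            findings=$((findings + 1))
        fi
    fi
    if command -v systemctl >/dev/null 2>&1 && systemctl is-active --quiet cups-browsed 2>/dev/null; then
        echo "FINDING: cups-browsed.service is active; if unused, consider: systemctl disable --now cups-browsed"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Demonstrate the parsers on the constructed samples.
if printf '%s\n' "$SS_EXPOSED" | udp631_listening; then
    echo "sample: UDP 631 listener present -> detected"
fi
if ! printf '%s\n' "$SS_CLEAN" | udp631_listening; then
    echo "sample: no UDP 631 listener -> clean"
fi
if printf '%s\n' "$CONF_DEFAULT" | remote_browsing_enabled; then
    echo "sample: default config -> remote browsing enabled"
fi
if ! printf '%s\n' "$CONF_HARDENED" | remote_browsing_enabled; then
    echo "sample: hardened config -> remote browsing disabled"
fi

# Run the live audit only when asked for explicitly: sh audit.sh --live
if [ "${1:-}" = "--live" ]; then
    audit_host || echo "findings: $?"
fi
```

The parsers take their input on stdin rather than shelling out directly so the same logic can be checked against the constructed samples and then pointed at the real `ss` output and config file; the hardened state the audit looks for (no UDP 631 listener, `BrowseRemoteProtocols none`, service stopped) is the one that removes the "just-installed evil printer" step entirely on hosts that do not need printer discovery.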

@GossiTheDog linux finally catching up to windows on the printer vulns
@GossiTheDog unfortunately all printers are a little bit malicious 🤣

@GossiTheDog How not to hack a millennial:

Go ahead and hit us in the:

Printer
Car
House
401K

We will just laugh as you punch at imaginary objects.

@GossiTheDog yeah, especially with how patronizing it looks like the finder has been
@GossiTheDog They have had their ‘I found teh haxx’ moment and the biggest fear now is being called a bullshitter in public.