So this "CVSS 9.9" "unauthenticated RCE vs all GNU/Linux systems (plus others)" thing...

- Does NOT affect all GNU/Linux systems.
- Is not CVSS 9.9. I put it at a 6.3.

It also requires:
1) The victim system has no active firewall to block incoming connections.
2) A user on the victim system must print something to a printer that mysteriously appears on the system that has never been there before.

If these two things happen, then command execution can happen as the "lp" user.

<yawn>

We get it. You found a vulnerability.
Lying about it to try to stir up interest in it is not appreciated by anybody who takes themselves seriously in this industry.

CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177 have been assigned.

https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/

Attacking UNIX Systems via CUPS, Part I (evilsocket)

This CUPS thing is a great example of how not to do vulnerability coordination/disclosure.

Even the CVE assignment is a failure. An independently fixable vulnerability gets a CVE. It's quite simple. It's a number that you assign to a vulnerability.
https://cve.mitre.org/cve/list_rules_and_guidance/counting_rules.html

GitHub (the CNA) for CVE-2024-47176:
"cups-browsed bugs and other bugs can combine, leading to info leak and remote code execution"
(lists three COMPLETELY UNRELATED CWEs)

You don't just assign a meta CVE for a set of different vulnerabilities because it's easier. 🤦‍♂️

Or even the CVSS part of the CVE is highly inaccurate. GitHub gives it an 8.4, but I give it a 6.3 to the entire attack chain. Or if we follow CVE rules and have only one vulnerability per CVE, I'd give it a 5.3.

"scope": "CHANGED" ?

Get real! That sort of thing gets assigned to hypervisor escapes and the like, where resources beyond the security manager of the affected component can be modified. This vuln allows assisted command execution as the "lp" user.

Even the Confidentiality, Availability, and Integrity ratings of "HIGH" by GitHub are highly suspect. Can I modify cupsd.conf with this vulnerability? No, it's owned by root.

Was this handled by somebody at the CNA who was unfamiliar with both CVE and CVSS?
Do better.

Even the affected CUPS versions are wrong in the CVE entries. It currently says that ONLY version 2.0.1 is affected, and therefore all other versions of CUPS are NOT affected.

Do we win a prize if every single field in a CVE entry is wrong?

@wdormann I wrote the CVSS v3 specification and I agree, that’s not how these metrics should be applied

(Edited bc while a funny riff on the message at the end of US political campaign ads, I shouldn’t speak to the entirety of Will’s post bc reasons)

@wdormann it escapes the printer though 👹