Anthony J. Fontanez

123 Followers
134 Following
22 Posts
• Lead Customer Engineer (Intune/ConfigMgr)
• IT Professional in the Microsoft space (#ConfigMgr, #Intune, #ActiveDirectory, #AzureAD)
• Endpoint Management enthusiast and blogger
• Admin for the #WinAdmins Discord Community
• Part-time gamer when my brain is fried from other stuff
About Me: https://ajf.one/me
Blog: https://anthonyfontanez.com
Bluesky: https://bsky.app/profile/ajf8729.com
GitHub: https://github.com/ajf8729
WinAdmins Community: https://winadmins.io

So this "CVSS 9.9" "unauthenticated RCE vs all GNU/Linux systems (plus others)" thing...

- Does NOT affect all GNU/Linux systems.
- Is not CVSS 9.9. I put it at a 6.3

It also requires:
1) The victim system has no active firewall to block incoming connections.
2) A user on the victim system must print something to a printer that mysteriously appears on the system that has never been there before.

If these two things happen, then command execution can happen as the "lp" user.

<yawn>

We get it. You found a vulnerability.
Lying about it to try to stir up interest in it is not appreciated by anybody who takes themselves seriously in this industry.

CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177 have been assigned.

https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/

Attacking UNIX Systems via CUPS, Part I

Hello friends, this is the first of two, possibly three (if and when I have time to finish the Windows research) writeups. We will start with targeting GNU/Linux systems with an RCE. As someone who’s

evilsocket
@Tarah Neither, use native Entra ID and WHfB or FIDO keys for MFA. ADFS not required. On-premises anything not required.
CVE-2023-32019 (KB5028407) requires an additional registry value be configured to enable the fix; I put together some scripts that can be used via #ConfigMgr DCM to detect/remediate, as well as handle the different OS builds and registry paths/settings. I also recently updated this to include similar scripts that can be used via #Intune [Proactive] Remediation - https://ajf8729.com/post/cve-2023-32019-kb5028407-registry-settings/
Managing the Registry Settings for CVE-2023-32019 (KB5028407)

How to configure the necessary registry settings for CVE-2023-32019 - KB5028407 via PowerShell, ConfigMgr DCM, and Intune

AJF8729
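The post above describes detection/remediation scripts for ConfigMgr DCM and Intune Proactive Remediation that set a registry value per OS build. The following is an added example of that pattern and is not the script from the linked post: the registry path, value names and build numbers are placeholders (marked as such) that must be replaced with the values documented in KB5028407 for each supported build; the `Get-TargetSetting`, `Test-TargetSetting` and `Set-TargetSetting` functions and the `-Mode` parameter are this example's own.

```powershell
<#
    Added example: registry detection/remediation skeleton for a KB that
    needs an extra registry value per OS build. Run with -Mode Detect as an
    Intune Proactive Remediation detection script (exit 0 = compliant,
    exit 1 = remediate) or as a ConfigMgr DCM script (compare the written
    string "Compliant"); run with -Mode Remediate as the remediation script.
#>
[CmdletBinding()]
param(
    [ValidateSet('Detect', 'Remediate')]
    [string]$Mode = 'Detect'
)

# PLACEHOLDERS: replace with the path/value names/data from KB5028407.
# Key: OS build number reported by Win32_OperatingSystem. Value: registry value name.
$BuildToValueName = @{
    'PLACEHOLDER_BUILD_A' = 'PLACEHOLDER_VALUE_NAME_A'
    'PLACEHOLDER_BUILD_B' = 'PLACEHOLDER_VALUE_NAME_B'
}
$KeyPath      = 'HKLM:\SOFTWARE\PLACEHOLDER\Path\From\KB5028407'   # placeholder
$ExpectedData = 1                                                    # placeholder (DWORD)

function Get-TargetSetting {
    # Resolve which value name applies to this machine's OS build.
    $build = [string](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
    if (-not $BuildToValueName.ContainsKey($build)) {
        return $null   # build not covered by the KB mapping
    }
    [pscustomobject]@{
        Path = $KeyPath
        Name = $BuildToValueName[$build]
        Data = $ExpectedData
    }
}

function Test-TargetSetting {
    param([Parameter(Mandatory)]$Setting)
    # Compliant only if the value exists and holds the expected data.
    $prop = Get-ItemProperty -Path $Setting.Path -Name $Setting.Name -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $false }
    return ([int]$prop.($Setting.Name) -eq $Setting.Data)
}

function Set-TargetSetting {
    param([Parameter(Mandatory)]$Setting)
    # Create the key if missing, then create/overwrite the DWORD value.
    if (-not (Test-Path -Path $Setting.Path)) {
        New-Item -Path $Setting.Path -Force | Out-Null
    }
    New-ItemProperty -Path $Setting.Path -Name $Setting.Name -Value $Setting.Data `
        -PropertyType DWord -Force | Out-Null
}

$target = Get-TargetSetting
if ($null -eq $target) {
    # Unmapped build: nothing to enforce, treat as compliant so remediation is not triggered.
    Write-Output 'Compliant'
    exit 0
}

switch ($Mode) {
    'Detect' {
        if (Test-TargetSetting -Setting $target) {
            Write-Output 'Compliant'
            exit 0
        }
        Write-Output 'Non-Compliant'
        exit 1
    }
    'Remediate' {
        Set-TargetSetting -Setting $target
        if (Test-TargetSetting -Setting $target) { exit 0 }
        exit 1
    }
}
```

For Intune, upload the script twice (once as the detection script with the default `-Mode Detect`, once as the remediation script with `-Mode Remediate` set inside the file) and run it in the 64-bit host so the HKLM path is not redirected; for DCM, use the same `Detect` output string as the compliance rule's expected value and the `Remediate` path as the remediation script.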
How to quickly and easily modify #ConfigMgr Client Settings profiles via #PowerShell, an issue I recently ran into: https://ajf8729.com/post/modifying-client-settings-priorities/
Modifying Client Settings Priorities With PowerShell

How to easily modify ConfigMgr Client Settings priorities with PowerShell

AJF8729
Desktop Analytics is being retired in a week! I just went through removing it from my lab, and found one reference to the AAD application left behind that needed to be removed via WMI: https://ajf8729.com/post/removing-desktop-analytics/ #ConfigMgr
Removing Desktop Analytics from your ConfigMgr Site

How to remove Desktop Analytics and clean up everything left behind

AJF8729
Another #ConfigMgr Quick Post today - How to quickly set all of your Configuration Baselines to run on co-managed devices via #PowerShell - https://ajf8729.com/post/enabling-baselines-for-comanaged-devices/
Enabling Configuration Baselines for Co-managed Clients

Problem: You’ve shifted the “Device Configuration” workload in your ConfigMgr site to Intune, and your existing Configuration Baselines are no longer applying, and there’s a lot of them. Solution: Spend the next two hours clicking away in the console? PowerShell of course!

Get-CMBaseline -Fast | Set-CMBaseline -AllowComanagedClients $true

Running the above one-liner will enable all of your existing baselines to be run on co-managed clients even when the workload has been shifted to Intune.

AJF8729

I love all of you and I want nothing but the best for each of you, particularly those on infosec.exchange. I understand that Mastodon isn't Twitter, that DMs aren’t end-to-end encrypted, that we are spread across different instances and it can be hard to find your friends, and that an instance can go away at any time, and that translating posts doesn't work correctly, and there is no native giphy support, and that some instances are overwhelmed and super slow, and that you don't think the federated model can scale to a billion users, or that it doesn't support full text search of every post and account, or that we can't comply with the GDPR, or that we don't support quote tweet style functionality, or that we shouldn't collect IP addresses, and many other things.

The fediverse is a work in progress. I've been here for going on 6 years. In that time, it's come a long, long way. That said, Mastodon is not going to appeal to everyone. The decisions I make are not going to appeal to everyone. No one is forcing you to be here. No one is forcing you to disclose your personal secrets into a network of federated servers run by volunteers and hobbyists. NB: this is not Twitter. It has some similar functionality, but it is not Twitter. Parts of it are better, IMO, and parts are not. The security community is generally among the most skilled and competent IT people the world has to offer. Mastodon is open source. Do you see where I'm going?

I set this instance up a long time ago for reasons I don't even remember. I have poured my soul into this thing because I believe in the importance of this community. I have effectively peaked in my career as a CISO and I and my family live well. I am not running this instance for fame, money, a better job, or anything other than wanting to foster a community of people that can learn from each other and make the world a better place. That's it.

As I've said in several recent interviews, I felt particularly obligated to ensure the security community had a good landing spot in the fediverse as everyone was running for the doors in Twitter. We've grown from 180 active users to about 30000 in the span of 3 weeks. I do not expect everyone to stay. Some will set up their own instances. Some will move to one of the other excellent security-focused instances. Some will give up and move on to some other social media. And that is OK. While I am super excited to see the buzz here, I don't have subscriber targets, engagement targets, retention targets, or anything else. The only metric I hold myself to is whether I think this is serving a useful purpose to the community.

I appreciate all of you, regardless of where you land. Infosec.exchange has been here for a long time and will continue to be here for you.

Find your #configmgr peeps. #findme_memcm
ping in the dark 🔦
#findme_memcm
Someone suggested this experiment… #findme_memcm