[GTALUG] serious RCE vulnerability via CUPS

D. Hugh Redelmeier hugh at mimosa.com
Sat Sep 28 10:10:46 EDT 2024


There is a serious vulnerability in CUPS.  (As usual, it is over-hyped.)

A single unsolicited UDP packet can get root access on your machine if you 
have cups-browsed running.  But there are other vulnerabilities in CUPS, 
as I understand it.

There was a lot of arguing about how serious it is: serious or very 
serious?

It was supposed to be embargoed but it leaked.

<https://isc.sans.edu/diary/31302>
<https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/>

CUPS (the printing subsystem) is too promiscuous.  And it runs as root.

- no problem from the internet if you don't run CUPS (few servers and 
  thus most things exposed to the internet).  In particular, if a system 
  is behind NAT, it is not exposed to attacks from the internet.

- if your firewall blocks UDP port 631 (IPP), no problem behind it.

- you should consider attacks from within your LAN.  I wonder if a web 
  page could use javascript to create a local attack.

But if you want to print, update CUPS (fixes are out, I think).  And some 
parts are not fixed (cups-browsed in particular).

I think that the simple act of printer discovery is no longer simple.

(We just got a colour laser printer.  I fed it the WiFi password.  Now all 
our Linux computers can easily print to it.  To use it with any Linux 
computer in the house, the only configuration was asking the print 
dialogue to use a different printer.  I think cups-browsed enabled that.)

(To be honest, I've never really thought network printers were trustable, 
just convenient.  WiFi doubly so.)

I don't know why anyone thought a big codebase like CUPS ought to run as 
root.  Even after these fixes, the question remains.

Michael Sweet, the/an original author of CUPS, left Apple, and has been 
working on a replacement.  There are packages for my distro (Fedora) but I 
don't really know how it slides into the printing stack.

<https://www.msweet.org/pappl/>
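An added exposure check for the points made above (block UDP 631 at the firewall, update CUPS, and note that cups-browsed is the unfixed piece). This is example code written for this archive page, not anything from the original post or from the CUPS or PAPPL projects. It assumes a Linux host with iproute2's `ss` and systemd; the sample `ss` output embedded in it is constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example (not part of the original post): a defender's exposure check
# for the cups-browsed issue described above. It finds sockets bound to UDP
# port 631 (IPP; the port cups-browsed listens on for printer announcements),
# says whether each bind is reachable from the LAN, and reports the
# cups-browsed service state. Assumes Linux with iproute2 `ss` and systemd;
# the sample `ss` output below is constructed, not captured from a real host.

# Print every address in `ss -lun`-style output (stdin) that is bound to
# port 631. Scans all fields, so it does not depend on the column layout.
udp631_listeners() {
    awk 'NR > 1 { for (i = 1; i <= NF; i++) if ($i ~ /:631$/) print $i }'
}

# Classify one bound address. A wildcard bind means any host that can send a
# UDP packet to this machine reaches the socket; loopback is local only.
classify_bind() {
    case "$1" in
        '0.0.0.0:631'|'*:631'|'[::]:631') echo "exposed" ;;
        '127.0.0.1:631'|'[::1]:631')      echo "local-only" ;;
        *)                                echo "interface-specific" ;;
    esac
}

# Print the exposed port-631 binds found in stdin; exit 0 if there were any.
any_exposed() {
    udp631_listeners | while read -r addr; do
        [ "$(classify_bind "$addr")" = "exposed" ] && echo "$addr"
    done | grep .
}

# Constructed sample of `ss -lun` output: wildcard IPv4 and IPv6 binds on
# 631 (what a default cups-browsed looks like) plus an unrelated NTP socket.
SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0      0      0.0.0.0:631        0.0.0.0:*
UNCONN 0      0      127.0.0.1:323      0.0.0.0:*
UNCONN 0      0      [::]:631           [::]:*'

# Live check on this host; skipped cleanly when `ss` is not installed.
live_check() {
    if ! command -v ss >/dev/null 2>&1; then
        echo "ss not found; skipping live socket check"
        return 0
    fi
    echo "UDP 631 binds on this host:"
    ss -lun 2>/dev/null | udp631_listeners | while read -r addr; do
        echo "  $addr  ($(classify_bind "$addr"))"
    done
    if command -v systemctl >/dev/null 2>&1; then
        state=$(systemctl is-active cups-browsed 2>/dev/null)
        echo "cups-browsed service: ${state:-absent}"
    fi
    if ss -lun 2>/dev/null | any_exposed >/dev/null; then
        echo "Exposed: a UDP 631 listener accepts packets from the LAN."
        echo "Mitigations: update CUPS; 'systemctl disable --now cups-browsed'"
        echo "if you do not need printer auto-discovery; filter UDP 631 at the firewall."
    fi
}

live_check
```

Feed it saved `ss -lun` output through `udp631_listeners` to audit a host offline, or just run it; the classification deliberately treats an interface-specific bind as neither safe nor exposed, since whether the LAN can reach it depends on which interface that is.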
