
Pwned by Your Printer: Simone Margaritelli Warns of a Critical Security Vulnerability in CUPS


Security researcher Simone Margaritelli has found severe security vulnerabilities in the Common UNIX Printing System (CUPS) — allowing for remote code execution over a network on Linux and BSD distributions with CUPS installed and enabled.

“A remote unauthenticated attacker can silently replace existing printers’ (or install new ones) IPP [Internet Printing Protocol] URLs with a malicious one, resulting in arbitrary command execution (on the computer) when a print job is started (from that computer),” Margaritelli explains of the core of the issue. “A remote attacker [just] sends a UDP packet to port 631. No authentication whatsoever.”

CUPS is, as the name suggests, used to enable local and network printing on UNIX-like systems. Originally developed by Easy Software Products and adopted by Apple in 2002 for Mac OS X, it's the most common printing system for non-Microsoft Windows operating systems and is used on Linux, BSD, Solaris, and other platforms — making a security flaw that allows for unauthenticated remote code execution severe indeed, with Margaritelli’s discovery rated at 9 out of 10 for severity.

“This thing is packaged for anything, in some cases it's enabled by default, in others it’s not, go figure,” Margaritelli writes. “Full disclosure, I’ve been scanning the entire public internet IPv4 ranges several times a day for weeks, sending the UDP packet and logging whatever connected back. And I’ve got back connections from hundreds of thousands of devices, with peaks of 200-300k concurrent devices.”

The exploit works against “most” Linux distributions, “some” BSD distributions, Solaris, and possibly more UNIX-like platforms. (📹: Simone Margaritelli)

Margaritelli considers the flaw severe enough to “remove any CUPS service, binary and library from any of my systems and never again use a UNIX system to print” — but others are downplaying the vulnerability, while patches to close the hole have already been released. “Generally,” writes “senior technophilosopher” Xe Iaso on his blog, “your servers should not be vulnerable to this. Your desktops may be.” Johannes Ullrich at the SANS Internet Storm Center, meanwhile, recommends filtering UDP traffic on port 631 — which will block attacks from outside the local network even on an unpatched system.

More details on the vulnerability and its discovery — including a responsible disclosure process that Margaritelli describes as “broken” and which he has said he will not be following for future vulnerabilities — are available on Margaritelli’s blog; those running CUPS on their systems are advised to remove it if they do not require printing support or to check for a patch, while also ensuring UDP port 631 is not accessible over the internet.
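
To act on the advice about UDP port 631, the following added example (not from the article or from Margaritelli's write-up) checks a host's UDP listeners for port 631 bound beyond loopback. The function name `exposed_udp631` is hypothetical, the sample lines are constructed, and the column layout assumed is that of `ss -H -uln` on Linux.

```shell
#!/bin/sh
# exposed_udp631 (hypothetical helper): reads `ss -H -uln` style lines on
# stdin and prints every local address that has a UDP socket bound to port
# 631 on a non-loopback address. Returns 0 when none are found, 1 otherwise.
# Assumed columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
exposed_udp631() {
    awk '
        {
            local_ep = $4
            # The port is whatever follows the last colon, so bracketed
            # IPv6 endpoints such as [::]:631 are handled as well.
            n = split(local_ep, parts, ":")
            port = parts[n]
            addr = substr(local_ep, 1, length(local_ep) - length(port) - 1)
            if (port != "631") next
            # Loopback-only listeners are not reachable from the network.
            if (addr ~ /^127\./ || addr == "[::1]") next
            print addr
            found = 1
        }
        END { exit (found ? 1 : 0) }
    '
}

# Constructed sample of `ss -H -uln` output (not captured from a real host).
SAMPLE='UNCONN 0 0 0.0.0.0:631 0.0.0.0:*
UNCONN 0 0 127.0.0.1:323 0.0.0.0:*
UNCONN 0 0 [::1]:631 [::]:*
UNCONN 0 0 [::]:5353 [::]:*'

# Live use on a Linux host: ss -H -uln | exposed_udp631
if printf '%s\n' "$SAMPLE" | exposed_udp631; then
    echo "UDP 631 is not bound beyond loopback"
else
    echo "UDP 631 is bound on the address(es) above: filter it or remove the listener"
fi
```

A clean result only describes local bindings; whether the port is reachable from the internet still depends on the firewall rules in front of the host.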
