Warning: !!!! Huge Critical Linux Vulnerability !!!!! Remote code execution.

Key Points:
A critical, unauthenticated Remote Code Execution (RCE) vulnerability in GNU/Linux systems, rated 9.9, is about to be disclosed. [2]
The flaw has been known for over a decade but was disclosed to developers only three weeks ago by bug hunter Simone Margaritelli.
Margaritelli's upcoming write-up will include a proof-of-concept exploit and technical details.
While the bug has no CVE assigned yet, it is expected to need at least three and ideally six CVEs.
Canonical and RedHat have confirmed the severity of the issue, but there's no fix yet.

Entry Points from Simone Margaritelli:
WAN / public internet: a remote attacker sends a UDP packet to port 631. No authentication whatsoever.
LAN: a local attacker can spoof zeroconf / mDNS / DNS-SD advertisements. [1]

Sources:
[1] https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/
[2] https://thenimblenerd.com/article/9-9-rated-linux-flaw-the-doomsday-bug-that-makes-heartbleed-look-like-a-paper-cut/
https://www.phoronix.com/news/Linux-CVSS-9.9-Rating
https://www.redhat.com/en/blog/red-hat-response-openprinting-cups-vulnerabilities
SIX CVEs??! Wtaf.
$ sudo systemctl stop cups.service
$ sudo systemctl disable cups.service
Block port 631 on your firewall (you probably already are)
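Added example, not posted by anyone in this thread: a small POSIX shell audit that checks the two things the comments above recommend, whether anything is bound to UDP 631 on a non-loopback address and how to shut the listener down. The parsing of `ss -lun` output is the part worth keeping: it distinguishes a loopback-only bind from a wildcard or LAN-facing one, which is the difference between "local only" and "reachable from the network". The sample `ss` output embedded below is constructed for offline testing, not captured from a real host. The assumption (from my own knowledge of CUPS, not stated in the thread) is that the UDP 631 listener is the `cups-browsed` browsing daemon, so stopping that unit is enough to close the WAN entry point while leaving local printing via `cups.service` working; if you do not need printing at all, the `systemctl stop/disable cups.service` from the comment above is the simpler choice.

```shell
#!/bin/sh
# Constructed samples of `ss -H -lun` output (State Recv-Q Send-Q Local:Port Peer:Port),
# used only so the parser can be exercised offline. Not captured from a real machine.
SAMPLE_SS_EXPOSED='UNCONN 0 0 0.0.0.0:631 0.0.0.0:*
UNCONN 0 0 127.0.0.1:323 0.0.0.0:*'
SAMPLE_SS_EXPOSED_V6='UNCONN 0 0 [::]:631 [::]:*'
SAMPLE_SS_LOOPBACK='UNCONN 0 0 127.0.0.1:631 0.0.0.0:*
UNCONN 0 0 [::1]:631 [::]:*'
SAMPLE_SS_CLEAN='UNCONN 0 0 127.0.0.1:323 0.0.0.0:*'

# udp631_listening SS_OUTPUT
# Returns 0 if SS_OUTPUT shows a UDP socket bound to port 631 on anything other
# than loopback (wildcard 0.0.0.0 / [::] or a real interface address), else 1.
# The local address is column 4; the port is whatever follows the last ':' so
# bracketed IPv6 addresses such as [::]:631 are handled too.
udp631_listening() {
    printf '%s\n' "$1" | awk '
        $1 == "UNCONN" {
            n = split($4, a, ":")
            port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (port == "631" && addr != "127.0.0.1" && addr != "[::1]") found = 1
        }
        END { exit found ? 0 : 1 }'
}

# audit_cups
# Runs the check against the live socket table. Exit 0 = exposed, 1 = not
# listening on a network-facing address, 2 = could not check (no ss binary).
audit_cups() {
    command -v ss >/dev/null 2>&1 || { echo "ss not found; cannot audit" >&2; return 2; }
    if udp631_listening "$(ss -H -lun 2>/dev/null)"; then
        echo "UDP 631 is bound on a non-loopback address (cups-browsed reachable from the network)"
        return 0
    fi
    echo "no network-facing UDP 631 listener"
    return 1
}

# harden_cups
# Assumption (my own, not from the thread): cups-browsed owns the UDP 631 socket.
# Stopping and disabling it closes the remote entry point; cups.service itself
# (TCP 631, the scheduler) is left alone so local printing keeps working.
harden_cups() {
    sudo systemctl disable --now cups-browsed.service
    # Belt and braces at the host firewall if ufw is in use; skip if it is not installed.
    if command -v ufw >/dev/null 2>&1; then
        sudo ufw deny 631/udp
    fi
}

# Stand-alone usage: audit first, only harden when something is actually exposed.
if [ "${1:-}" = "--fix" ]; then
    audit_cups && harden_cups
else
    audit_cups
fi
```

Run it with no arguments to see whether the host is exposed, or with `--fix` to disable the browsing daemon only when the audit finds a network-facing listener. Re-run the audit afterwards; it should report no listener.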
Exploitation requires user interaction - attempting to print to a fake printer. Devs assume only an idiot would do that. Maybe, but the world is filled with highly credentialled idiots. Every university is vulnerable to this. Every hospital and big law firm, too.
I'm not particularly tech savvy and am unfamiliar with Linux but, if I understand the article correctly, wouldn't you have to (1) expose print services directly to the Internet and (2) wait for a server operator to intentionally try to send a job to the newly created bogus printer (which he doesn't even know exists) in order to execute the malicious payload? Seems like a pretty low probability of being able to pull that off without an insider on the victim's network to cooperate, no? Not impossible, of course. But it seems like the attacker would have to be pretty lucky.
Check the other comments on disabling printing and the firewall.
He is definitely an interesting personality. https://www.evilsocket.net/2016/05/08/Hacking-Yourself-out-of-the-Banking-System-and-Live-only-on-BitCoins/