Another big advantage of Brother laser printers (no point in getting inkjet in 2024) is that they happily take 3rd party toner and drums, and their own toner/drums are reasonably priced.
Get an OKI color laser printer; they have (or at least used to have) the installed "test" cartridges without any DRM chips and you can do a reset, including the page counter, in the service menu. Even if you don't reset anything, they print even if "you are out of toner" (with a warning). The only annoying thing about color laser printers is the fingerprinting by printing yellow dots... (thanks USA money laws)
While reading the blog before, most of the technical stuff went over my head, but I did understand that the attacker needed to disguise the system as a printer using port 631 and the victim needs to use it for it to work, so a 9.9 CVE obviously didn't make any sense for a normal user. However it does make sense for companies where there are more printers and it's easier to disguise… and a company would also be the one to take the most damage off of the attack…
Although it is indeed overhyped and none of my Debian servers are affected, Ubuntu is affected by default and the word "Ubuntu" showed up over 150 times in our on-prem server list. What a day
@@harrytsang1501 Is Ubuntu Server affected by default? Mine don't have any cups on, though maybe I deselected it on install or removed it at some point...
Ubuntu server didn't seem to have it. My non server debian boxes did have it. I'm not worried about servers. I'm worried about weird embedded systems. Like PoS machines.
Given the nature of the vuln, it's more if it is listening on port 631. Since it sounds like you're in a corporate environment I'm going to assume you have a firewall for all of those servers. Meaning all you have to do is check the firewall rules.
I could see state actors being VERY interested in this exploit, or maybe even already using it for a long time. Something like the recent supply chain attack by Israel comes to mind: set up a proxy company that sells printers with modified firmware and your victim even invites you in.
No one is mentioning that CUPS was bought by Apple about 15 years ago. Thanks Apple for that. The guy that was maintaining it departed Apple for his own company. So CUPS has been stagnant ever since. IMHO, this may be part of Simone's problem. The brain departed. Nobody to maintain it.
Exactly. Nice exploit chain, lots of interesting stuff, then the guy goes "zomg Linux is one giant security hole and no one cares!", knowing full well that cups has nothing to do with Linux other than it runs on it (and on pretty much all other posixy systems). Lost all the cool points immediately. Not to mention, this isn't a commercial vendor, it's a small group of volunteers maintaining a very old, hairy codebase that has to deal with printer manufacturers not supporting anything other than windows.
Another way I can see to exploit this potentially is to become their printer, tee that to the real one and capture the data. One client I have thinks it's super convenient to copy-paste their credit card numbers, and those of their customers, into lots of forms and spreadsheets. They print these. Identifying as a printer might not be so harmless. edit: This is not behind their main firewall for automation systems, it's front office and basically unlocked because derps work in there.
The problem I have with what Simone posted is less about the CVSS score and more about saying it affects *all* GNU/Linux systems. This implied to many people that it was a kernel-level RCE. Once it came out that it was CUPS I went from having to panic about all of my Linux systems down to disabling CUPS on my laptop. That bottom paragraph says to me that he posted that X/Twitter out of frustration in dealing with the devs who were dragging their feet to try and light a fire, but now it's getting him unfairly roasted.
A very helpful walkthrough of what's involved here. I've been a printer-support person at my college for many years, and due to that I'm quite aware that CUPS is a mess wrt security. I just did a quick check, and of some 220 Linux hosts that I have some responsibility for, about six *might* be affected by this. And I think only one of those needs to have CUPS running at all. Good work by the security-researcher guy. It's a shame that this got pre-announced as 9.9, as the "letdown" (???) from that claim makes people upset with the whole event.
How about no. The guy reporting it spread lies and FUD (no, this is not a 'no interaction RCE', it's not 'Linux' etc), hyped his CVEs, and pretended not to understand that cups - a very old, hairy codebase that has to do unpalatable things because of 0 driver support from manufacturers and maintained by a very small group of volunteers who get 0 credit because it's not a sexy project - is somehow horrible through incompetence or malice, rather than lack of volunteer time.
For decades I have marveled at how many exploits exist solely/entirely around the printer sub-device architecture; I've been a computer builder/nerd for 30+ years and I have never had a printer connected to my home devices XD
It's definitely a great and fantastic find. It's just that Simone's tweet tried to suggest he found something that was equivalent (or worse) than Log4j and the fact is, no. Not even close. It's very big, just, a little bit overhyped.
@@Ether_Void Obviously. I'm sure we'll see this exploited in horizontal movements across networks. I've always applied the concept of minimizing attack surface within networks for just that reason. Also printers are the devil and this is just further proof.
and sort of summarizes what's wrong with this society of memes. Memes are a waste of time, are predictable, not so funny after a while. And yes I am very funny at parties and I am not the police. See what I did there?
Bluetooth has gotten really unsafe to use in my neighborhood. I had an ESP32 device kick my headset, spoof the headset, set up a virtual LAN connection, and then start trying other vulnerabilities before I caught it. It spread to 2 other systems on my network and started trying to exfiltrate data. Stay off Bluetooth. It's not worth the convenience.
Just a little bit of history. The Foomatic interface emerged when there was a bit of competition over the printing standard on Linux: LPD, LPRng and CUPS, CUPS being the new kid on the block. The problem started because many printers do not have a driver for Linux, or the closed drivers are worse than the open source ones (e.g. Ghostscript). Other issues come from the fact that many printers are just a rebrand of another model, and mapping what works with which was needed. So this is what the Linux Printing Database did, and Foomatic came out of it (like WineHQ's database for apps). It started with a band-aid to get the printer to work on Linux, and it is astonishing to find out that even today it has not been improved. Also worth mentioning that CUPS was bought by Apple a long time ago and is branded as an Apple product.
cups-browsed is a desktop package, this doesn't affect servers at all. There's close to zero desktop linux PCs with a public IP. Even homelab/IoT devices are mostly behind NAT with certain ports open, certainly not UDP/631. That said; it's still a major backdoor for anyone already inside a LAN with Linux Desktops.
It's worse - it's a manager's scale. We know about managers. OMG, it's a 9.9 out of 10! Almost as bad as it can be! Panic, run over the women and children! We're staying late to fix this! We'll buy Chinese food and a couple of pizzas. Call home, you're staying late. Only to find out you're probably not even running CUPS. If you are, it's set to localhost. Even if they get through they can only define a printer, which someone would have to use to exploit. So not just any attacker could do this. They'd need help or be within the organization. I manage a bunch of RHEL, Fedora, and some other machines. A couple of them had CUPS running. Localhost only. So it's probably a 5.0 - 7.1. Congrats on finding the bug. It needs attention. Don't lose sleep over it.
@@robertthomas5906 who the fuck has CUPS set to localhost? Do you mean LAN? "Localhost" means it is hosted locally, i.e. on the same machine, but basically every printer in the past 1.5 decades has defaulted to network printing, and I can't recall a distro ever not having that work. So the requirements are: 1: be on the same network as a target, 2: name your "printer" "Save to PDF", 3: profit
Before anything else, if it’s an exploit in cups, it’s not a vulnerability in every Linux system. For example, I run a server that doesn’t have cups installed because I removed it.
@@BlueEyesWhiteTeddy Okay thanks, I was just curious. It's like the name "Sasha" for Russian guys, the first time I heard this I was a bit confused but it's a very common name for males in Russia...
I don't mind such a powerful print driver existing for compatibility reasons, but I think that every time you use this printer it should show you that this powerful print driver is being used to execute this command ~ So then if you trust the printer you can still print with it, but it might make you double check.
This is absolutely a huge deal for government and enterprise sectors. They often purchase printers in bulk, so you can easily pick a name that won't raise any eyebrows. Especially in govt, where security can be atrocious. You just walk into a court building, sit down in the waiting area, connect to Wi-Fi, add yourself as a printer to every host you can reach and wait a few minutes. There are tons of paperwork constantly being printed out, so you very quickly get your code running on a machine that has access to a lot of court data, and can modify most of it as well. Want a fancy registration plate for your car? Go to DMV and do the same. Want your speeding tickets dropped? Go to your police department and just delete them from the system.
It's not big deal for governments. They have security plans in place and on that list is getting rid of things you don't need - such as a printing subsystem you'll never use. Every government place I've worked at they did the security and that was removed. If they don't care, sure it would be a problem and so would so many other things. Look under some keyboards. Do you see a password?
foomatic-rip had its purpose a decade and a half ago, I remember those days. Printer manufacturers, other than HP, were being little twits and not even sharing PostScript and capabilities used by their printers with open source devs and users. foomatic-rip allowed you to use printers not officially supported without a PPD file by using the PPD from a similar printer and tweaking it on the fly with the aforementioned tool.
Desktop distros yes. With the worst part being we want it there. This is what allows the "it just works" printing on Linux, and the printer appearing in the list part is expected behavior.
All I can think about is a workstation set up to print to the closest printer by default in an office. The worker printing probably prints 100 files a day, and never once looks at the printer they're using because it always goes to the closest printer, just clicking through the popup with rote memorization. I can see the same thing happening to a home user that only has one printer, and thus has never once looked at the "printer list" because it's never been populated. If it defaults to the attacking printer, both of these users would be screwed just for not assuming they have to look at their printer list every time they print.
The name RIP suggests it's about a Raster Image Processor. Those are used between a computer and a large format plotter, basically a server that takes control of, e.g., color profile transformations like RGB->CMYK (the printer is CMYK and doesn't know what to do with RGB).
It converts PostScript or PDF into the printer's native raster format. The tool is less and less useful since Apple's AirPrint and Google's CloudPrint both decided on a PDF subset for print job submission.
The thing is that a Linux 9 CVE sounds like a doomsday scenario, but it does not if servers (who are behind firewalls and never print) are not affected 😅
I would caution everybody to remember that this is the CVSS **base** score. CVSS base scores are calculated based on objective criteria of a vulnerability; it specifically does not include subjective or contextual criteria. CVSS provides for two additional scores that are a lot more subjective. The temporal score (which we could see on screen when you were looking at the base score, hasn't been evaluated or assigned yet, at least by the security vendor whose website you were looking at) considers how recent the vulnerability is. Is it theoretical? Has there been a proof of concept? Is it known to be widely exploited? The last category is the environmental category that organizations are supposed to evaluate vulnerabilities against themselves. This category is entirely subjective and gives the context to a vulnerability. In this case for example, if an organization simply doesn't use CUPS on their systems, or if it does use CUPS and everything is firewalled off, the final score should be pretty low. If an organization runs lots of Linux as desktops in a call center or something and if an attacker could somehow get a device on that network, then I would expect the final score would be much higher.
It reminds me of this meme about tech workers having only a printer at home and no IoT devices but still keeping a gun close to it just in case it starts making sounds you don't recognize 😅
Really wish there was a way to make future printers more or less universal or at least with a universal mode like if they all accepted some basic image or vector format and then all new printers would not need as much backwards compatibility to just do basic printing. Would be amazing if there were some form of human readable language that printers could support, something like LaTeX. Just something that does not require the user's machine to run some arbitrary code that is different for each printer, like a universal printer language.
I could imagine that the vulnerability could be exploited in networks that provide centralised printing. You can print arbitrary files there by design and to allow this, port 631 has to be open. So you have all the ingredients to run arbitrary code on the print server.
CUPS actually has a decent amount of internal privilege management ability. You can allow printing by anyone but only allow printer setup by authorized users. CUPS had advertise myself but ignore other adverts filtering at one point as well. It may be disabled by default now.
Ed I wish you would have talked about how to restrict access to cupsd. You mentioned that it's open to everyone by default but not how to restrict to local traffic only.
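One way to answer that question for a whole fleet without touching a live daemon, as an added example that is not code from the original page or from the CUPS project: audit copies of cupsd.conf and cups-browsed.conf for the directives that make them reachable from the network. The directive names (Listen, Port, Browsing, BrowseRemoteProtocols, BrowseProtocols, BrowsePoll) are the real keywords of those two files; the sample configurations are constructed, and the assumption that an absent BrowseRemoteProtocols line leaves the legacy "cups" browse protocol (the udp/631 listener) enabled reflects stock packaging and should be checked against your distro's shipped file.

```python
"""Audit cupsd.conf / cups-browsed.conf text for network exposure.

Added example, not code from the original page or from the CUPS project.
It parses configuration text only: no root, nothing contacted, so it can run
over files copied off a fleet. Directive names are the real cupsd.conf and
cups-browsed.conf keywords; the sample configurations are constructed.
"""
import re

# Addresses that only a process on the same host can reach.
LOCAL_ONLY = re.compile(r"^(localhost|127\.\d+\.\d+\.\d+|\[?::1\]?)(:\d+)?$")


def directives(text):
    """Yield (keyword, argument) per directive; comments and the <Location>
    / <Policy> block markers are skipped, the lines inside them are not."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        yield parts[0], (parts[1].strip() if len(parts) > 1 else "")


def audit_cupsd(text):
    """Findings for cupsd.conf: anything that makes cupsd reachable off-host."""
    findings = []
    for key, arg in directives(text):
        if key == "Port":
            findings.append(f"Port {arg}: binds every interface on tcp/{arg}")
        elif key == "Listen" and not arg.startswith("/") and not LOCAL_ONLY.match(arg):
            findings.append(f"Listen {arg}: reachable from the network")
    return findings


def audit_cups_browsed(text):
    """Findings for cups-browsed.conf.

    The legacy 'cups' browse protocol is what makes cups-browsed listen on
    udp/631 and create queues from any announcement it receives.
    """
    findings = []
    seen = False
    for key, arg in directives(text):
        if key in ("BrowseRemoteProtocols", "BrowseProtocols"):
            seen = True
            if "cups" in arg.lower().split():
                findings.append(f"{key} {arg}: accepts legacy udp/631 browse packets")
        elif key == "BrowsePoll":
            findings.append(f"BrowsePoll {arg}: pulls queues from a remote server")
    if not seen:
        # Assumption: the compiled-in default includes the legacy protocol.
        findings.append("BrowseRemoteProtocols not set: built-in default applies, "
                        "which includes the legacy cups protocol")
    return findings


# Constructed samples: the weak shape beside the hardened one.
WEAK_CUPSD = """\
# Constructed: cupsd answers on every interface
Port 631
Listen /run/cups/cups.sock
Browsing On
<Location />
  Order allow,deny
  Allow @LOCAL
</Location>
"""

HARDENED_CUPSD = """\
# Constructed: loopback and the local socket only
Listen localhost:631
Listen /run/cups/cups.sock
Browsing Off
<Location />
  Order allow,deny
  Allow localhost
</Location>
"""

WEAK_BROWSED = """\
# Constructed: distro-style default
BrowseRemoteProtocols dnssd cups
BrowseLocalProtocols none
"""

HARDENED_BROWSED = """\
# Constructed: stop discovering remote queues entirely
BrowseRemoteProtocols none
BrowseProtocols none
"""


def audit(cupsd_text, browsed_text):
    """Combined report; an empty list means nothing network-facing was found."""
    return audit_cupsd(cupsd_text) + audit_cups_browsed(browsed_text)


if __name__ == "__main__":
    for label, c, b in (("weak", WEAK_CUPSD, WEAK_BROWSED),
                        ("hardened", HARDENED_CUPSD, HARDENED_BROWSED)):
        print(f"[{label}]")
        for finding in audit(c, b) or ["no network exposure found"]:
            print("  -", finding)
```

An empty result from `audit()` is the state the thread keeps coming back to for anything that is not a print server. If discovered queues are not needed at all, stopping and masking cups-browsed removes the udp/631 listener outright, and a firewall rule on udp/631 covers hosts whose configuration you cannot change.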
An actually useful attack vector utilizing this "feature" would be data smuggling from inside a company to outside of said company. A machine that normally does send print jobs starting to send a few more per day might not even get a "huh, that's strange" from most companies' underpaid/under-skilled IT personnel. Gain access to that machine just long enough to install your faux printer, a piece of code that simply sends a duplicate of every print job to a remote "printer" that is simply saving the output of that print to a file (like print to PDF). As long as the user never sees any interruption of their normal tasks they may never know they are an assailant's data smuggler. The IT persons may not realize for a while, or ever, because the user is printing to a printer they installed and gave permission to.
I actually exploited it using Kali as the attacker and Ubuntu as the victim: just running netcat and the PoC script on Kali, then printing a picture from Ubuntu gave me a reverse shell.
The fact that so many non-print servers have this package installed and running should make us worried about so many bad administrators leaving it open. I had to go double check mine because, you know... mistakes happen.
10:42 The user has to print something using the printer definition that was created by the attacker. However, if the attacker knew the name of the existing printer definition, the user would not notice anything out of the ordinary.
So one key thing to note it seems is that they already need to be in your network for this to be done. So risky for public networks, not as bad if you've got your own private wifi. Although considering the last video was a router exploit issue, maybe shouldn't be too complacent.
So, just to clarify for myself, if I (roughly) understood how this works:
Attacker: Hi, I am a printer!
Victim: Hi, nice to meet you, what files can you print?
Attacker: I support the ThisIsAVirus format.
Victim: Oh, interesting. How do I decode that file format?
Attacker: It's super easy, barely an inconvenience, here you have the appropriate ExecuteThisVirus decoder.
Victim: Thanks, I will implement the ExecuteThisVirus decoder the next time I need to print something.
Thank you! Just saved me 13 minutes!
Best summary! Could be a children's book ❤
@@highdefinist9697 Does the attacker need to be at the victim’s house?
super easy! barely an inconvenience!
Love to start my day off with a random Ryan George reference, haha
printer autoconnects to new PC
normal person: oh cool
security researcher: *squints*
This gave me a good laugh and it's so true hahaha
4 Zero Days: *Starts Sweating*
This is why Windows is more secure. Printers just never work on it.
In truth, the printer provides a binary driver which is run as SYSTEM on Windows. Though it does try to find an up-to-date one on Windows Update first, of which there are several with known vulnerabilities in them.
LOL
Even Windows 10 is good enough after End of Life, I guess. I am holding off on the switch because even Linux isn't safe. I knew for some reason I was being pulled back to Windows and suddenly this pops up.
@@TechnoMinded-qp5in On Windows vulnerabilities happen every day.
On Linux they happen like every few months or years depending on how they get detected.
That's why you see headlines every day about vulnerabilities on Windows more than on Linux. But there is already a fix for this vulnerability. So I don't think you should be worried, but oh well.
@@TechnoMinded-qp5in you know I have this already patched on my Linux systems; a similar issue has been known to exist in Windows since 2021... it is 2024 now.
Released 25 years ago, approaching net security like it was still Arpanet days. Way to go CUPS!
And it's made by Apple, as well
To be fair, it's like that mostly because it has to support all the weird and/or obsolete shit that printers still do these days 😅
@@itskdog it might be the only major supporter left, but CUPS predates Apple's involvement by several years.
@@StephenSpencer1972 Oh, okay - I thought I'd seen in the web UI that it had a copyright Apple disclaimer, so assumed it was entirely, or at least mostly, in-house designed for OS X, but that other BSDs and Linux took it on as well.
RIP HP Printer. You didn't achieve much at all.
And nothing of value was lost
It doesn't deserve to rest in peace.
Rip could also mean "rest in pieces" which for hp, would be accurate xD
@@davester4545
*Cut to scene from Office Space
😢my dad's 15 year old hp printer still works fine
I will call this the '2 hackers 1 CUPS' CVE.
That is both disgusting and hilarious. I approve 👍
2 geeks 1 CUPS
OH NO, DON'T DO IT!!! NNNOOOOOO
gonna get some chocolate icecream now
This comment is definitely a 9.9
Wow, executing arbitrary commands *by design*.
Remember kids, never exec arbitrary code, unless you're a core part of the Linux kernel I guess, real "do as I say, not as I do" vibes lol
@@Imperial_Squid I thought this was userspace?
@@AlexSwanson-rw7cv It is. That file is still executed as the nobody user (some distros have a cups user). So the exploit is not dangerous by itself.
It can be the entry method for any other local attack though...
@@framegrace1 cups is run as root on some systems
@@Imperial_Squid CUPS is not part of nor related to the Linux kernel.
I tried watching this video but I ran out of cyan
nah, just really really likes black
Need yellow to print the tracking dots
Tried switching to black&white, but still didn't allow it due to lack of cyan.
Brilliant 🤣🤣
But... the important question is of course... does this exploit work on Tuesdays?
@Uerdue considering you could use a print to pdf imposter yes
Only with OpenOffice
@@Yadobler Such an OOO scenario.
Probably works more often than my freaking printer does.
based
I feel a fun little honeypot idea coming up by setting up a dummy cups server, expose it publicly and see what kind of printers get added
You can even put it in the cloud. I heard that Azure data centers are routinely scanned by malicious actors, so if you put it in a VM there, someone might notice your dummy cups server and spend time to investigate (not sure if it was specifically SSH and RDP that were attacked or more things, though). Of course, other cloud providers may be in a similar situation, I just heard about it in the context of Azure.
...And as I'm watching this, my Mint updater pushes a CUPS update...
same😂😂
My Kubuntu snap store did the exact same
got mine last night
Fedora updated. Will check my Debian, Parrot and Steam Deck machines later.
My OpenBSD or my NetBSD machines don't have CUPS installed.
yep, ubuntu released patch yesterday, pretty sure other distros did too.
Any research with results and explained how they researched it deserves props.
I find it funny how the internet just assumes that businesses never expose unnecessary services to anybody in their networks or the internet and that your usual employee would never ever consider clicking messages away or use the wrong printer that magically appeared in their settings. Good luck!
I saw a lot of people dissing this because a user had to print and I was looking at face-palming. Imagine a user seeing "use this printer!" in the printer list. At minimum one user is going to use it to print. And that's all it takes.
"Arm chair people assumes businesses."
@@deefdragon Most people *here* would just use that printer, myself included.
@@deefdragon even better - just copy the name of another boring printer you've found on the same network. Nobody will be surprised at all to see two printers with the same name.
@deefdragon I would 100% click the wrong printer at some point because I don't think I have ever used a printer when there weren't 10 people trying to ask me 100 questions about their technical issues.
I hope this gets a fix soon instead of everyone just disabling browsed, because IPP Everywhere (the stupidly-named protocol that enables this) is honestly the best thing to ever happen to printers for Linux users. It's basically a simple extension of IPP that instead of just allowing the printer to advertise itself but still need a vendor-specific driver unless it's some huge PostScript-enabled office machine, there's now a standard raster format printers are required to support that uses a driver that CUPS has built in. This isn't even a new thing - a large number of network printers have implemented it for well over a decade now, but software support only started appearing recently. Of course, the entire point of the protocol is that the printer doesn't need to instruct CUPS to execute any specific commands, just advertise support for a data format that it already knows how to handle, so it may be enough to just block foomatic-rip execution for PPDs loaded from the network (it sounds like the feature can't be removed altogether, but other use cases would involve a PPD provided by a locally-installed driver package that is more trusted).
Well the PPDs can be pre-generated rather than tweaked on the fly from a similar one using foomatic-rip...or maybe the list of executables can be narrowed to only the GNU string manipulation tools needed. After 15+ years there's more than enough historical data to figure this out.
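To see how much of that foomatic-rip machinery your own queues actually depend on, here is an added example (not code from the original page or from the CUPS project) that inventories the filter programs each installed PPD names. The keywords it reads are the real PPD ones (*cupsFilter, *cupsFilter2, *FoomaticRIPCommandLine); the two PPDs embedded in it are constructed and deliberately minimal, and /etc/cups/ppd is the usual location of cupsd's per-queue PPD copies but may differ on your distro.

```python
"""List the filter programs each CUPS PPD would make cupsd run.

Added example, not code from the original page or from the CUPS project.
The PPD keywords it reads (*cupsFilter, *cupsFilter2, *FoomaticRIPCommandLine)
are real ones; the two sample PPDs are constructed and deliberately minimal.
"""
import os
import re
from pathlib import Path

# '*Keyword: "value"' or '*Keyword Option: "value"', single-line values only.
PPD_LINE = re.compile(r'^\*(?P<key>[A-Za-z0-9-]+)(?:\s+\S+)?:\s*"(?P<val>[^"]*)"')


def entries(ppd_text):
    """Yield (keyword, value) pairs from a PPD."""
    for line in ppd_text.splitlines():
        m = PPD_LINE.match(line.strip())
        if m:
            yield m.group("key"), m.group("val")


def filter_programs(ppd_text):
    """Programs named in *cupsFilter (src cost prog) and *cupsFilter2
    (src dst cost prog) lines. A program of '-' means the printer accepts
    that type as-is and nothing runs, so it is left out."""
    programs = set()
    for key, val in entries(ppd_text):
        if key in ("cupsFilter", "cupsFilter2"):
            fields = val.split()
            if fields and fields[-1] != "-":
                programs.add(os.path.basename(fields[-1]))
    return programs


def ppd_report(ppd_text):
    keys = {k: v for k, v in entries(ppd_text)}
    programs = filter_programs(ppd_text)
    return {
        "model": keys.get("ModelName", "?"),
        "filters": sorted(programs),
        "foomatic": "foomatic-rip" in programs,
        # The command line foomatic-rip hands to a shell: its presence means
        # this PPD carries executable instructions, not just capabilities.
        "command_line": "FoomaticRIPCommandLine" in keys,
    }


def scan_ppd_dir(path="/etc/cups/ppd"):
    """Report on every installed queue's PPD (cupsd keeps one per queue)."""
    return {p.name: ppd_report(p.read_text(errors="replace"))
            for p in sorted(Path(path).glob("*.ppd"))}


# Constructed samples: a Foomatic-driven queue and an IPP Everywhere one.
FOOMATIC_PPD = '''*PPD-Adobe: "4.3"
*ModelName: "Old mono laser via Foomatic (constructed)"
*cupsFilter: "application/vnd.cups-postscript 0 foomatic-rip"
*FoomaticRIPCommandLine: "gs -q -dBATCH -dNOPAUSE -sDEVICE=pxlmono -sOutputFile=- -"
'''

EVERYWHERE_PPD = '''*PPD-Adobe: "4.3"
*ModelName: "IPP Everywhere queue (constructed)"
*cupsFilter2: "application/vnd.cups-pdf application/pdf 10 -"
*cupsFilter2: "application/vnd.cups-raster image/pwg-raster 100 -"
'''

if __name__ == "__main__":
    for text in (FOOMATIC_PPD, EVERYWHERE_PPD):
        print(ppd_report(text))
    # On a real host: for name, r in scan_ppd_dir().items(): print(name, r)
```

A queue whose report shows foomatic-rip with `command_line` True is one where the PPD itself, not just the printer's capabilities, decides what gets executed; a queue that names no program, or only CUPS's own raster filters, is the IPP Everywhere case the comment describes, where the built-in driver does the work.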
Someone shared this on discord and most people were sceptical. I just knew the LLL video would be a great summary, so I am here now. thanks!
I'm currently taking cybersecurity classes and I cannot explain how happy I got understanding what CVSS actually means
thank you for these videos btw!
This is pretty bad for places where you are already on the network like universities. You'll hop on to other systems from your primary ingress point.
Gotta say, cups has been a bit of an operational nightmare since its birth back in the 90s. The "solution" I used for a 400+ seat engineering lab I used to run: all printers are directly attached to a physically separate internal (edit: device management) network. Printers are statically defined on one or more print servers that have access to that internal network. No printer discovery in play. It was a curious-but-bad idea in 2002. It's less curious but every bit as bad of an idea today.
(apologies in advance for choir-directed preaching)
It's cool that you're giving props to the researcher that did this work. Beyond the severity overstatement, I do have to take several deep breaths to quiet the... irritation with the click-baity announcement. It's not only a disingenuous finger pointed at Linux, but it also obscures the (if you know, you know, otherwise..) fact that cups can be run on nearly any device that has an IP stack. Think of all the *BSD, windows and OSX users that thought they were off the hook.
Clarify, that script is executed as whatever the cups daemon user is (nobody in most places). So all it does by itself, at most, is execute a random script as the same user as the cups daemon. This is usually the first stage of an ownage, but just to clarify.
It seems that in computer security research, as in science, the most exciting phrase isn't "Eureka!", but "Huh… that's odd."
If you're ever in the market for a printer, get a Brother. Those things are so easy to use and they just work no matter the OS, except Android which requires Mopria, but that's just Android being weird.
I had my printer up and running within 10 minutes and that was it. No custom bloatware or Linux incompatibility.
I can't rate my experience with brother highly enough.
The only silly thing is that it makes my power flicker when it runs but I just unplug the printer when I'm not using it.
If you don't use color then get a B+W laser printer. If you only print color once every 5 years you can just go to a store and get it printed, the $.15 a page or whatever will likely be cheaper than buying color ink anyways, or you can get a color laser printer by Brother, so you don't have to waste ink because toner doesn't dry out.
Instructions unclear, parents got me a sister instead
Eh, works fine for me on Android without such.
I agree. I used to recommend HP because they were reliable and supported FLOSS print systems but with all their scammy anti-repair and ink-refill activities Brother is a good choice. I like how their inkjet cartridges have a vacuum seal so, unlike certain aforementioned competitors, they don't dry out quickly if printing activity is sparse.
Another big advantage of Brother laser printers (no point in getting inkjet in 2024) is that they happily take 3rd party toner and drums, and their own toner/drums are reasonably priced.
Get an OKI colored laser printer, they have (or at least used to have) the installed "test" cartridges without any DRM chips and you can do a reset, including the page counter in the service menu. Even if you don't reset anything, they print even if "you are out of toner" (with a warning). The only annoying thing about colored laser printers is the fingerprinting by printing yellow dots... (thanks USA money laws)
My product manager and I just talked about implementing a CVE tracker for our custom cups project and thought it was low priority xD. The timing
While reading the blog before, most of the technical stuff went over my head, but I did understand that the attacker needed to disguise the system as a printer using port 631 and the victim needs to use it for it to work, so a 9.9 CVE obviously didn't make any sense for a normal user; however it does make sense for companies where there are more printers and it's easier to disguise… and a company would also be the one to take the most damage from the attack…
Although it is indeed overhyped and none of my Debian servers are affected, Ubuntu is affected by default and the word "Ubuntu" showed up over 150 times in our on-prem server list. What a day
@@harrytsang1501 Is Ubuntu Server affected by default? Mine don't have any cups on, though maybe I deselected it on install or removed it at some point...
Ubuntu server didn't seem to have it. My non server debian boxes did have it. I'm not worried about servers. I'm worried about weird embedded systems. Like PoS machines.
Given the nature of the vuln, it's more if it is listening on port 631. Since it sounds like you're in a corporate environment I'm going to assume you have a firewall for all of those servers. Meaning all you have to do is check the firewall rules.
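The check the reply above describes (is anything listening on port 631, and is cups-browsed configured to take remote announcements at all) is easy to script. Below is an added example, not from the video, the commenters or the CUPS project. `BrowseRemoteProtocols` is the cups-browsed.conf directive that selects which protocols cups-browsed listens to for remote printers; the shipped default is `dnssd cups` and `none` switches remote browsing off. The sample config text and the `ss -ulnp` output are constructed; only the `__main__` block touches the live host, and only when `ss` is installed.

```python
"""Check whether cups-browsed is configured and bound so that it accepts
remote printer announcements.

Added example, not from the video or the CUPS project.  The sample config text
and `ss -ulnp` output are constructed.
"""
import re
import shutil
import subprocess

# Constructed: the stock directive before and after the usual mitigation.
CONF_DEFAULT = """\
# cups-browsed.conf (constructed sample)
BrowseRemoteProtocols dnssd cups
BrowseLocalProtocols dnssd
"""

CONF_HARDENED = """\
# cups-browsed.conf (constructed sample)
BrowseRemoteProtocols none
BrowseLocalProtocols dnssd
"""

# Constructed: `ss -ulnp` output in the shape the tool prints.
SS_SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*    users:(("systemd-resolve",pid=600,fd=13))
UNCONN 0      0      0.0.0.0:631        0.0.0.0:*    users:(("cups-browsed",pid=1234,fd=7))
UNCONN 0      0      [::]:5353          [::]:*       users:(("avahi-daemon",pid=700,fd=12))
"""

_DIRECTIVE = re.compile(r"^\s*BrowseRemoteProtocols\s+(.*?)\s*$", re.M | re.I)


def remote_browse_protocols(conf_text):
    """Return the set of remote browse protocols cups-browsed would use.

    Absent directive -> shipped default {'dnssd', 'cups'}; 'none' -> empty set.
    The last occurrence wins, as for cupsd-style config files.
    """
    matches = _DIRECTIVE.findall(conf_text)
    if not matches:
        return {"dnssd", "cups"}
    value = matches[-1].split("#")[0].strip().lower()
    if value == "none":
        return set()
    return set(value.split())


def udp631_listeners(ss_output):
    """Parse `ss -ulnp` text; return (local_address, process) for UDP/631 sockets."""
    found = []
    for line in ss_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or not fields[3].endswith(":631"):
            continue
        proc = re.search(r'users:\(\("([^"]+)"', line)
        found.append((fields[3], proc.group(1) if proc else None))
    return found


def is_exposed(conf_text, ss_output):
    """True when legacy CUPS browsing is enabled and a UDP/631 socket is bound
    on a non-loopback address."""
    if "cups" not in remote_browse_protocols(conf_text):
        return False
    return any(not addr.startswith(("127.", "[::1]"))
               for addr, _ in udp631_listeners(ss_output))


if __name__ == "__main__":
    print("sample default config exposed:", is_exposed(CONF_DEFAULT, SS_SAMPLE))
    print("sample hardened config exposed:", is_exposed(CONF_HARDENED, SS_SAMPLE))
    # Live check of this host, when the tooling is present.
    if shutil.which("ss"):
        live = subprocess.run(["ss", "-ulnp"], capture_output=True, text=True).stdout
        try:
            with open("/etc/cups/cups-browsed.conf", encoding="utf-8") as fh:
                conf = fh.read()
        except OSError:
            conf = ""  # no config file: behave as the shipped default would
        print("this host exposed:", is_exposed(conf, live))
```

A host-level firewall rule dropping inbound UDP/631 changes the answer for the network but not for this check, which looks only at the socket and the directive; that is deliberate, since the firewall is the layer the reply above says to verify separately.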
I like that the author of the article talks about a Part II or even a Part III.
I could see state actors being VERY interested in this exploit or maybe even already using it for a long time
Something like the recent supply chain attack by Israel comes to mind: Set up a proxy company that sells printers with modified firmware and your victim even invites you in
@@BobDerFlossmeister How many high value targets of state sponsored actors are running Linux??
@@johnpeterson9152 If Android is vulnerable...
@@johnpeterson9152 Businesses and infrastructure mostly, not _individuals_ exactly.
Very well said. Curiosity and questioning things are very important to find such issues.
Hey you guys remember that PrintNightmare exploit for Windows that was discovered in 2021? Yeah, it's still vulnerable...
Is it? Is it really? I’m asking sarcastically because I know you don’t know what you’re talking about.
@@o0Donuts0o Oh look its the àùťîśm hour I guess. Who invited you?
Sooo, it's not a Linux bug, it is a CUPS bug. The majority of servers do not have CUPS installed. This was hyped like it was an RCE in the kernel.
No one is mentioning that CUPS was bought by Apple about 15 years ago. Thanks apple for that. The guy that was maintaining it departed Apple for his own company. So cups has been stagnant ever since. IMHO, this may be part of Simone's problem. The brain departed. Nobody to maintain it.
Exactly. Nice exploit chain, lots of interesting stuff, then the guy goes "zomg Linux is one giant security hole and no one cares!", knowing full well that cups has nothing to do with Linux other than it runs on it (and on pretty much all other posixy systems). Lost all the cool points immediately. Not to mention, this isn't a commercial vendor, it's a small group of volunteers maintaining a very old, hairy codebase that has to deal with printer manufacturers not supporting anything other than windows.
thank you for the great explanation!
Another way I can see to exploit this potentially is to become their printer, tee that to the real one and capture the data. One client I have thinks it's super convenient to copy-paste their credit card numbers, and those of their customers, into lots of forms and spreadsheets. They print these. Identifying as a printer might not be so harmless. edit: This is not behind their main firewall for automation systems, it's front office and basically unlocked because derps work in there.
The problem I have with what Simone posted is less about the CVSS score and more about saying it affects *all* GNU/Linux systems. This implied to many people that it was a kernel-level RCE. Once it came out that it was CUPS I went from having to panic about all of my Linux systems down to disabling CUPS on my laptop. That bottom paragraph says to me that he posted that X/Twitter out of frustration in dealing with the devs who were dragging their feet to try and light a fire, but now it's getting him unfairly roasted.
"Unfairly"? Completely deserved.
A very helpful walkthrough of what's involved here. I've been a printer-support person at my college for many years, and due to that I'm quite aware that CUPS is a mess wrt security. I just did a quick check, and of some 220 linux hosts that I have some responsibility for, about six *might* be affected by this. And I think only one of those needs to have CUPS running at all.
Good work by the security-researcher guy. It's a shame that this got pre-announced as 9.9, as the "letdown" (???) from that claim makes people upset with the whole event.
The biggest thing I learnt here is how NOT to interact with the software security community.
^ this.
Yep. A disclosure written as a FU idiots post. Looked immature.
How about no. The guy reporting it spread lies and FUD (no, this is not a 'no interaction RCE', it's not 'Linux' etc), hyped his CVEs, and pretended not to understand that cups - a very old, hairy codebase that has to do unpalatable things because of 0 driver support from manufacturers and maintained by a very small group of volunteers who get 0 credit because it's not a sexy project - is somehow horrible through incompetence or malice, rather than lack of volunteer time.
exactly. it was unprofessional
@@paulie-g okay, sure I'll grant that that's true.. _but_ all those can be genuine mistakes, *and* they don't deserve harassment for it
For decades I have marveled at how many exploits exist solely/entirely around the printer sub-device architecture; I've been a computer builder/nerd for 30+ years and I have never had a printer connected to my home devices XD
We should just drop the number rating from CVEs. It's utterly pointless at this point.
although you got the name pronunciation wrong😅 ( search for the Italian pronunciation of the Italian name Simone), great explanation !! thanks❤
Very cool
I guessed he was Italian, cool
Could have been a female, Simone is a common female name in Scandinavia
In German it'd be a female name
@@alphadexxa In Italian Simone is for male, while Simona or Simonetta is for female.
It's definitely a great and fantastic find.
It's just that Simone's tweet tried to suggest he found something that was equivalent (or worse) than Log4j and the fact is, no. Not even close.
It's very big, just, a little bit overhyped.
the meme implementation of this article is par excellence and made me laugh
No man, I'm watching because I'm addicted to your channel
THANK YOU for using a video title that actually describes the video ❤
If you open/forward ports for services only intended for LAN use, you deserve this exploit.
@@mawnkey You shouldn't blindly trust the LAN either. This would be a very easy way to hop from one infected client to another.
@@Ether_Void Obviously. I'm sure we'll see this exploited in horizontal movements across networks. I've always applied the concept of minimizing attack surface within networks for just that reason.
Also printers are the devil and this is just further proof.
If you open the 631/tcp port to the whole internet and allow unauthenticated traffic, you have made a mistake.
You think no-one ever got hacked as long as they had a basic network-level packet-filtering firewall? Geeze.....
@2m45s netstat told me that there's nothing listening on UDP port 361 so I'm totally safe 😁
@@chocolate_squiggle Well, it's a good start.
@@chocolate_squiggle I can't see where he said he thought that 😆
It's not tcp. It's a udp port. That's right, udp. I know, right?
5:00 no CVE writeup is complete without a meme .jpg inserted in there somewhere 😂
and sort of summarizes what's wrong with this society of memes. Memes are a waste of time, are predictable, not so funny after a while. And yes I am very funny at parties and I am not the police. See what I did there?
@@FamilyRUclipsTV-x6d everyone is a comedian nowadays
@@FamilyRUclipsTV-x6d You must be so fun at par---aw dang it
Bluetooth has gotten really unsafe to use in my neighborhood.
I had an ESP32 device kick my headset, spoof the headset, set up a virtual LAN connection, and then start trying other vulnerabilities before I caught it. It spread to 2 other systems on my network. And started trying to exfiltrate data.
Stay off Bluetooth. It's not worth the convenience.
Amazing breakdown. Thank you for the summary
Always an intelligent explanation of unintelligent software mistakes.
Just a little history.
The Foomatic interface emerged when there was a bit of competition over the printing standard on Linux: LPD, LPRng and CUPS.
Cups being the new kid on the block.
The problem starts with the fact that many printers do not have a driver for Linux, or the closed drivers are worse than the open source ones (e.g. Ghostscript).
Other issues come from the fact that many printers are just a rebrand of another model, and mapping what worked with which was needed.
So this is what the Linux Printing Database did, and Foomatic came out of it (like WineHQ's database for apps).
It started as a band-aid to get the printer to work on Linux and it is astonishing to find out that even today it has not been improved.
Also worth mentioning that Cups was bought by Apple a long time ago and is branded as an Apple product.
Turns out a feature I've known for years is a security bug. 🎉
Same lol.
I do enjoy the memes mid explanation, it keeps me engaged
cups-browsed is a desktop package, this doesn't affect servers at all. There's close to zero desktop linux PCs with a public IP. Even homelab/IoT devices are mostly behind NAT with certain ports open, certainly not UDP/631.
That said; it's still a major backdoor for anyone already inside a LAN with Linux Desktops.
"fuzzing is when you scream at a program and see what happens"
that's such a good description oh my god
Your printer impersonations are spot on!
I love the idea that fuzzing is just screaming at code and seeing what bugs crawl out
stop clickbaiting cvss scores, they're meaningless without the context of what the software is and who the user is. it's not a damn richter scale
Not even the Richter scale is what you think the Richter scale is
It's worse - it's a manager's scale. We know about managers.
OMG, It's a 9.9 out of 10! Almost as bad as it can be! Panic, run over the women and children! We're staying late to fix this! We'll buy Chinese Food and a couple Pizzas. Call home, you're staying late.
Only to find out you're probably not even running cups. If you are it's set to localhost. Even if they get through they can only define a printer - which someone would have to use to exploit. So not some attacker could do this. They'd need help or be within the organization.
I manage a bunch of RHEL, Fedora, and some other machines. A couple of them had cups running. Localhost only. So it's probably a 5.0 - 7.1. Congrats on finding the bug. It needs attention. Don't lose sleep over it.
I mean, that is *_literally_* its point. Is it misused? Absolutely, but its entire job is to give a score for how bad it is.
@@robertthomas5906 who the fuck has CUPS set to localhost? Do you mean LAN? "Localhost" means it is hosted locally, i.e. on the same machine, but basically every printer in the past 1.5 decades has had network printing by default, and I can't recall a distro ever not having that work.
So the requirements are, 1 : be on the same network as a target, 2 : name your "printer" "Save to PDF", 3 : profit
It's not clickbait. It's technical opinion difference on how stupid simple this exploit is
Thanks for the update. I heard Steve Gibson briefly speaking about this. Curious what he has to say about it on his next show.
Before anything else, if it’s an exploit in cups, it’s not a vulnerability in every Linux system. For example, I run a server that doesn’t have cups installed because I removed it.
Thanks for the heads-up, buttoned my CUPSes up.
Loved watching you live with the primeagen. I need more cyan 😂😂😂
Y'all know Simone is the guy that gave us Bettercap & Pwnagotchi, right?
Is it really a guy? In french "Simone" is a very female name.
@@Alfred-Neuman In English too. But different languages are different.
@@Alfred-Neuman I looked it up. He's Italian and in Italian Simone is masculine, pronounced using 3 syllables.
@@BlueEyesWhiteTeddy Okay thanks, I was just curious. It's like the name "Sasha" for Russian guys, the first time I heard this I was a bit confused but it's a very common name for males in Russia...
@@thewhitefalcon8539 Yep, that's why I was asking... ;)
Apparently he's Italian.
(The more you know)
I don't mind such a powerful print driver existing for compatibility reasons, but I think that every time you use this printer it should show you that this powerful print driver is being used to execute this command ~
So then if you trust the printer you can still print with it, but it might make you double check.
Never saw the tweet. I'm subscribed! 😎
I love his dedication to memes
This is absolutely a huge deal for government and enterprise sectors. They often purchase printers in bulk, so you can easily pick a name that won't raise any eyebrows. Especially in govt, where security can be atrocious.
You just walk into a court building, sit down in the waiting area, connect to Wi-Fi, add yourself as a printer to every host you can reach and wait a few minutes. There are tons of paperwork constantly being printed out, so you very quickly get your code running on a machine that has access to a lot of court data, and can modify most of it as well.
Want a fancy registration plate for your car? Go to DMV and do the same. Want your speeding tickets dropped? Go to your police department and just delete them from the system.
Well, one would hope public wifi in court buildings (and your other examples) doesn't allow access to internal networks where printers are attached.
@@chocolate_squiggle yeah, but it's a slim hope. People in IT dept are probably not paid enough to actually care
@@chocolate_squiggle You'd be surprised how crap government IT is.
It's not big deal for governments. They have security plans in place and on that list is getting rid of things you don't need - such as a printing subsystem you'll never use. Every government place I've worked at they did the security and that was removed.
If they don't care, sure it would be a problem and so would so many other things. Look under some keyboards. Do you see a password?
@@robertthomas5906 I'm struggling to think of a govt department that doesn't need to print a ton of paperwork every day
Ah, yes! foomatic-rip the state mandated backdoor.
Well, it has RIP in the name ...
foomatic-rip had its purpose a decade and a half ago, I remember those days. Printer manufacturers, other than HP, were being little twits and not even sharing postscript and capabilities used by their printers with open source devs and users. foomatic-rip allowed you to use printers not officially supported without a PPD file by using the PPD from a similar printer and tweaking it on the fly with the aforementioned tool.
@@JPs-q1o My brother!
It's a serious exploit, but not a 9.9. A firewall can stop the attack. Does every distribution run cups by default?
Desktop distros yes. With the worst part being we want it there. This is what allows the "it just works" printing on Linux, and the printer appearing in the list part is expected behavior.
Yes, but my Arch install wasn't listening on udp:631 and, obviously, any sane person has a deny-all rule in their *tables.
Simone's done a great job.
All I can think about is a workstation set up to print to the closest printer by default in an office. The worker printing probably prints 100 files a day, and never once looks at the printer they're using because it always goes to the closest printer. Just clicking through the popup with rote memorization. I can see the same thing happening to a home user that only has one printer, and thus has never once looked at the "printer list" because it's never been populated. If it defaults to the attacking printer, both of these users would be screwed just for not assuming they have to look at their printer list every time they print.
The crazy thing to me is that Ubuntu firewall is not enabled by default. 🥴😳
I am waiting to see more on the Avahi bugs that were mentioned
The name RIP suggests it's about a Raster Image Processor. Those are used between a computer and a large format plotter, basically a server that takes control of, e.g., color profile transformations like RGB->CMYK (the printer is CMYK and doesn't know what to do with RGB).
It converts postscript or pdf into the printers native raster format. The tool is less and less useful since Apple’s AirPrint and Google’s CloudPrint both decided on a PDF subset for print job submission.
Nice overview!
Need Simone attitude in my life
I am increasingly convinced there are parts of Linux and the open source ecosystem that have never received serious security scrutiny.
CUPS is from a time when finding the phone number for a system gave you full access to it
"I have a printer and its location, it's in your butt" didn't expect that. 😂
The thing is that a Linux 9 CVE sounds like a doomsday scenario, but it does not if servers (who are behind firewalls and never print) are not affected 😅
Odd that the distributions don't firewall-zone the port to the local network. 12:20 you sure it's reachable by default? Did you turn your host firewall off?
I would caution everybody to remember that this is the CVSS **base** score. CVSS base scores are calculated based on objective criteria of a vulnerability, it specifically does not include subjective or contextual criteria. CVSS provides for two additional scores that are a lot more subjective.
The temporal score (which we could see on screen when you were looking at the base score; it hasn't been evaluated or assigned yet, at least by the security vendor whose website you were looking at) considers how recent the vulnerability is. Is it theoretical? Has there been a proof of concept? Is it known to be widely exploited?
The last category is the environmental category that organizations are supposed to evaluate vulnerabilities against themselves. This category is entirely subjective and gives the context to a vulnerability. In this case for example, if an organization simply doesn't use cups on their systems, or if it does use cups and everything is firewalled off, the final score should be pretty low. If an organization runs lots of Linux as desktops in a call center or something and if an attacker could somehow get a device on that network, then I would expect the final score would be much higher.
It reminds me of this meme about tech workers having only a printer at home and no IoT devices but still keeping a gun close to it just in case it starts making sounds you don't recognize 😅
Printers never worked for me on Windows or MacOS, but always do work perfectly fine on Linux. :)
Really wish there was a way to make future printers more or less universal or at least with a universal mode like if they all accepted some basic image or vector format and then all new printers would not need as much backwards compatibility to just do basic printing. Would be amazing if there were some form of human readable language that printers could support, something like LaTeX. Just something that does not require the user's machine to run some arbitrary code that is different for each printer, like a universal printer language.
This is interesting - both the computing and the human dynamics 😂
As an Arch user without a printer, I don't have this
as an arch user, you have fulfilled your EULA mandate to inform the greater public, that you are in fact, an arch user.
@@Jack-vk5ko it's in the EULA, can confirm
@@Jack-vk5ko I have a Steam Deck, does that count as using Arch?
@@the-answer-is-42Yes technically as it is based on it
@@the-answer-is-42 The answer to which you seek is on Slide 4 of the FileSystem / Rust powerpoint, you didn't see it?.
I could imagine that the vulnerability could be exploited in networks that provide centralised printing. You can print arbitrary files there by design and to allow this, port 631 has to be open. So you have all the ingredients to run arbitrary code on the print server.
CUPS actually has a decent amount of internal privilege management ability. You can allow printing by anyone but only allow printer setup by authorized users. CUPS had advertise myself but ignore other adverts filtering at one point as well. It may be disabled by default now.
Ed I wish you would have talked about how to restrict access to cupsd. You mentioned that it's open to everyone by default but not how to restrict to local traffic only.
Soooo, somebody at a CVE actively put out a bug somebody else found… probably out of spite. Very professional and safe.
An actually useful attack vector utilizing this "feature" would be data smuggling from inside a company to outside of said company. A machine that normally does send print jobs starting to send a few more per day might not even get a "huh, that's strange" from most companies' underpaid/underskilled IT personnel. Gain access to that machine just long enough to install your faux printer, a piece of code that simply sends a duplicate of every print job to a remote "printer" that is simply saving the output of that print to a file (like print to PDF). As long as the user never sees any interruption of their normal tasks they may never know they are an assailant data smuggler. The IT persons may not realize for a while, or ever, because the user is printing to a printer they installed and gave permission to.
I actually exploited it using Kali as the attacker and Ubuntu as the victim by just running netcat and the PoC script on Kali, and just printing a picture from Ubuntu gave me a reverse shell
Thank you for the instrument
The fact that so many non-print servers have this package installed and running should make us worried about so many bad administrators leaving it open. I had to go double check mine cause you know.. mistakes happen.
10:42 The user has to print something using the printer definition that was created by the attacker. However, if the attacker knew the name of the existing printer definition, the user would not notice anything out of the ordinary.
LL was The Printer this whole time.
foomatic raster image processor lets you convert PDFs to pixel-based images for printing yer stuff out
thanks for sharing, nice video
I was waiting for that!
No printer was harmed during the recording of this video
The affected version is 7 years old, 2.0.1 released in 2016. Ubuntu still ships it in a recent LTS...
So one key thing to note it seems is that they already need to be in your network for this to be done. So risky for public networks, not as bad if you've got your own private wifi. Although considering the last video was a router exploit issue, maybe shouldn't be too complacent.