pwshub.com

Ubuntu Patches ‘Severe’ Security Flaw in CUPS

If you’ve cast a half-glazed eye over Linux social media feeds at some point in the past few days you may have caught wind that a huge Linux security flaw was about to be disclosed.

And today it was: a remote code execution flaw affecting the CUPS printing stack used in most major desktop Linux distributions (including Ubuntu, and also Chrome OS). With a severity score of 9.9 it’s right at the edge of the most severe vulnerabilities possible.

The details?

“At its core, the vulnerability is exploited by tricking CUPS into generating an attacker-controlled PPD (PostScript Printer Description) file for a printer containing an arbitrary command,” Canonical explains on its security blog.

“Whenever the next print job is sent to the printer in question, the command will be executed as the lp user (this is the user that the CUPS daemon runs as and, barring other exploitable vulnerabilities, would not have escalated privileges).”

Many of the headline-grabbing security vulnerabilities that get found, patched, and disclosed only affect specific hardware or configurations, or require some ne’er-do-well to have physical access to your machine.

So I’m reading that thinking: “no worries! ain’t no-one gonna trick a printing service on my computer into doing things without me knowing…”

But Simone Margaritelli, who uncovered the flaw and had to battle to get it taken seriously, explains in a (very detailed) write-up on his blog that this can be done silently, remotely, and without authentication.

On the internet “a remote attacker sends a UDP packet to port 631. No authentication whatsoever,” or on a LAN, “spoofs zeroconf / mDNS / DNS-SD advertisements”.

Red Hat breaks down the chain step-by-step:

  1. The cups-browsed service is manually enabled or started
  2. Attacker has access to a vulnerable server, which:
    1. Allows unrestricted access, such as the public internet, or
    2. Gains access to an internal network where local connections are trusted
  3. Attacker advertises a malicious IPP server, thereby provisioning a malicious printer
  4. A potential victim attempts to print from the malicious device
  5. Attacker executes arbitrary code on victim’s machine

And this has been possible for… years? Crikey.

But don’t panic!

The first bit of good news is that if you use a firewall or NAT router that blocks the affected port you would (presumably) never have been vulnerable.

The second bit of good news is that Canonical’s security team has now issued critical security updates for the affected cups-browsed, cups-filters, libcupsfilters and libppd packages. These updates are rolling out to all supported Ubuntu releases today.
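If you want to check where your own machine stands on the two points above (is cups-browsed running and is UDP port 631 reachable from beyond loopback, plus which of the four package families are installed so you can confirm the update landed), here is a small audit script. It is an added example, not code from the article, Canonical or the CUPS project; the function names are my own, the `ss`, `systemctl` and `dpkg-query` invocations assume an Ubuntu or Debian host, and the sample `ss` and `dpkg-query` output embedded at the bottom is constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example, not from the article: a defender-side exposure check for the
# cups-browsed flaw. Parsers take command output as an argument so they can be
# exercised against saved or constructed output without root or a real host.

# Exit 0 if `ss -uln` output ($1) shows a UDP socket on port 631 bound to a
# non-loopback address (IPv4 or IPv6); exit 1 otherwise.
udp631_exposed() {
    printf '%s\n' "$1" | awk '
        $1 == "UNCONN" && $4 ~ /:631$/ {
            addr = $4; sub(/:631$/, "", addr)
            if (addr != "127.0.0.1" && addr != "[::1]") found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# Print "name version", one per line, for installed packages from
# `dpkg-query -W -f '${Package} ${Version}\n'` output ($1) whose names fall
# into the four package families Canonical updated.
affected_packages_installed() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^(cups-browsed|cups-filters|libcupsfilters|libppd)/ { print $1 " " $2 }'
}

# Live audit: needs systemctl, ss and dpkg-query (assumed Ubuntu/Debian host).
audit_host() {
    if systemctl is-active --quiet cups-browsed 2>/dev/null; then
        echo "cups-browsed: ACTIVE (the flaw requires this service to be running)"
    else
        echo "cups-browsed: inactive or not installed"
    fi
    if udp631_exposed "$(ss -uln 2>/dev/null)"; then
        echo "udp/631: bound to a non-loopback address; make sure your firewall blocks it"
    else
        echo "udp/631: not listening beyond loopback"
    fi
    echo "affected packages installed (compare versions against the update you applied):"
    affected_packages_installed "$(dpkg-query -W -f '${Package} ${Version}\n' 2>/dev/null)"
}

# Constructed sample output (not from a real host) showing an exposed machine.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
UNCONN 0      0      0.0.0.0:631         0.0.0.0:*
UNCONN 0      0      127.0.0.1:323       0.0.0.0:*'

# Constructed package list with placeholder versions.
SAMPLE_DPKG='cups-browsed 1.0-example
cups-daemon 1.0-example
libcupsfilters1 1.0-example
libppd2 1.0-example'

if [ "${1:-}" = "--live" ]; then
    audit_host
else
    udp631_exposed "$SAMPLE_SS" && echo "sample: udp/631 is exposed"
    affected_packages_installed "$SAMPLE_DPKG"
fi
```

Run it with `--live` on the host you want to audit; without arguments it only exercises the parsers against the constructed samples. A listening socket on 0.0.0.0 or [::] does not by itself mean the port is reachable from the internet (a NAT router or host firewall in front of it still blocks it, as the article notes), but it does mean the host itself is not the thing stopping the packet.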

The aforelinked coverage is worth reading for more background, but also context. Canonical’s coverage is reassuring but Simone, who uncovered the flaw, highlights the difficulty in trying to get those whose packages are affected to acknowledge there’s a problem in the first place.

Even if the flaw is gaping wider than a muppet’s mouth.

On CUPS he concludes: “I’ve seen and attacked enough of this codebase to remove any CUPS service, binary and library from any of my systems and never again use a UNIX system to print. I’m also removing every zeroconf / avahi / bonjour listener.”

No doubt lots of other knowledgeable folks are offering technical breakdowns and analysis on social media, so if you’re super-keen to learn more …I would say search for the term ‘CUPS’, but I was using the internet in 2006, so …Do not do that.

Anyway, go and install the security patches Canonical has pushed out (if you have unattended upgrades enabled they will probably be installed already), then give your machine a reboot to ensure everything clicks into place properly.

Next time I send something to print from Ubuntu I may just double-check my system processes once the job is done…

Source: omgubuntu.co.uk
