From: -hh
Newsgroups: comp.os.linux.advocacy
Subject: Re: 9.9/10 security vulnerability affecting Linux (and others) set to be revealed on October 6th
Date: Fri, 27 Sep 2024 13:05:59 -0400
References: <2O1JO.214184$FzW1.145017@fx14.iad>

On 9/27/24 8:40 AM, CrudeSausage wrote:
> On 2024-09-27 12:17 a.m., RonB wrote:
>> On 2024-09-26, CrudeSausage wrote:
>>> On 2024-09-26 12:03 a.m., RonB wrote:
>>>> On 2024-09-26, CrudeSausage wrote:
>>>>> Worse than Heartbleed, Meltdown or Spectre. According to a GitHub
>>>>> developer:
>>>>>
>>>>> "From a generic security point of view, a whole Linux system as it is
>>>>> nowadays is just an endless and hopeless mess of security holes waiting
>>>>> to be exploited." (kind of like Chris Ahlstrom's body)
>>>>
>>>> Yet another "catastrophic" Linux security threat that will be fixed
>>>> within days.
>>>
>>> They're working on it and so far coming up with no way of fixing it. I
>>> wouldn't be surprised if there is no solution by October 6th. If that is
>>> the case, you just know that bad actors will be attacking Linux
>>> relentlessly from October 7th on. This looks like the real deal. 9.9/10
>>> is pretty serious when you consider that the aforementioned issues were
>>> rated between 5 and 7 on 10.
>>>
>>>> You realize that Cyber Security News makes their case for existence by
>>>> hyperventilating about potential "catastrophic" security threats,
>>>> right?
>>>
>>> Perhaps, but the developers on GitHub have been freaking out as well to
>>> a point that Lunduke felt it necessary to bring this problem to light.
>>> Those developers are usually arrogant about their ability to fix such
>>> issues, not this time.
>>
>> Interestingly enough, since this works through the CUPS system on
>> Unix-based machines, this also affects MacOS. Odd Cyber Security News
>> didn't mention that little factlet.
>>
>>     Summary
>>
>>     The first of a series of blog posts has been published detailing a
>>     vulnerability in the Common Unix Printing System (CUPS), which
>>     purportedly allows attackers to gain remote access to UNIX-based
>>     systems. The vulnerability, which affects various UNIX-based operating
>>     systems, can be exploited by sending a specially crafted HTTP request
>>     to the CUPS service.
>>
>>     Threat Topography
>>
>>        Threat Type: Remote code execution vulnerability in CUPS service
>>        Industries Impacted: UNIX-based systems across various industries,
>>        including but not limited to, finance, healthcare, and government
>>        Geolocation: Global, with potential impact on UNIX-based systems
>>        worldwide
>>        Environment Impact: High severity, allowing attackers to gain
>>        remote access and execute arbitrary code on vulnerable systems
>>
>>     Overview
>>
>>     X-Force Incident Command is monitoring what claims to be the first in
>>     a series of blog posts from security researcher Simone Margaritelli,
>>     detailing a vulnerability in the Common Unix Printing System (CUPS),
>>     which purportedly can be exploited by sending a specially crafted HTTP
>>     request to the CUPS service. The vulnerability affects various
>>     UNIX-based operating systems, including but not limited to, Linux and
>>     macOS. The vulnerability can be exploited to gain remote access to
>>     affected systems, allowing attackers to execute arbitrary code and
>>     potentially gain elevated privileges. X-Force is investigating the
>>     disclosure and monitoring for exploitation. We will continue to
>>     monitor this situation and provide updates as available.
>>
>>     Key Findings
>>
>>        The vulnerability affects various UNIX-based operating systems,
>>        including but not limited to, Linux and macOS
>>        All versions of Red Hat Enterprise Linux (RHEL) are affected, but
>>        are not vulnerable in their default configurations.
>>        The vulnerability can be exploited by sending a specially crafted
>>        HTTP request to the CUPS service
>>        The vulnerability allows attackers to gain remote access to
>>        affected systems and execute arbitrary code
>>        The vulnerability has been identified as high severity, with
>>        potential for significant impact on affected organizations
>>
>>     Mitigations/Recommendations
>>
>>        Disable the CUPS service or restrict access to the CUPS web
>>        interface
>>        In case your system can't be updated and you rely on this service,
>>        block all traffic to UDP port 631 and possibly all DNS-SD traffic
>>        (does not apply to zeroconf)
>>        Implement additional security measures, such as network
>>        segmentation and access controls, to limit the spread of the
>>        vulnerability
>>        Conduct thorough vulnerability assessments and penetration testing
>>        to identify and remediate any other potential vulnerabilities
>>        Implement robust incident response and disaster recovery plans to
>>        mitigate the impact of a potential breach
>>
>> https://securityintelligence.com/news/fysa-critical-rce-flaw-in-gnu-linux-systems/
>>
>> And this...
>>
>>     That doomsday critical Linux bug: It's CUPS. May lead to remote
>>     hijacking of devices
>>
>>     No patches yet, can be mitigated, requires user interaction
>>     Thu 26 Sep 2024 // 17:34 UTC
>>
>>     Final update: After days of anticipation, what was billed as one or
>>     more critical unauthenticated remote-code execution vulnerabilities in
>>     all Linux systems was today finally revealed.
>>
>>     In short, if you're running the Unix printing system CUPS, with
>>     cups-browsed present and enabled, you may be vulnerable to attacks
>>     that could lead to your computer being commandeered over the network
>>     or internet. The attacks require the victim to start a print job. Do
>>     not be afraid.
>>
>>     The bugs were found and privately reported by software developer
>>     Simone Margaritelli who has now openly disclosed the security
>>     weaknesses in detail here. This write-up is said to be part one of
>>     two or maybe three, so expect more info at some point.
>>
>>     He went public today at 2000 UTC after seemingly becoming frustrated
>>     with the handling of his vulnerability reports by CUPS developers. No
>>     patches are available yet. Public disclosure was previously expected
>>     to be no later than September 30.
>>
>>     What you need to know for now, according to Margaritelli, is:
>>
>>       Disable and/or remove the cups-browsed service.
>>
>>       Update your CUPS installation to bring in security updates if or
>>       when available.
>>
>>       Block access to UDP port 631 and consider blocking off DNS-SD, too.
>>
>>       It affects "most" Linux distros, "some" BSDs, possibly Google
>>       ChromeOS, Oracle's Solaris, and potentially others, as CUPS is
>>       bundled with various distributions to provide printing
>>       functionality.
>>
>>       To exploit this across the internet or LAN, a miscreant needs to
>>       reach your CUPS service on UDP port 631. Hopefully none of you have
>>       that facing the public internet. The miscreant also has to wait for
>>       you to start a print job.
>>
>>       If port 631 isn't directly reachable, an attacker may be able to
>>       spoof zeroconf, mDNS, or DNS-SD advertisements to achieve
>>       exploitation.

========== REMAINDER OF ARTICLE TRUNCATED ==========
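The mitigations quoted in the thread (disable cups-browsed, stop it accepting remote printer advertisements, keep UDP 631 off non-loopback interfaces) can be checked on a host with a small audit script. This is an added example, not code from the thread or from the CUPS project; it assumes a systemd unit named cups-browsed, the config file /etc/cups/cups-browsed.conf with its BrowseRemoteProtocols directive, and `ss` for listing listeners. The two checks take their input as arguments so they can be exercised offline against constructed data.

```shell
#!/bin/sh
# Added example: audit a host for the cups-browsed exposure described above.
# Assumptions (not from the thread): unit "cups-browsed", config file
# /etc/cups/cups-browsed.conf, and `ss -lun` output in the usual column order
# "State Recv-Q Send-Q Local Address:Port Peer Address:Port".

# Return 0 if any line of the given `ss -lun` output shows UDP 631 bound to a
# non-loopback address (0.0.0.0, [::], * or a real interface address).
check_udp631() {
    printf '%s\n' "$1" | awk '
        $4 ~ /:631$/ && $4 !~ /^(127\.|\[::1\])/ { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Return 0 if the cups-browsed config still accepts remote advertisements.
# A missing file or missing directive means the daemon default (dnssd cups),
# which is the exposed state; only an explicit "none" counts as hardened.
browse_remote_enabled() {
    [ -r "$1" ] || return 0
    val=$(awk 'tolower($1) == "browseremoteprotocols" { v = $2 } END { print v }' "$1")
    case "$val" in
        [Nn][Oo][Nn][Ee]) return 1 ;;
        *) return 0 ;;
    esac
}

# Live audit: print one finding per exposed condition, nothing if clean.
audit_host() {
    if command -v systemctl >/dev/null 2>&1 && systemctl is-active --quiet cups-browsed; then
        echo "FINDING: cups-browsed is running; disable it if printers are not auto-discovered"
    fi
    if browse_remote_enabled /etc/cups/cups-browsed.conf; then
        echo "FINDING: cups-browsed.conf accepts remote printer advertisements (BrowseRemoteProtocols is not none)"
    fi
    if command -v ss >/dev/null 2>&1 && check_udp631 "$(ss -lun 2>/dev/null)"; then
        echo "FINDING: UDP 631 is bound on a non-loopback address; filter it at the host firewall"
    fi
}

# Run the live checks only when invoked as: sh audit.sh --live
if [ "${1:-}" = "--live" ]; then
    audit_host
fi
```

Each function returns 0 for the exposed state, so `audit_host` can be wired into a configuration-check job that fails on any finding.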