Why is it always the printers?
If you’ve been keeping up with cybersecurity news, you might have heard about a serious vulnerability affecting UNIX systems through the Common Unix Printing System (CUPS). The vulnerability was initially assigned a severity rating of 9.9 out of 10, which falls into the ‘Critical’ category of the Common Vulnerability Scoring System (CVSS). Let’s break down what this means and why it’s something you should be aware of.
What’s Happening?
The issue revolves around a component called cups-browsed, which is responsible for discovering and adding network printers automatically. The problem is, it’s a little too trusting right now. This component listens on a specific network port (UDP port 631) and accepts packets from anyone without verifying where they’re coming from.
Why Should You Care?
Here’s why this is a big deal:
- Remote Exploitation: An attacker can send specially crafted packets to your system, and if you’re using cups-browsed, they might be able to execute commands on your machine without you knowing.
- No Authentication Required: This isn’t something that requires a username and password. The attacker doesn’t need any special access—they just need to know your system is out there and running this service.
- Widespread Impact: This isn’t limited to just a few users. It affects most UNIX systems that have CUPS installed, which means a lot of people are potentially at risk.
Which OSs are affected?
According to evilsocket the following OSs are/could be affected:
- most GNU/Linux distributions
- macOS
- some BSDs
- Google Chromium / ChromeOS in some cases
- Oracle Solaris
- Possibly others
There are potentially hundreds of millions of devices running the CUPS service that could be attacked.
What Can Go Wrong?
If this vulnerability is exploited, an attacker could:
- Install or replace printers with malicious entries that could:
  - Execute commands with the same privileges as the CUPS service.
  - Intercept or manipulate print jobs.
Being able to execute commands on remote devices is a big scary deal! An attacker could gain full control of your machine, steal data, deploy malware, use this entry-point to gain access to other systems on your network, install surveillance software such as keyloggers, and much more.
What Should You Do?
- Disable cups-browsed: If you don’t need network printing, just disable and remove this service. Most users don’t need it running all the time, and turning it off will close this vulnerability.
- Update Your System: Make sure your CUPS software is up-to-date. Developers are working on patches, so keeping your system updated is crucial.
- Network Precautions: Block UDP port 631 if you can’t update or disable the service right away. This will help prevent external access.
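The steps above as a small audit-and-harden script, added here as an example that is not from the original post or the CUPS project. It assumes a systemd-based Linux host with ss available, and ufw or iptables for the firewall rule; the sample ss output embedded in it is constructed, not captured from a real machine.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post or the CUPS project.
# Checks whether cups-browsed is reachable on UDP/631 and applies the
# mitigations the post lists. Assumes a systemd host with `ss`; the
# firewall step assumes ufw or iptables is installed.

# Exit 0 if `ss -ulnp` output on stdin shows a UDP listener on port 631 bound
# to anything other than loopback, else exit 1.
udp631_exposed() {
    # Columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port Process
    awk 'NR > 1 {
            n = split($4, a, ":")          # "0.0.0.0:631", "*:631", "[::]:631"
            port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (port == "631" && addr != "127.0.0.1" && addr != "[::1]") found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# Constructed sample output (not captured from a real host) for offline checks.
SS_EXPOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0            0.0.0.0:631       0.0.0.0:*     users:(("cups-browsed",pid=812,fd=7))'
SS_LOOPBACK_ONLY='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0          127.0.0.1:323       0.0.0.0:*     users:(("chronyd",pid=401,fd=5))
UNCONN 0      0          127.0.0.1:631       0.0.0.0:*     users:(("cups-browsed",pid=812,fd=7))'

demo_exposed() { printf '%s\n' "$SS_EXPOSED"       | udp631_exposed; }
demo_safe()    { printf '%s\n' "$SS_LOOPBACK_ONLY" | udp631_exposed; }

# Live check against this machine.
live_check() { ss -ulnp 2>/dev/null | udp631_exposed; }

# The post's mitigations: remove the service, and block the port as a fallback.
harden_cups_browsed() {
    sudo systemctl disable --now cups-browsed   # stop it and don't start at boot
    sudo systemctl mask cups-browsed            # keep package updates from re-enabling it
    if command -v ufw >/dev/null 2>&1; then
        sudo ufw deny 631/udp
    else
        sudo iptables -A INPUT -p udp --dport 631 -j DROP
    fi
}

if [ "${CUPS_AUDIT_LIVE:-0}" = 1 ]; then
    if live_check; then
        echo "cups-browsed is listening on UDP/631 for non-loopback addresses"
        harden_cups_browsed
    else
        echo "no exposed UDP/631 listener found"
    fi
fi
```

Run with CUPS_AUDIT_LIVE=1 to check and harden the current host; without it the script only defines the functions so the constructed samples can be checked offline.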
The Bottom Line
This vulnerability is a reminder that even seemingly harmless services like printing can become security risks if not properly managed. For a more technical dive into the issue, check out the original analysis on EvilSocket (it’s very thorough, if a little sweary…).
I’ve never liked printers.
Thank you Joe for this useful and practical summary!