The new "9.9" Severity Linux Vulnerability
Summary
TLDR: In this video, Eric discusses a vulnerability rated CVSS 9.9 in the Common Unix Printing System (CUPS), affecting Linux and Unix systems. The flaw allows remote attackers to execute arbitrary code by adding a malicious printer. Although less severe than EternalBlue, it is still concerning because of its broad impact and the difficulties the researcher faced in disclosing it. Eric also covers the developers' initial response, the risk posed by default configurations, and the importance of patches and firewalls.
Takeaways
- 🐧 The CVSS 9.9 vulnerability affects all Unix/Linux systems, including macOS, through their use of the Common Unix Printing System (CUPS).
- 🔍 CUPS, developed by Apple, is intended to simplify printing on Unix-based systems but has been found to have security flaws.
- 💡 The vulnerability allows remote unauthenticated attackers to replace existing printers or install new malicious ones, leading to arbitrary command execution when a print job is started.
- 🚧 The issue is considered less severe than EternalBlue but still poses a significant security risk.
- 🔒 The vulnerability can be exploited over the internet if the affected port (UDP 631) is exposed, or on a local network through mDNS spoofing.
- 🛡️ Proper firewall configuration mitigates the risk, but many systems may still be exposed through misconfiguration.
- 🔎 Security researchers have found hundreds of thousands of devices on the public internet with the vulnerable service enabled.
- 🛠️ The vulnerability exists in CUPS versions from 2.6 through the latest release, indicating a long-standing issue.
- 📢 The developers' initial response to the report was slow and dismissive, frustrating the security researcher.
- 🌐 The vulnerability was eventually disclosed, but not before the report leaked onto Breach Forums, highlighting problems with the disclosure process.
Q & A
What is the CVSS 9.9 vulnerability discussed in the video?
-The video discusses a vulnerability in the Common Unix Printing System (CUPS) that affects all Unix/Linux systems and allows remote code execution without authentication.
What does CUPS stand for and what is its purpose?
-CUPS stands for Common Unix Printing System, developed by Apple to make printing on Unix-based systems easier.
How does the vulnerability allow an attacker to execute commands?
-The vulnerability allows an attacker to inject a command line parameter while a printer is being added; the injected command then runs when a print job is sent to that printer.
Is this vulnerability as severe as EternalBlue?
-While severe, the CUPS vulnerability is considered less bad than EternalBlue because it does not allow a system takeover with zero authentication or interaction: a print job has to be started.
How can this vulnerability be exploited on the public internet?
-An attacker can exploit it by sending a single UDP packet that triggers a Get-Printer-Attributes request to an attacker-controlled URL, or, on a local network, by spoofing a zeroconf mDNS advertisement.
What is the potential impact on systems with cups-browsed enabled?
-Systems with cups-browsed enabled can have their printers replaced or new malicious printers installed, leading to arbitrary command execution.
How can users protect themselves from this vulnerability?
-Users can protect themselves by updating CUPS, disabling cups-browsed if it is not needed, or blocking the relevant ports with a firewall.
What was the developers' initial response to the discovery of this vulnerability?
-The initial response was slow and dismissive; the vulnerability was downplayed and not taken seriously at first.
How was the vulnerability discovered and reported?
-The vulnerability was discovered through port scanning and analysis of CUPS. The researcher submitted a report through VINCE, and the report unfortunately leaked before disclosure.
What are the potential long-term implications of this vulnerability?
-The vulnerability could have a long tail of issues because it affects a broad range of systems and may not be patched quickly, especially on older or less maintained systems.
What is the significance of the vulnerability having a CVSS score of 9.9?
-A CVSS score of 9.9 indicates a critical vulnerability with a high severity level, suggesting that it can be exploited easily and has a significant impact.
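The protection advice above (update CUPS, disable cups-browsed if it is not needed, block the port with a firewall) turns on two facts an administrator can check locally: whether cups-browsed is listening on UDP 631 on a network-reachable address, and whether it is still configured to pick up printers advertised from the network. The shell script below is an added example written for this page; it is not code from the video or from the CUPS project. It assumes the column layout of `ss -H -lunp` output (state, queues, local address:port, peer, process) and the `BrowseRemoteProtocols` directive of cups-browsed.conf with its documented default of `dnssd cups`; the sample socket listing and configuration excerpt are constructed so that the script runs offline.

```shell
#!/bin/sh
# Added audit helper, not code from the video or from the CUPS project.
# It checks the two things the page's mitigation advice turns on: whether
# cups-browsed is bound to UDP 631 on a non-loopback address (reachable from the
# network), and what cups-browsed.conf's BrowseRemoteProtocols directive is set to.

# Constructed sample in the column layout of `ss -H -lunp` (state, recv-q, send-q,
# local address:port, peer address:port, process). On a real host, pipe the live
# output of that command into find_exposed_cups_browsed instead.
SAMPLE_SS_OUTPUT='UNCONN 0 0 0.0.0.0:631 0.0.0.0:* users:(("cups-browsed",pid=1234,fd=7))
UNCONN 0 0 127.0.0.1:323 0.0.0.0:* users:(("chronyd",pid=800,fd=5))
UNCONN 0 0 [::]:5353 [::]:* users:(("avahi-daemon",pid=700,fd=12))'

# Constructed cups-browsed.conf excerpt; the directive name is real, the values are ours.
SAMPLE_CONF='# Which protocols to use to discover remote printers
BrowseRemoteProtocols dnssd cups
BrowseProtocols dnssd'

# Read ss-style lines on stdin and print every UDP socket bound to port 631 on an
# address other than loopback. Exit status 0 when at least one is found, 1 otherwise.
find_exposed_cups_browsed() {
  awk '
    $1 == "UNCONN" {
      n = split($4, a, ":")                       # local addr:port; the port is the last piece
      port = a[n]
      addr = substr($4, 1, length($4) - length(port) - 1)
      if (port == "631" && addr != "127.0.0.1" && addr != "[::1]") { print; found = 1 }
    }
    END { exit found ? 0 : 1 }
  '
}

# Read a cups-browsed.conf on stdin and print the effective BrowseRemoteProtocols
# value: the last uncommented directive wins (matched case-insensitively here), and
# "dnssd cups" (the documented default) is reported when the directive is absent.
# "none" means cups-browsed will not add printers advertised over the network, which
# removes this attack surface when the daemon cannot simply be disabled.
browse_remote_protocols() {
  awk '
    /^[[:space:]]*#/ { next }                              # skip comment lines
    tolower($1) == "browseremoteprotocols" {
      sub(/^[[:space:]]*[^[:space:]]+[[:space:]]*/, "")    # drop the directive name
      sub(/[[:space:]]+$/, "")                             # and trailing whitespace
      val = $0
    }
    END { print (val == "" ? "dnssd cups" : val) }
  '
}

# Combine both checks into one verdict: prints "EXPOSED" when a network-reachable
# UDP 631 socket exists and remote browsing is still enabled, otherwise "OK".
cups_browsed_verdict() {
  ss_out=$1
  conf=$2
  protos=$(printf '%s\n' "$conf" | browse_remote_protocols)
  if printf '%s\n' "$ss_out" | find_exposed_cups_browsed >/dev/null && [ "$protos" != "none" ]; then
    echo EXPOSED
  else
    echo OK
  fi
}

# Stand-alone demonstration on the constructed samples (prints EXPOSED).
cups_browsed_verdict "$SAMPLE_SS_OUTPUT" "$SAMPLE_CONF"
```

On a live host, replace the constructed samples with `ss -H -lunp` output and the contents of `/etc/cups/cups-browsed.conf`; a verdict of `EXPOSED` on a machine that does not need network printer discovery is the case the page's advice addresses, and disabling cups-browsed (or setting `BrowseRemoteProtocols none`) plus blocking UDP 631 at the firewall turns it into `OK`.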
Outlines
🖨️ The CVSS 9.9 Vulnerability in Unix Printing Systems
In this paragraph, Eric discusses the CVSS 9.9 vulnerability affecting Unix and Linux systems, particularly those using the Common Unix Printing System (CUPS) developed by Apple. The vulnerability allows an attacker to execute arbitrary code on a vulnerable system by adding a printer without authentication. Eric explains that while this is a severe security incident, it is less dangerous than attacks like EternalBlue. He also describes how the vulnerability can be exploited over the internet or through local network spoofing, and emphasizes the importance of updating CUPS or blocking the relevant ports with a firewall to mitigate the risk.
🔍 The Challenges of Disclosing the CUPS Vulnerability
The second paragraph covers the difficulties the security researcher faced in disclosing the CUPS vulnerability. It highlights the researcher's analysis that, while the vulnerability is embarrassing and concerning, one of the flaws is unlikely to have severe consequences because of how it behaves on the relevant architectures. The paragraph also touches on the difficulty of getting the developers to acknowledge the issue and on the leak of the vulnerability report onto Breach Forums before it could be responsibly disclosed. It points out the broader implications for open-source and modular systems, and the possibility that such vulnerabilities are exploited before they are publicly known.
🌐 The Impact and Mitigation of the CUPS Vulnerability
In the final paragraph, Eric addresses the potential impact of the CUPS vulnerability, arguing that although it is less severe than some other exploits, it still poses a significant risk, especially given how commonly firewalls are misconfigured. He notes the long tail such vulnerabilities have because of outdated server images, and the continuing exploitation of EternalBlue. Eric concludes by encouraging viewers to share their thoughts in the comments and gives a brief overview of the number of services exposing port 631 to the internet, indicating the scale of potential exposure.
Keywords
💡CVSS
💡Linux systems
💡CUPS
💡Remote code execution
💡Vulnerability
💡Exploit
💡Firewall
💡Port 631
💡Zero-day
💡Disclosure
💡Shodan
Highlights
CVSS 9.9 vulnerability affects all Unix/Linux systems.
CUPS (Common Unix Printing System) is the target of the vulnerability.
CUPS was developed by Apple to simplify printing on Unix systems.
Linux security, especially on the desktop, is not as robust as assumed.
The vulnerability allows remote code execution without authentication.
Attackers can add malicious printers to a system without user interaction.
The vulnerability is less severe than EternalBlue but still significant.
Firewalls can mitigate the risk if the port is not exposed.
Local network attacks can exploit the vulnerability via mDNS spoofing.
CUPS is used on almost every modern Unix system, including macOS.
Hundreds of thousands of devices with this vulnerability are exposed to the public internet.
Kernel information is leaked in the response to the request, exposing systems to further attacks.
Updating CUPS or configuring firewalls can mitigate the vulnerability.
Memory-unsafe C code is a contributing factor to the vulnerability.
The vulnerability was initially ignored by the developers.
The security researcher was able to create a file as part of the exploitation process.
The vulnerability disclosure process was difficult and discouraging for the researcher.
The vulnerability report leaked onto Breach Forums before formal disclosure.
A Shodan search reveals over a million services with port 631 exposed to the internet.
The CVSS score of 9.9 may be justified despite the vulnerability not requiring internet exposure.
The vulnerability will have a long tail because of the outdated server images used by hosting providers.
Transcripts
Hello buddy, my name is Eric, and today we're going to be looking at the CVSS 9.9 vulnerability that affects all GNU/Linux systems. Well, that's sort of how it was initially spread, and we'll go through the reality of it: is it overblown, and what does it actually do?

So what we have here is attacking Unix systems via CUPS. Now, CUPS is the Common Unix Printing System; it's actually developed by Apple and was intended to make printing on Unix-based systems easier. So we'll read the preface. This quote is interesting: "From a generic security point of view, a whole Linux system as it is nowadays is just an endless and hopeless mess of security holes waiting to be exploited." I wouldn't go that far, but Linux security, definitely, especially on the desktop, is not as good as many people assume it is, and this security incident is relatively severe.

So what's happened here is a combination of vulnerabilities leads to remote code execution. So first of all we have this one: cups-browsed binds on this IP address, trusting any packet from any source to trigger a Get-Printer-Attributes request, which then goes to an attacker-controlled URL, so this gets the vulnerable system to connect back. Then this does not validate or sanitize those attributes, and this is how the actual execution happens: you can inject a command line parameter into this, so you can add a printer to someone's computer without authentication, and if they ever try and print through that printer, that's how the actual vulnerability works.

So this is substantially less bad than something like EternalBlue, which allows you to take over a system with zero authentication or interaction. If you want to see that, you can go see my Windows XP or Server 2003 videos where malware just installs itself. It's not that bad, but it's still pretty severe: a remote unauthenticated attacker can silently replace existing printers or install new ones with a malicious one, resulting in arbitrary command execution when a print job is started. Now, on the public internet you just send a UDP packet. Now there is a problem with this, of course, which is much like why EternalBlue isn't a huge issue these days: unless you're running a server, your computer is probably not directly exposed to the internet, and if you have a properly configured firewall this port should not be exposed. The other way this can be triggered is over the LAN: you can spoof a zeroconf mDNS advertisement and achieve a similar code path, and then you get a very, very bad security situation. I actually saw this one a few months, a month ago, and I thought, oh yikes. Yeah, I mean, any network worm is only a problem if the port is exposed to the internet or the network, but yeah, that's not quite right. Now of course this vulnerability is going to be very broad because CUPS is used on essentially every modern Unix system, and of course macOS is also on the list, because I mean it was Apple who developed it, although I don't know if they ship the browsed extension.

Now here, as a result of port scanning, he's discovered that hundreds of thousands of devices do have this enabled on the public internet, and this file contains a list of systems that have called back. Now this works because the kernel information is actually called back when you send this request. So wow, all the way back to 2.6, where you could probably find a myriad of other problems. Going down, oh wow, yeah, all the way to the very latest version, across a wide variety. Someone exposed a Gentoo system. You can find out some of these actually, because Xanmod, Liquorix, these are usually installed by gamers, so some people are definitely exposing their Linux PCs to the entire internet. So you can get rid of cups-browsed, so this: update CUPS, and if you can't update it, just put that on the firewall; you can also do that. I think that's a bit far, I mean it's not like Windows hasn't had vulnerabilities with printing, but what is a bit concerning here was how the developers of this initially responded.

Now here they discover how this was initially discovered. This is something that's always interesting to do: see what ports are open by default, and in terms of network vulnerabilities, an open port can be a vulnerability. Now I checked, and my Arch desktop system does not have this vulnerability because I never installed cups-browsed, and none of my servers have it, but if you installed a desktop distro on a server you may be at risk. And here is the code that binds it, and of course we've got the joy of memory-unsafe C, where any number of things can potentially get in. We've got some parsing code that of course, the "allowed by default", will just always return true. And here is the parsing. So first of all, let me check that. Of course what you can then do is fuzz this, and this is where several things were discovered, but this vulnerability, or potential vulnerability, is not even the main problem.

Now here is where the main problem comes. I just thought I would provide a somewhat happy update to this: so this security researcher has done some analysis of this function; it's unlikely to result in any interesting information, which is very good news. Still a problem, still embarrassing, but the good news is that nothing terrible is going to come, because on every relevant architecture it's just going to get a null byte. You could maybe get a timing attack, but this is unlikely to result in anything drastic, especially because it is going to be patched. Still important to check, because that wasn't immediately knowable.

Now by using and slightly modifying this IPP server package, they were able to quickly enough design an exploit, and an execution path is found with this foomatic-rip filter, which apparently has been exploited many times before, and this security problem was apparently just kind of ignored. And this is foomatic-rip, so okay, so it does some sort of print translation, and because of how that works it seems to just kind of rely on what are essentially arbitrary scripts. That's a bit scary. And there's even a video of this exploiting process successfully creating a file.

So that was, kind of, according to this person, the easy part. Now what wasn't so easy was going through and trying to report this vulnerability. First of all, the difficulty was getting the developers to accept that there was a vulnerability, so they submitted a VINCE report, and then the worst thing that happened was it got leaked from VINCE; it got leaked over onto Breach Forums, not even for money, someone just copy and pasted it. I would almost wonder, given this is a new user on Breach Forums, if this was someone who was just upset about the whole... So that's the conclusion of this article.

So how bad is this vulnerability? Well, it's definitely less bad than EternalBlue or any of the Windows network worm vulnerabilities, but it's still very bad, and of course the worst thing was the amount of pain that this person went through trying to disclose it. They've said they're not going to do any more of this, because it was such a pain, which is a terrible, terrible situation. And the trouble is, with an open-source system, or more of a modular system rather than an open-source system, sometimes there are pieces of the system that are not well maintained or documented where these things can come through. And of course the most alarming thing is that this VINCE system had a leak, so this was actually able to escape and be sold on Breach Forums before it was disclosed, or worse yet, it could have actually made its way into being exploited before it was disclosed, because the exploit here is very simple.

Now heading on over to Shodan, we can actually get a list of all of the different services that have an open port 631 exposed to the internet, and we get over a million results, with 700,000 in the United States, followed by China, followed by Israel, followed by Korea, and all sorts of different ISPs, with Google having a staggering number. Most of these are in fact CUPS, but then there are other things; some people seem to be running HTTP servers on that port, and most of the operating systems are unidentified. I'm going to assume that the Windows reports are going to be mostly false positives. Now for reference, another insecure port that has caused trouble, SMB, well, that's got 1.7 million, and hopefully all of these are patched against EternalBlue. Maybe not all of them; I mean we just got an lce notice here, but hopefully a lot of them are.

So is it worthy of a 9.9? Well, I think the only real... I don't buy into the argument that it would have to be exposed to the internet or that a firewall could stop it, because that is a common misconfiguration, just like with EternalBlue, which is still being exploited, by the way. I saw a Windows Server host selling a server that came with an image that was vulnerable to EternalBlue out of the box and would probably get taken over by an EternalBlue exploit before you would even be able to log into it. So that is absolutely still a problem. But the main benefit for servers, and basically anything exposed to the internet these days is a server, because it costs too much, like IP addresses are now valuable, so you're not going to have your home computer exposed to the internet. So given the fact that, A, online servers may not have this installed and, B, they're probably not printing anything, means that a known exploit is probably not going to cause a massive amount of disruption. But the good thing is hopefully this entire category of vulnerabilities will be fixed before it becomes widely used, but as we often see with hosting providers using out-of-date server images, this vulnerability is going to have a long tail.

So that's going to be all for me for now. Let me know what you think in the comments. Bye.