Linux Vulnerability Announced, Details Kept Secret [Solved]

[mxethernut]

Thank you MX/Debian for getting updates out quickly!

[richb]

Just got the updates.
https://linuxsecurity.com/advisories/de ... xob7hyzfsf

[Eadwine Rose]

I SO hit on those like a boss.

[mxethernut]

Details Kept Secret

Hm details were disclosed, but above my knowledge!

https://youtu.be/lXljErWpcRQ?t=68

[uncle mark]

So all the Linux installs around the world aren't going to get pwnd any time soon?

[karlchen]

Hi, folks.

Although the thread title told otherwise, the details about the CUPS vulnerabilities have been publically available since September 26th e.g. in several written articles on several webpages.
Anway.
The most important detail is: the Debian CUPS patches are being distributed by the MX Updater by now.

Received them on my MX 21.3 only a few minutes ago.

Code: Select all

cups (2.3.3op2-3+deb11u9) bullseye-security; urgency=medium

  * CVE-2024-47175
    Fix CVE and upstream also added some extra hardening to patch
    - validate URIs, attribute names, and capabilities
      in cups/ppd-cache.c, scheduler/ipp.c
    - sanitize make and model in cups/ppd-cache.c
    - PPDize preset and template names in cups/ppd-cache.c
    - quote PPD localized strings in  cups/ppd-cache.c
    - fix warnings in cups/ppd-cache.c

 -- Thorsten Alteholz <debian@alteholz.de>  Thu, 26 Sep 2024 23:45:05 +0200

Code: Select all

cups-filters (1.28.7-1+deb11u3) bullseye-security; urgency=high

  * CVE-2024-47076 (Closes: #1082827)
    cfGetPrinterAttributes5(): Validate response attributes before return
  * CVE-2024-47176 (Closes: #1082820)
    Default BrowseRemoteProtocols should not include "cups" protocol

 -- Thorsten Alteholz <debian@alteholz.de>  Thu, 26 Sep 2024 23:45:05 +0200

Karl

[entropyfoe]

carlchen wrote

The most important detail is: the Debian CUPS patches are being distributed by the MX Updater by now.
Received them on my MX 21.3 only a few minutes ago.

Thanks to the dev and packaging team, and up stream at Debian.

Thanks for the swift action.

[GuiGuy]

[Stevo]

carlchen wrote

The most important detail is: the Debian CUPS patches are being distributed by the MX Updater by now.
Received them on my MX 21.3 only a few minutes ago.

Thanks to the dev and packaging team, and up stream at Debian.

Thanks for the swift action.

All credit goes to Debian for this response, we devs just stand by and cheer them on for these fixes.

[LinuxSpring1]

Another short read on the issue
https://www.phoronix.com/news/Linux-CVSS-9.9-Rating

The temporary fix for this as mentioned in the link is to

This remote code execution issue can be exploited across the public Internet via a UDP packet to port 631 without needing any authentication, assuming the CUPS port is open through your router/firewall. LAN attacks are also possible via spoofing zeroconf / mDNS / DNS-SD advertisements.

Besides CUPS being used on Linux distributions, it also affects some BSDs, Oracle Solaris, Google Chrome OS, and others.

As of writing there is no Linux fix available for this high profile security issue. In the meantime it's recommended to disable and remove the "cups-browsed" service, updating CUPS, or at least blocking all traffic to UDP port 631.

So till a fix is made available does the UDP port 631 need to be blocked? And/Or should the cups-browsed service be disabled? It is enabled by default on KDE MX Linux 23.3 having Debian 12.7.

The severe vulnerability 9.9/10 doesn’t impact basic printing and scanning.

The easiest solution is to uninstall the cups-browsed package. I always do this on my personal snapshots. It doesn’t affect printing or scanning. If you don’t want to uninstall the cups-browsed package you can disable the service while you wait for patches to be delivered.

Red Hat has a good write-up:
https://www.redhat.com/en/blog/red-hat- ... rabilities

Actually @dreamer that might not be correct. From the article that is linked

Mitigation of these vulnerabilities is as simple as running two commands, especially in any environment where printing is not needed.

So if the service cups-browsed is disabled or the package is uninstalled then will not the printing and scanning be impacted? Because the RedHat article refers to the case where printing is not needed. Many of us are using Desktops and there printing and scanning is required.