Critical Unauthenticated RCE Flaw Impacts All GNU/Linux Systems (cybersecuritynews.com) 137
"Looks like there's a storm brewing, and it's not good news," writes ancient Slashdot reader jd. "Whether or not the bugs are classically security defects or not, this is extremely bad PR for the Linux and Open Source community. It's not clear from the article whether this affects other Open Source projects, such as FreeBSD." From a report: A critical unauthenticated Remote Code Execution (RCE) vulnerability has been discovered, impacting all GNU/Linux systems. As per agreements with developers, the flaw, which has existed for over a decade, will be fully disclosed in less than two weeks. Despite the severity of the issue, no Common Vulnerabilities and Exposures (CVE) identifiers have been assigned yet, although experts suggest there should be at least three to six. Leading Linux distributors such as Canonical and RedHat have confirmed the flaw's severity, rating it 9.9 out of 10. This indicates the potential for catastrophic damage if exploited. However, despite this acknowledgment, no working fix is still available. Developers remain embroiled in debates over whether some aspects of the vulnerability impact security.
An RCE affecting ALL Linux systems? (Score:5, Interesting)
So this would have to be in the network stack? And not even in the NICs driver, but in the core kernel one? And that seems rather strange after so many years.
Re:An RCE affecting ALL Linux systems? (Score:4, Funny)
Re: (Score:3)
There's a rumour that it's in CUPS.
That one I threw out years ago. PoS.
Re: (Score:2)
It's a rumour because it's not confirmed to be true. As for disclosure, disclosure is potentially dangerous when the only workaround is to completely disable something. You can't simply expect everyone will stop using printers until it's fixed. And if it is disclosed then everyone nefarious actor is going to go poke holes in the known vulnerable target.
Re: (Score:2)
We need this information. I will rest a LOT easier if this turns out to be in CUPS, because then it means NOT "all GNU/Linux Systems are Impacted"; the headline will also have been false then. I sure have a heck of a lot of Linux systems, and CUPS is not installed on any of them.
Also, those who have CUPS installed would be able to use the knowledge to take preventative action before the vulnerability details are published and immediately start getting exploited
On the other hand.. If they're coming o
Re: (Score:2)
Somebody else posted (credibly IMO) that it is something that a firewall that blocks incoming connections will prevents. Hence it will very likely be a commonly installed application. From the "developer discussions" I take that it is not OpenSSH, because for an exploitable OpenSSH bug, there would not be any discussion as to whether it has security implications. But CUPS seems to generally be installed as listening-to-world, which is simply insane.
The title is clearly hyperbole and looks like it results fr
Re:An RCE affecting ALL Linux systems? (Score:4, Insightful)
There's a rumour that it's in CUPS.
If so, that probably also means it also affects every version of macOS for 2.5 decades.
Re: (Score:2)
And the BSDs as well. CUPS is pretty much the *nix printing system these days.
Re: (Score:2, Informative)
2 weeks ago there is this commit adding additional filtering to reject invalid IPP attributes from the LAN to cups.
https://github.com/OpenPrinting/cups/commit/96b3bdf010e78880f5764e5032720379aa1116df
IPP attributes are meta / URIs broadcast from the LAN that may be malformed - this the above commit to filter for attributes better.
work around is:
systemctl stop cups-browsed
systemctl disable cups-browsed
Re: (Score:2)
[xxxxxxxx ~]$ systemctl status cups-browsed
cups-browsed.service - Make remote CUPS printers available locally
Loaded: loaded (/usr/lib/systemd/system/cups-browsed.service; disabled; preset: disabled)
Is this another one of those over sensationalized tweets or something, I mean it's not even in the kernel... cups is not just on Linux, and it isn't Linux.
Re: (Score:2)
You know, one thing I do after every installation is that I check open ports. If I do not need what is running, it gets killed, no exceptions. I do not need CUPS.
Re: An RCE affecting ALL Linux systems? (Score:2)
Re: (Score:2)
Oh you mean that moronic thing that automatically adds second non-working instances of my printer?
Yes it's already disabled.
Re: (Score:2)
CUPS is one of the worst crappy pieces of software I ever tried to use. Dropped it more than a decade ago and never missed it since.
Re:An RCE affecting ALL Linux systems? (Score:5, Informative)
Ah yes, how quickly we forget what printing was like pre-CUPS. You only had /dev/lp0 back then, better hope your parallel printer supported postscript. If you had a fancy USB printer you were shit out of luck, even as the usb stack made strides no one wanted to tackle the monster that was proprietary usb printer drivers. If you had a few hundred bucks to spare you could buy an HP enterprise printer or something with JetDirect compatibility. Maybe you tried to run Solaris 7 faked out by their "wE cAn PrInT tO aNy PrInTeR" lies.
Enter CUPS. A magic project that got every single printer to work under a single project. Literally not a single other project exists that can do what CUPS does. Yet you have the gall, the audacity to call it a worst crappy piece of software. I just have no words
Re: (Score:2)
I just have no words
And no insight. Have you ever tried to get CUPS to work right when your specific printer is not preconfigured? Have you ever looked at the insane thing it does on the network? Well, we will see whether the currently announced problem is CUPS. Would not surprise me one bit.
Re: An RCE affecting ALL Linux systems? (Score:2)
And the network is usually kinda protected by the firewall (of which there are several, so it can't be that).
You mean like iptables? You know that's basically just an interface to alter how the kernel makes routing decisions, right? There's always a possibility that the vulnerability is in the network stack itself. Say, hypothetically, if there is a bug in the way IP headers are parsed. That code is shared with the BSDs AFAIK, which has been mentioned.
Though I don't know why they say GNU/Linux unless they mean to imply that some GNU code is affected, and the BSDs don't make any use of that. Either that or whoever
Re: (Score:2)
I remember one around ~1997-1998 where an ill crafted packet would cause any linux to reboot, maybe it could have been exploited for RCE but I didn't see nor hear any evidence of that back then.
Re: (Score:2)
That was the Ping of Death [archive.org] and affected Linux kernel <= 2.0.23.
Re: An RCE affecting ALL Linux systems? (Score:2)
It doesn't mean that there's no mitigation available. But the vulnerability will still be there, even if it's behind a firewall.
It's like saying a report of a technique that can be used to open all car doors can't be true because some cars are in locked garages.
Re: (Score:3)
Oh, please. (Score:5, Interesting)
The thread that the title comes from is from a Twitter user that later stated about the issue: "And YES: I LOVE hyping the sh1t out of this stuff because apparently sensationalism is the only language that forces these people to fix. "
As such, every single thing about the topic should be taken with a grain of salt. Starting with systems affected (it's not all GNU/Linux) and also CVSS score (I score it as a 6.3 instead of 9.9). Use your imagination to decide how much of what was posted is based on fact as opposed to fantasy.
For starters, only systems without an enabled firewall are exploitable. (Note: Ubuntu doesn't enable a firewall by default for reasons I cannot fathom).
Secondly, the attack requires the victim to take a specific implausible action for the attack to work.
There's really nothing to see here. Spending your time thinking about any other vulnerability or attack vector would be a much better use of your time.
Re:Oh, please. (Score:4, Informative)
By default Ubuntu has no services that listen on anything other than localhost. Not even ssh. A firewall would be pointless.
Re: Oh, please. (Score:2)
This is provably incorrect.
Re: (Score:2)
Please do. Tell me how a Linux install with nothing listening, not even ssh will be hacked remotely.
Re: Oh, please. (Score:2)
Re: (Score:2)
Re: (Score:2)
Oh shit, I hope we can all get new tinfoil hats!
You're gonna need genuine copper foil for this one!
Re: (Score:2)
Bullshit. Cut back on the drugs.
Re: Oh, please. (Score:3)
"State actor level" sounds a bit like "level 220 chief arch-wizard". But computer security is not magic. Even state actors need real vulnerabilities to do their thing. They may find new vulnerabilities faster than everyone else, but success is not guaranteed. Even for them.
Re: (Score:2)
I am not sure I agree. Sate actors have a lot of opportunity and freedom to go much further than the vast majority of criminal operators could or likely would. A state actor for example can create a fake identity for someone with legitimate documents and put an agent in there to work an IT job for 8 months before even attempting to deploy their implant.
For any organization large enough that you don't personally know everyone. I would assume a sufficiently motivated state actor can get on your network if t
Re: (Score:2)
Do not force me to unleash the bytes of doom and black magick upon you, disbeliever!
Take "Transvaaltrampeltiertränentrauungstragödie" as a warning.
Re: (Score:2)
kernel network/firewall code itself probably
Re: (Score:2)
If it has a network interface, it is listening, at least at layer 2 (dhcp, arp, ndp, slaac, etc.).
Re: Oh, please. (Score:2)
At least some of these things can be turned off
Not to mention that they won't pass routers.
Re: (Score:2)
If it has a network interface, it is listening, at least at layer 2 (dhcp, arp, ndp, slaac, etc.).
That's a great list of things not normally blocked by a firewall. What's your point.
Re: (Score:2)
My response, "If it has a network interface, it is listening, at least at layer 2 (dhcp, arp, ndp, slaac, etc.)." was in response to this statement:
"Please do. Tell me how a Linux install with nothing listening, not even ssh will be hacked remotely."
We don't know what this attack is yet. With blanket statements from the claimant that is it affecting all Linux versions, it could be a layer 2 issue. No real sense going over "what if's" until it is disclosed. But layer 2 exploits do exist and prior to being pa
Re: Oh, please. (Score:2)
Even Windows XP, let alone Linux, can safely be put on the Internet without any firewall after stopping all its network listeners. And ensuring that the end user doesn't run any vulnerable clients, of course, but a firewall would hardly help this.
Of course, if you have enabled the spychip crap in your Intel or AMD CPU (IME/PSP) then you indeed DO need a firewall, for these b*ggers can control your computer EVEN when it seems turned off, and this is not a fantasy.
Re: (Score:2)
Re: (Score:2)
Red Hat is similar, but it ships with firewalld on. One of the reasons I enable firewalling is that it provides a solid front-line defense. Some user ran something that opened a port? Still inaccessible due to the firewall in place. Or you want to allow SSH, but only from your internal subnet. At a previous job, I had a NAS running for a while on an external IP address, and after that time, the NAS wound up forensically examined to see if it was compromised, as a long term test. It was never breached,
Re: (Score:3)
So you have _actual_ information? (Not asking you to prematurely disclose)
One small question though: By "firewall enabled" do you mean it runs (module loaded or code compiled in) or that it has actual rules in there?
But what you describe is about what I expected from the grande, somewhat nonsensical announcement.
I especially like "the attack requires the victim to take a specific implausible action for the attack to work". There are tons of attacks that becomes possible when the victim is willing to do that
Re: Oh, please. (Score:4, Informative)
Yes, I've read the vulnerability report and have reproduced it. You'll get the details when the agreed upon disclose date arrives.
As for the firewall, just blocking incoming connections it sufficient for protection. On Ubuntu, this should do it: sudo ufw enable
Re: Oh, please. (Score:2)
Can it be mitigated by stopping something? And are really ALL distros affected?
Re: (Score:2)
P.S. I'm not asking about what specific something to stop, or what specific distro might not be affected. Just a very general question that won't compromise non-disclosure.
Re: (Score:2)
The claim was "all Linux systems" and that is clearly nonsense.
Re: (Score:2)
Thanks, that is enough info for now for me.
Re: (Score:2)
There are a 100-200M Linux machines in the world. Even if a particular specific action is implausible, tens of thousands of them are going to be vulnerable.
Software engineering at scale means realizing that with a big enough user base, every one of the corner cases that one could normally dismiss is going to actually be realized. Which is not to say that you have to make all of the work, but at least they s
Re: (Score:2)
Possibly. But that does in no way justify an alert of this type. "The story of the boy who cried wolf" is instructive regarding such asshole acts.
Systemd component? (Score:5, Informative)
only got patronized because the devs just can't accept that their code is crap
Systemd component? It sounds like Systemd component.
Re: (Score:2)
That would be nice. Because in that case my Linux servers are not in the "all" systems that are affected.
Re: Systemd component? (Score:2)
Thankfully, systemd-vulnd isn't in every distro, and isn't even on every system using a distro carrying that cr@p. My Debian (not devuan) systems are free of it, halleluiah.
Re: (Score:3)
Breaking news: systemd listens for - and grants unfettered root-level terminal access without authentication to - any remote process attempting to connect to poettering-is-an-awesome-hacker.socket.
Ironically, poettering-is-an-awful-hack.socket also works.
Re: (Score:3)
Your irony is unwarranted. Systemd carries its own large attack surface, much of it unneeded, and the systemd devs have history in both sloppy programming AND behaving arrogantly when confronted about security or other problems with their code.
Re: (Score:3)
much of it unneeded
Unneeded by you. Don't gatekeep what features other people may want to use.
Re: (Score:2)
init should be small and simple. It should do only one task and do it well. Systemd does not comply with this. There's a huge attack surface in there. Put that on top of the mentality of the systemd developers, and you've got a mix for disaster. Perhaps it has come now.
Re: (Score:3)
Indeed. Systemd is not an init system. It's a daemon management system (literally in the name). Init can't manage shit. Great when you're running a fixed server on a static network or a computer from the 90s, but no so much fit for purpose anymore.
You may think IT peaked before the millennium bug, but many of us have other use cases and init isn't it (as evident by the many MANY projects that either exist to expand its functionality or attempt to replace it outright).
Do one thing and one thing well was one
Re: (Score:2)
Yep. I have thrown systemd out everywhere. Simpler system and zero issues.
Re: (Score:2)
Re: (Score:3)
All joking aside, I think I would lay money on it being systemd-related.
That old "huge and difficult-to-understand binary executable running as root trying to do everything, doing it rather poorly" has such a large attack surface area that it would be my first choice.
Sounds like FUD (Score:5, Insightful)
Grand claims, no details and "Developers remain embroiled in debates over whether some aspects of the vulnerability impact security". That does sound like somebody wants their 15 minutes of fame, but not like a real problem.
Re: (Score:2)
Which is why I'm far more concerned about the publicity than the security.
If corporations believe there's five or six flaws, each warranting a 9.9, it makes very little difference whether they exist.
Re: (Score:3)
Thankfully, MOST corporations aren't run by idiots.
Re: (Score:2)
Do you have ANY evidence for this statement. IME at least a small majority are, and quite probably a large majority.
Re: (Score:2)
You're overlooking the morons, buffoons, imbeciles, and fools.
Re: (Score:3)
Well, if we do a typology of inadequate CEOs, then yes. We also have assholes, sadists, fanatics, authoritarians, and a few others.
Re: (Score:2)
Thankfully, MOST corporations aren't run by idiots.
That does not seem to match observable reality. The converse seems to be the case.
Did Ken Thompson strike again? (Score:4, Interesting)
In Reflections on Trusting Trust [slashdot.org], Ken Thompson describes a hack which worked by modifying the C compiler to do two things
1) Insert itself into the C compiler whenever the C compiler is compiled
2) Modify "login" to accept a password of his own choosing (presumably for any account)
Thus, he need merely substitute his C-compiler-with-exploit for the real one once, and the exploit self-propagates (as long as the C compiler and login don't change enough to not be recognized by the exploit code anyway).
Somthing which hits all Linux systems seems to me has to be of this nature or something similarly devious.
Re: (Score:2)
Very, very unlikely. Much more likely "all linux systems" is simply a lie by somebody that apparently deeply desires that nobody will listen to them ever again.
Re: (Score:2)
Well, this seems good in theory. I remember I once theorized about creating vulnerabilities by modifying CPU's microcode. Thankfully, this has about the same chance to really happen (nil).
Giant, alarmist claims smell like BS (Score:2)
Re: (Score:2)
The bugs don't actually have to exist. If the media and the corporations believe developers are lazy and that there's five or six critical 9.9-warranting defects, that's going to lacerate Linux. Hence my concern more for the reputational damage.
The truth doesn't matter, CIOs and CTOs aren't interested in truth, they're far more interested in reputation.
However, if they do exist, the emphasis on the GNU part could indicate a problem in the tool chain for building the kernel, although I'd say OpenSSL and Open
Re: (Score:2)
Being belligerent is very different from being arrogant and not admitting flaws in your code.
Linux (kernel) developers very rarely suffer from the latter. And when they do, Linus quickly disciplines them, belligerently.
Stinks like FUD (Score:4, Insightful)
The Twitter Post referenced from threadreader is gone - at least for my web-view.
And here are some directions
"Devs are still arguing about whether or not some of the issues have a security impact."
This is bullshit if you can exploit it unauthenticated from the outside and disrupt the kernel in any way, they all would be d'accord - for the basic "Yes there is something"
"Still no CVE assigned (there should be at least 3, possibly 4, ideally 6)."
vs.
"Unauthenticated RCE vs all GNU/Linux systems (plus others) disclosed 3 weeks ago."
vs.
"Full disclosure happening in less than 2 weeks (as agreed with devs)."
Why should there be no CVE when we look at the past even servere problems got them early, and why should it be "disclosed 3 weeks ago"
where? On Shitter? Why is the Shitter Post gone then?
"9.9 check screenshot."
of an entry showing nothing but a 9.9 score I could produce that too.
Facts or shut up "evil socket puppy" !
Re: (Score:2)
Indeed. Sounds to me somebody with a really big ego went off the rails. This person probably does not understand that all this will do is make a lot of people quite angry at them and that they will probably not be listened to anymore in the future.
This sentence... (Score:2)
However, despite this acknowledgment, no working fix is still available.
...killed my cocker spaniel. I demand retribution.
As to the RCE... will wait and see... have no mission critical *nix anywhere near prod but this has implications for pretty much every cloud vendor out there...
TIFTFY (Score:2)
Re: (Score:2)
Re: "... no working fix is still available." - That's not what "still" means. That would imply the fix IS available. I think they meant to say, "...no working fix is available yet." as in, may be at some point in the future but it's getting late.
That odd English usage, and the melodramatic hype, makes it sound like the writer could be from a certain southern European country that my parents were from, and everyone loves to visit in the summer.
Re: (Score:2)
They might mean "the vulnerability is understood but still no fix is available."
It's not the best usage.
systemd? (Score:2)
Ok. So it affects ALL Linux systems.
When I read between the lines of the word "all", 99% of the time it means Linux distributions running systemd, with the rest being ignored for some weird reason.
Someone (Score:2)
Re: (Score:2)
Re: (Score:2)
Sounds like he's just getting annoyed at the pace at which the code maintainers are fixing the vulnerability
He's keeping the details from the public so it can be patched first
Re: (Score:2)
He's keeping the details from the public so it can be patched first
I just want to know which software project the vulnerability is in, so I can assess possible impact.
GNU/Linux is not the name of a program or software project though.
Re: Don't feed the... (Score:2)
Despite you being an AC, you might just be right. The article says that [kernel] developers are reluctant to admit flaws in their code and are fighting the researcher. I personally find this quite hard to believe, provided that the issue is real.
To me, this looks like a red flag. Journalism failure, fake news, FUD in the best Microsoft traditions. I guess we'll know for sure in a few weeks.
Perhaps there is some real vulnerability, but it's neither in Linux itself, nor does it affect ALL distros, nor is it
Re: (Score:2)
Apparently the "security researcher" that reported it also inflated their claims massively to get attention. Guess they do not want anybody to ever listen to them again.
Re: Done (Score:2)
Re: (Score:2)
or a lobotomy
Re:Done (Score:5, Funny)
If I put a picture of a white father, his pretty young wife and their two blond kids on this site it would get modded -1 flamebait.
That would be mainly because the only way to do that on this site would be with ASCII art. And admit it, you probably couldn't resist the compulsion to add a few of those giant ASCII swastikas to the post as well.
Re: (Score:2)
You had to go and mention those. Its like Beetlejuice. Once you mention their name they wont go away.
Re: (Score:2)
You just outdid yourself, my friend.
Re: (Score:2)
If I put a picture of a white father, his pretty young wife and their two blond kids on this site it would get modded -1 flamebait.
Yes, because intent adds significant context to communication. Nearly all of your posts are nothing other than flamebait trolling rubbish so we all know that will be the reason you would post a picture like that.
This site is an older and shittier version of Reddit, if that were even possible.
*Points to the door*. If you don't like it here, why stay?
Re: (Score:2)
You're ranting like an emotional leftist.
Go eat some meat and lift.
Change your oil or build a cabinet.
Spin some plates and have some fun.
Re: Done (Score:2)
The design of Slashdot should have made provision for lotion-covered humpity fatass.
Dude sure brings up fat men with lotion and leather an awful lot, like every few posts and makes vague claims about repression of his "white man"-ness. Uh huh.
Look, I know what this is. It's ok to be gay man. I don't know what you have going on in your personal life where being in the closet might be a safer more stable thing to do, I'm not judging, but you can be yourself here man. That feeling of repressing yourself has to be heavy, just let it go
Re: (Score:2)
My bet is its cups-browsed
cups-browsed fits the description as old, listens on LAN, and is enabled on modern distros.
cups-browsed is bound to 0.0.0.0:631 UDP (all interfaces) by default
It is? That is simply insane on an advanced level. I have not installed CUPS in ages. This may have been one of the reasons for that, but I do not remember. I have thought of CUPS as malware/crapware for at least 10 years.
Re: (Score:2)
Re: (Score:2)
For a single-user set-up that needs no print-queuing and with a networked PostScript printer? /usr/local/bin/lpr for the last 12 years:
I have been using the following script as
#!/bin/bash
cat $1 | nc -w 1 printer 9100
Obviously, the printer is behind a firewall. Depending on the printer, this does print PDF directly as well.
Re: (Score:2)
cat "$1" will save you some headaches
Re: (Score:2)
If you use filenames with spaces (I do not), yes.
Re: (Score:2)
you'd be even happier with apsfilter.
I totally agree as long as the situation is as simple as you describe, and its a decent postscript/pcl printer. Its the better way.
Re: (Score:2)
I used apsfilter before I had a PostScript printer. But PostScript capable printers really do not cost much more for a B/W laser these days (I have made good experiences with OKI and Brother) and hence just getting the file to the printer is enough for me. And it nicely satisfies KISS.