Akamai Warns CUPS-Browsed Vulnerability Also Brings New Threat of DDoS Attacks (akamai.com) 63
Last week the Register warned "If you're running the Unix printing system CUPS, with cups-browsed present and enabled, you may be vulnerable to attacks that could lead to your computer being commandeered over the network or internet." (Although the CEO of cybersecurity platform watchTowr told them "the vulnerability impacts less than a single-digit percentage of all deployed internet-facing Linux systems.")
But Tuesday generic (Slashdot reader #14,144) shared this new warning from Akamai: Akamai researchers have confirmed a new attack vector using CUPS that could be leveraged to stage distributed denial-of-service (DDoS) attacks. Research shows that, to begin the attack, the attacking system only needs to send a single packet to a vulnerable and exposed CUPS service with internet connectivity.
The Akamai Security Intelligence and Response Team (SIRT) found that more than 198,000 devices are vulnerable to this attack vector and are accessible on the public internet; roughly 34% of those could be used for DDoS abuse (58,000+). Of the 58,000+ vulnerable devices, hundreds exhibited an "infinite loop" of requests.
The limited resources required to initiate a successful attack highlights the danger: It would take an attacker mere seconds to co-opt every vulnerable CUPS service currently exposed on the internet and cost the attacker less than a single US cent on modern hyperscaler platforms.
But Tuesday generic (Slashdot reader #14,144) shared this new warning from Akamai: Akamai researchers have confirmed a new attack vector using CUPS that could be leveraged to stage distributed denial-of-service (DDoS) attacks. Research shows that, to begin the attack, the attacking system only needs to send a single packet to a vulnerable and exposed CUPS service with internet connectivity.
The Akamai Security Intelligence and Response Team (SIRT) found that more than 198,000 devices are vulnerable to this attack vector and are accessible on the public internet; roughly 34% of those could be used for DDoS abuse (58,000+). Of the 58,000+ vulnerable devices, hundreds exhibited an "infinite loop" of requests.
The limited resources required to initiate a successful attack highlights the danger: It would take an attacker mere seconds to co-opt every vulnerable CUPS service currently exposed on the internet and cost the attacker less than a single US cent on modern hyperscaler platforms.
Re: (Score:2)
Re: "Many eyes" fails again (Score:2)
apt-get update never installs anything, apt-get upgrade never installs anything new, apt-get dist-upgrade never installs anything silently, and apt-get purge/remove never installs anything as well.
Sure, you may lose your newest and shiniest desktop environment by removing CUPS completely, but this doesn't make CUPS un-uninstallable, plus you don't need to remove the entire CUPS. The worst parts, like cups-browsed are easy to remove.
Re: (Score:3)
apt-get purge/remove never installs anything as well.
That's what I thought too until I saw this:
Re: "Many eyes" fails again (Score:2)
Add the names of packages it wants to install to the list of packages to be purged. Alternatively, use dpkg --purge .
Was that the "all Linux systems vulnerable" crap? (Score:2)
That person really needs to be ignored....
Re: Was that the "all Linux systems vulnerable" cr (Score:4, Insightful)
He is an attention seeker and an unethical person, yet the issue with cups-browsed is real and not benign at all.
IMHO, the whole cups-browsed project needs to be discontinued. Not only is the quality of its code poor, but it's a prime example of the "insecure by design" paradigm. The protocol according to which cups-browsed works was obviously not designed with security in mind, and it's DDOS-friendly as a result.
Either discontinue it, or subject it to a total redesign (of the protocol) and re-implementation to remove at least the most glaring buffer overflows and memory allocation bugs. Maybe rewrite it in Rust, if it would help, although I doubt it.
Re: (Score:2)
IMHO, the whole cups-browsed project needs to be discontinued.
I had a look. (I stopped using CUPS 15 years ago or so.) Looks like convenience was the primary goal and security was, at best, an afterthought. That is not acceptable today, especially on Linux. On Windows, you need to lock everything down with firewalls anyways, because that OS will never grow up.
Re: Was that the "all Linux systems vulnerable" cr (Score:5, Informative)
prime example of the "insecure by design" paradigm.
Let's call it what it is: The I don't care how it works, just do it automagicly paradigm.
This crap and others like it (mdns, UPNP, etc.) wouldn't exist if people could be bothered to set their shit up on their own. Hell, it's not even hard. These days it's just accessing some web admin portal from a browser. But nope, we have to have all of this shit done automagicly so the idiots can continue basking in their ignorance, and attacks like these are the result. Which IT then gets yelled at for "allowing" to happen.
What needs to happen is all of these protocols need to be prohibited by law on national security grounds. If you can't be bothered to set it up, then sucks to be you. Either learn how to do it yourself, or pay someone else to do it for you. But you don't get to demand that everyone else pay the price for your ignorance.
Maybe rewrite it in Rust, if it would help, although I doubt it.
Absolutely not. This isn't a memory problem, it's a "I don't give a shit" problem.
Flawed designs are still flawed no matter what language they are described in. Rust cannot do anything to fix a protocol that by design runs arbitrary unauthenticated commands given to it as root any more than C can. The issue wasn't a use after free (Rust's favorite one trick), it was a complete lack of checking for authorization and improper validation of inputs to begin with (bad design).
Rewriting this crap in Rust thinking it would somehow fix the issue, is exactly the kind of false assurances Rust's detractors warn about. Rust's promoters make too many promises about Rust's security. That in turn makes people using it far more likely to be lazy (read: have a "I don't give a shit" mentality) when writing their code. It's dangerous, and implementing flawed designs like this thinking you are protected by using a "safe programing language" is one of the biggest reasons why. (Yes, I'm aware cups-browsed wasn't written in Rust. Read the comments above and quit splitting hairs, defenders.)
Re: (Score:2)
Well, there are two versions of these:
1) Make it automagic if that does not compromise security and is generally reliable and can be switched off and comes with a clear warning _or_ is default off
2) Make it automagic, no matter what
The first one is perfectly fine, the second one is massively incompetent and indicates somebody with skills far too mall for the job at hand.
As to "rewrite it in Rust", completely agree. As far as I can see that would not even necessarily have helped. The primary problem is that
Re: (Score:2)
He certainly didn't do himself any favors when he claimed it affected nearly all Linux installations. Which it certainly does not. No server is going to be running cups at all (unless it is a print server). Any linux machine sitting on the open internet is going to have its open services list carefully audited and appropriate firewall measures set up.
But the vulnerability is real and it is serious. The real danger is within the LAN where a compromised device could start using this mechanism to spread ma
Not CUPS! (Score:5, Informative)
Sigh This isn’t CUPS, this is an optional add-on called cups-browsed that you don’t need anymore
Re:Not CUPS! (Score:5, Interesting)
Re: (Score:1)
Re: (Score:3)
It's needed for AirPrint, AFAIK.
No, it has two uses: to support old CUPS servers (1.3 and earlier) for newer CUPS clients, and to auto-add AirPrint/IPP Everywhere/Mopria printers for applications that refuse to use the CUPS APIs that were introduced in CUPS 1.1... As long as you add the printers you want to use, you won't need it running.
Re: (Score:3)
I just checked my Fedora 40 workstation and while it is running cups and I do have half a dozen networked printers that I've added, I do not see cups-browsd running. So at least Fedora does not appear to be running the vulnerable service by default. Hopefully other distros will also drop browsed and provide an update to their users that disables browsed which doesn't seem to be necessary.
Re: Not CUPS! (Score:5, Insightful)
Because Plug&Play, that's why. Printers that connect to your system automaGically. The problem is, if printers can do that, so can hackers.
A cynicist would say that the main cause of the problem is in Un*x systems wanting to be like Windows.
Re: Not CUPS! (Score:4, Insightful)
Because Plug&Play, that's why. Printers that connect to your system automaGically. The problem is, if printers can do that, so can hackers.
Such a surprise. Well, to the clueless writing software it may be.
A cynicist would say that the main cause of the problem is in Un*x systems wanting to be like Windows.
That is a real problem and getting worse: People coming to Linux from Windows and then doing the same stupid stuff they did there on Linux. These people do not understand that the mind-set is fundamentally different and that the mind-set is what makes Linux better. This has brought us crap like systemd and idiot distro maintainers that patch crap into OpenSSH that is _not_ needed, all for convenience. (Remember the recent xz vulnerability?)
Either the Linux community proves resilient against these people and rejects those that cannot adjust, or in a decade or two Linux will just be as crappy and insecure as Windows.
Re: Not CUPS! (Score:3)
To be honest, this might we'll be an influence from Apple rather than Windows. The CUPS itself is an Apple thing. However, it seems that Apple itself doesn't use cups-browsed, but instead uses their own device/service discovery system, Bonjour, that is based on multicast IP, which is a can of worms on its own right. And guess what, non-Apple Un*xes cloned Bonjour, creating Avahi, which seems to be installed without a real need at least as commonly as CUPS. The "evilsocket" guy promises to publish on his w
Re: (Score:1)
Well, this time it may be broken culture served by Apple, agreed. As to Avahi, agreed. That is another crap demon I purge with fire when I see it. I mean, WTH is this thing doing on my systems? Most Linux software just behaves and does _not_ open any listening sockets unless that is exactly what you expect it to do. But the printer-people seem to have gotten fucked in the head at some point...
Re: (Score:2)
Either the Linux community proves resilient against these people and rejects those that cannot adjust, or in a decade or two Linux will just be as crappy and insecure as Windows.
Blaming vulnerabilities on 'stupid Windows users' betrays a lazy understanding of security. The problem isn’t people switching to Linux; it’s complacency in evolving the ecosystem to meet modern challenges. Linux isn’t sacred because of some mythical 'mindset.' It’s great because of its adaptability. Gatekeeping innovation will only stifle progress—relying on the past and rejecting change is what truly risks making Linux as ‘crappy’ as Windows.
Re: (Score:2)
The problem is _developers_ switching to Linux. Learn to read.
Re: (Score:3)
If it isn't needed then why is it included in default installs?
As far as I can tell, from looking at our various servers... it isn't. And on some workstation installs where it is present... it's not enabled by default.
Re: (Score:2)
If it isn't needed then why is it included in default installs?
As far as I can tell, from looking at our various servers... it isn't. And on some workstation installs where it is present... it's not enabled by default.
Oddly enough, it's running on my Linux Mint Ulyana laptop. I just killed it and was still able to print. I'll see if that capability survives a reboot.
Re:Not CUPS! (Score:5, Funny)
systemctl disable --now --global --and-with-extreme-prejudice cups-browsed
Okay, the third option flag is my own wishful thinking...
Re: (Score:2)
Yikes, systemd! Kill it with fire!
Re: (Score:1)
Is --die-you-gravy-sucking-pig-dog not available any more?
Re: (Score:3)
It's a weird issue.
You don't need CUPS browsed to print. It just enables a nice printer picker and installer interface. By default, it's not enabled, but some distributions might do it so hey, you install Linux and your printer is automagically set up and ready for you to use.
That functionality requires port 631/UDP to be open to a machine running browsed. Most firewalls and routers block this by default because who lets random UDP packets through? So it's also not generally exploitable from the Internet.
An
Re: (Score:2)
Thanks! That's hugely informative, and tells me that I don't need to worry about cups-browsed.
Re: (Score:2)
It's not on Fedora. Apparently, however, it is on Ubuntu, openSUSE, Arch, and even some debian versions. Recommend
sudo systemctl disable cups-browsed
Hopefully these distros will release updated packages that turn cups-browsed off by default.
Re: (Score:1)
True, it is indeed cups-browsed bound to 0.0.0.0:631.
Re: Not CUPS! (Score:2)
Only UDP port 631 is used by cups-browsed, and it's the problematic thing. The TCP port 631 is used by the main CUPS code and is (relatively) benign.
I remember (Score:5, Interesting)
The point is that too many fscking people hook shit up to the global Internet that shouldn't be. Hell, I remember when Windoze 95 was a thing it was a sport to go surfing people's "private" stuff they published to their entire university and the Internet. I remember running across some douche's video of his girlfriend that I emailed back to her to tell her (from his address) about it after I got his entire address book and email archives.
I remember back in 2017 when a hurricane hit the Texas gulf coast. People were panicking and running the gas stations dry. I used an exploit to vector friends and family into places that still had gas from my hotel room. I used Shodan. For better or worse, there was some kind of gas telemetry system that a lot of gas stations were using that would publicly squawk its kind of gas, volume remaining, water contamination, and God only knows what else to the global Internet. I did find out that the regional hospital had some ungodly amount of jet fuel stored in a tank under their parking lot.
Re: (Score:2)
too many fscking people hook shit up to the global Internet that shouldn't be.
Strongly agree but are printers really a good "target" here?
Look, I don't want my fridge connected to the Internet. Smart fridges are the biggest "who is this for?!" product that I can think of. ... I mean, I own one, but it is not connected directly to the Internet. I have a small Linux mini-pc that I set up for streaming entertainment.
I don't like "smart" TVs either
But I've had printers connected to my local network for a lot longer than the "Internet of Things" has ever been a thing.
I'm not even the type
Re: (Score:3)
Note that this vulnerability isn't in printers -- it's in systems running the cups-browsed service. You may even be running this (without realizing it) when you don't have any printers at all, though when I read up on the vulnerability it was triggered by you actually printing to the "fake" printer -- though Akamai seems to be referring to something related but also different.
Printers themselves are notoriously insecure. Nevermind the way that you can spit text at 9100/tcp and it spits out paper (so just
Re: (Score:2)
You can't fix people. The internet could have been fixed at some point in the past though. The problem is that the internet is only designed to be robust against outside interruption instead of the people on it.
All internet participants should be contractually obligated to do ingress/egress filtering and there should be some way to push filters upstream [ietf.org]. Then the people who put amplification services on the internet get on a blacklist and everyone can just ignore them, without having to use Cloudflare/Akama
Re: (Score:2)
Meant to say "Now it's a trillion dollar business to patch the broken by design internet".
Re: (Score:2)
You can't fix people.
Indeed, you cannot. Some are not broken, but they are the minority that has an adequate view on their own skills. But most people do not even know what they do not know and do not understand. Dunning-Kruger "far left side" cases are the norm and then you have something like 30% of all people who are even dumber.
With Linux, you used to be able to keep the dumb ones at least out of the group that develops and provides software, but with an increasing influx of Windows people, that is getting harder and harder
Re: (Score:2)
The point is that too many fscking people hook shit up to the global Internet that shouldn't be.
What kind of fscking moron hooks up a printer to a network without authentication?: A moron that now is out of expensive ink / toner and paper.
Honestly, this is a problem that should correct itself after a few trips to Amazon / Staples every time they need to print something.....
Re: (Score:2)
I did find out that the regional hospital had some ungodly amount of jet fuel stored in a tank under their parking lot.
Probably for their emergency generators.
Re: (Score:2)
I did find out that the regional hospital had some ungodly amount of jet fuel stored in a tank under their parking lot.
Probably for their emergency generators.
Almost surely. Also for their medical evac helicopters. It's just disturbing that they effectively broadcast their inventory all over the Internet.
If this is so easy to hack... (Score:3, Interesting)
...why not write a worm that discovers affected systems and disables cups-browsed on them? Seems less dangerous than letting them all become DDoS bots.
Re: (Score:3)
Re: (Score:2)
There have been some similar cases where security forces have managed to get a court order allowing them to do similar things. Not actual worms, but scanning and running code on the vulnerable devices to disable the function.
Re: (Score:2)
Yes. But these people only get interested if they smell a "large victory" that can make them look good in the press. They are not interested in actually securing the Internet. Same principle as in, for example, the "War" on drugs. If they were serious, that one would have been won by now (probably at excessive cost to freedom and society, but still). But they are not. What that "War" delivers is a nice stream of "victories" that look good in the press and keeps the middle-class in fear, full prisons and job
mere seconds ? (Score:2)
Sure this might be a problem, but stop the hyperbole train.
Re: (Score:2)
Recent DDoS numbers were 400million RPS, which I guess makes 10 seconds to do the whole of IPv4 space, where most applicable devices on the internet will be found, so I guess the answer is in fact yes, though they would want longer than that to prepare the attack.
Re: (Score:2)
I could certainly send a single packet to every IPv4 address in a short amount of time. I don't know how fast you are requiring for "that fast", but with a typical gigabit home internet connection I imagine I could do it in under a few hours, and with more hosts I could do it that much quicker.
But there's not even a need to hit the entire IPv4 address space -- tools like Shodan can tell you which hosts have it open, so with that you could do it to every host with that open in seconds.
Re: (Score:2)
Let me see. Let us assume I do it from home with 1Gbps symmetrical. Say, the packet is 1kB so some actual attack code can be put in there. Let's call it 10kb on the wire. Then I can send out 100'000 of these per second. Very roughly, the IPv4 space is 4 billion addresses. That makes about 12 hours for a complete attack attempt.
So, yes, it is not only possible, it is _easy_ to do it "that fast".
Scare tactics from a CDN (Score:2)
Sounds like somebody is falling short on sales projections and is trying to drum up new business by scaring website operators "YOU COULD BE ATTACKED!!"
Remember people mocking this exploit on slashdot? (Score:2)
Re:Remember people mocking this exploit on slashdo (Score:4, Insightful)
I stand by my comments back then. This affects _zero_ of my Linux machines, and I have about 10, all with different installations. The claim as to "every Linux machine is vulnerable" was nothing but a direct, highly unethical lie by a complete asshole.
Re: (Score:2)
Re: Remember people mocking this exploit on slashd (Score:2)
I was on that thread and yes, I criticized the article. I mocked it and I called it "fake news" and "FUD". And you know, everything I said and guessed there came true in the end. So, in retrospective, there is nothing I wrote in that thread that I need to be ashamed of.
With all that said, I need to say that the described vulnerability is real. I never denied that, I only criticized and mocked its gross misrepresentation.
RHEL cups-filters rpm was just updated to fix this (Score:1)
An update for cups-filters rpm was just issued by Redhat (and subsequently by Rocky, etc) to fix this.
Now you must explicitly list your printer server in the cups-browsed.conf file before cups-browsed will work.
Before this update it defaulted to looking for any printer it could find on your network.
Re: (Score:2)
Before this update it defaulted to looking for any printer it could find on your network.
Which is insane. Essentially, whoever was responsible for that design has no clue at all how to write secure software.
Re: (Score:2)
It's worth nothing that cups-browsed does not run by default in the most current version RedHat, Rocky, Alma, or Fedora Linux. So for most users, the defaults in cups-browsed.conf don't matter that much. But changing the default conf file is definitely a good and welcome idea, should the user ever enable browsed for whatever reason.
But only if you expose printers or have a Mac. (Score:1)
Re: But only if you expose printers or have a Mac. (Score:2)
Macs use a sandboxed user account to run CUPS, from what I recall. Have you seen something to the contrary?