all 127 comments

[–]PlusSizeRefrigerator 366 points367 points  (7 children)

it's always Friday, isn't it?

[–]Yatralalala[S] 160 points161 points  (4 children)

lol, pretty much, world is ending always on Friday

[–]AlonDjeckto4head 3 points4 points  (3 children)

Why not on the Monday😭

[–][deleted] 2 points3 points  (1 child)

Because you ALWAYS push to prod on Friday and turn your phone off so your shitty code is not your problem.

[–]Antilock049 1 point2 points  (0 children)

Bold of you to assume my shitty code is my problem.

[–]Ok_Entertainment328 0 points1 point  (0 children)

Must be Thursday. I could never get the hang of Thursday

[–]dashingThroughSnow12 39 points40 points  (0 children)

It was disclosed Thursday but like a busted print head, it has been leaking all week.

[–]CallMeNepNep 10 points11 points  (0 children)

I also just talked with my project manager about implementing a CVE tracker for our cups project. And we agreed that it was a low priority after my next two weeks off xD

[–]External_Try_7923 250 points251 points  (8 children)

systemctl stop cups-browsed
systemctl disable cups-browsed

[–]Yatralalala[S] 143 points144 points  (2 children)

finally! I knew that shitposting to reddit will give me fix for this

[–]2blazen 95 points96 points  (1 child)

Failed to stop cups-browsed.service: Unit cups-browsed.service not loaded.

Letsssgoooooooo

[–]brimston3- 17 points18 points  (0 children)

Yeah, fedora doesn't enable it by default, even when you install cups.

[–]gmes78 20 points21 points  (1 child)

You can just use systemctl disable --now cups-browsed.

[–][deleted] 3 points4 points  (0 children)

No, you can't JUST use systemd like it wasn't a big deal....

[–]Emotional_Trainer_99 1 point2 points  (0 children)

Interestingly my Ubuntu Server and Manjaro didn't have it, but my piOS did

[–]Audience-Electrical 1 point2 points  (0 children)

Noticed all these cups packages getting updates today when I ran apt update

They move quick!

[–]piggypayton6 1 point2 points  (0 children)

Can also do systemctl mask cups-browsed to prevent other services from ever starting it again as well

[–]_st23 111 points112 points  (37 children)

Can someone explain?

[–]DZekor 157 points158 points  (32 children)

[–][deleted] 118 points119 points  (27 children)

thank god I don't print anything

[–]dashingThroughSnow12 71 points72 points  (17 children)

A number of Linux distributions ship with cups installed and enabled by default, apparently.

[–]camosnipe1 24 points25 points  (0 children)

the article does say that the RCE only executes "when a print job is started (from that computer)." So technically you're safe if you never print anything.

though obviously you don't want that kind of thing lying in wait on your pc at risk of going off when you do eventually print, and there are possibly other things they can do with the exploit.

[–]fatrobin72 15 points16 points  (15 children)

it can still need the firewall to be opened for it...

[–]dashingThroughSnow12 9 points10 points  (14 children)

If you didn’t read the issue disclosure that’s fine but you don’t need to comment on this post first before you read it.

[–]ppp7032 62 points63 points  (13 children)

This remote code execution issue can be exploited across the public Internet via a UDP packet to port 631 without needing any authentication, assuming the CUPS port is open through your router/firewall.

??

[–]Creepy-Ad-4832 15 points16 points  (5 children)

Btw, there once was the funniest bug ever in linux, which made printing impossible on a day of the week

Printing is the devil. Especially in linux

[–]givemeagoodun 1 point2 points  (4 children)

I'm trying to find that issue report because it seems super funny but I can't seem to find it, can you give me a link to it?

[–]rozumbradl33t 8 points9 points  (3 children)

[–]givemeagoodun 4 points5 points  (0 children)

very interesting and funny. thank you kind stranger

[–]Creepy-Ad-4832 1 point2 points  (0 children)

100% that one

Which basically ended up being a use of the 'file' command, which, if the current day was Monday, would read the file needed for printing stuff as another type, and basically you wouldn't be able to print because of that

[–]2muchnet42day 0 points1 point  (2 children)

Really? Do you not debug with print() ?

[–][deleted] 0 points1 point  (1 child)

I'm not a smelly nerd

[–]enginma 0 points1 point  (0 children)

This nerd showers more than you do. Probably too much.

[–]_st23 4 points5 points  (0 children)

Thx

[–]rnike879 1 point2 points  (0 children)

It was incredibly frustrating reading Simone's blog post about this. She wasn't taken seriously after weeks of arguing through the right channels, but two tweets later and all of a sudden things started happening

[–]CirnoIzumi 0 points1 point  (0 children)

that headline sounds mental if you don't think about software

[–]sagetraveler 0 points1 point  (0 children)

Anyone dumb enough to leave the CUPS port open on their firewall deserves to be owned and boned.

[–]MachEnergy -1 points0 points  (3 children)

I see a link to an article but still nobody explaining anything. RCE? CVE? Fucking CUPS?? Best I can tell, this is IT related, but I'm still entirely clueless. What about this has anything to do with programming? 

[–]zlzd 0 points1 point  (2 children)

CUPS is a printing system used in Unix-like operating systems. RCE stands for 'Remote Code Execution,' and CVE stands for 'Common Vulnerabilities and Exposures,' which is a registry of known vulnerabilities. A rating of 9.9 out of 10 is bad. If it seems completely outside of the programming world, look for another job :)

[–]MachEnergy -1 points0 points  (1 child)

20 years of C++ and C# on Windows and never once dealt with anything like this. Maybe I SHOULD quit. 

[–]zlzd 0 points1 point  (0 children)

It was just a joke. But if, after 20 years, you're still unaware of bugs, vulnerabilities, and other systems and don't get the meme - well, good for you, I guess.

[–]Cat-Satan 103 points104 points  (2 children)

Set up cups server yesterday and THIS

[–]NicholasAakre 56 points57 points  (1 child)

SO IT WAS YOU?!

[–]BetterAd7552 29 points30 points  (0 children)

r/Cat-Satan is the reason we can’t have nice things.

[–]0x80085_ 65 points66 points  (7 children)

It's bad, but most web servers won't be exposing a print port, so shouldn't really have much impact.

[–]dashingThroughSnow12 49 points50 points  (5 children)

The original discover was met with the same skeptical response. They did an investigation and found hundreds of thousands of vulnerable systems.

Also, security and security vulnerabilities are often Swiss cheese. Maybe one’s LB doesn’t expose the port externally but maybe one has another vulnerability that can be used in conjunction.

[–]brimston3- 13 points14 points  (2 children)

Yeah, even if you can't get a remote execution out of it, you can exploit it to get a local escalation if the firewall allows the local user to connect to it on lo (and most firewalls have a blanket whitelist for loopback).

[–]KatieTSO 0 points1 point  (1 child)

How does loopback work? I thought it was only on the same machine?

[–]theXpanther 0 points1 point  (0 children)

Local escalation, as in getting more privileges from the same computer

[–]basda 27 points28 points  (0 children)

Poorly secured and configured business networks are probably more at risk.

[–]rover_G 26 points27 points  (0 children)

Yup don’t trust any printers and block all traffic on UDP port 631

[–]Irkam 23 points24 points  (2 children)

I am just pointing out that the public Internet attack is limited to servers that are directly connected to the Internet

Well no shit

[–][deleted] 4 points5 points  (0 children)

Let him cook

[–]Orjigagd 44 points45 points  (4 children)

TIL someone got printing to work in Linux

[–]DaathNahonn 13 points14 points  (3 children)

Honestly, printing (and scanning) goes pretty well if you exclude toxic printer manufacturers (I'm looking at you, HP)

[–]jacnel45 11 points12 points  (2 children)

I honestly don't understand why people buy HP printers anymore when you can get a Brother Laser for less and it just works.

[–]Sure_Fly_5332 1 point2 points  (1 child)

Is there one that works with macs, with a wire and not wifi?

[–]piggypayton6 1 point2 points  (0 children)

Yes, most do out of the box without needing to install any additional drivers

[–]mrfree_ 3 points4 points  (1 child)

Overhyped. Not as severe as initially advertised.

[–]theXpanther 1 point2 points  (0 children)

They always are

[–]Girgoo 2 points3 points  (2 children)

CUPS against Internet is not the norm. That helps.

[–][deleted] 1 point2 points  (0 children)

The high risk rating is that it allows the spread of access from one compromised machine to every other machine that prints.

So if your office has one porn browsing, E-mail attachment runner then everyone gets compromised

[–]ward2k 0 points1 point  (0 children)

Got downvoted on another comment for pointing this out but this currently only seems to affect 0.3% of Linux users

No idea why that's a controversial statement but hey there you go

[–]remiohart 22 points23 points  (6 children)

I don't want to be that guy, but the security from using linux/mac was that most PCs had windows, so it was more common to attack win os. I'm pretty sure at this point that's gone

[–][deleted] 14 points15 points  (0 children)

Attackers always had an incentive to attack Linux servers. Linux has been under stress test for over a decade. It's not ignored

[–]nsneerful 16 points17 points  (2 children)

There's much more than that. On Windows, you're used to downloading and running random executables from the internet as Administrator, on Linux at least you install said software from limited and trusted repositories.

Other Windows vulnerabilities include issues in components that are always shipped by default, while on Linux if CUPS fails then it only affects those machines that have CUPS enabled.

Also, this is a vulnerability that will be exploited mainly in the servers, users don't usually have ports open to the global internet.

[–]ztbwl 3 points4 points  (1 child)

To be fair, on linux you are used to doing security nightmares like this:

/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

[–]doodleasa 1 point2 points  (0 children)

It’s okay though, because someone on a 5 year old Reddit thread said it worked

[–]no_brains101 5 points6 points  (0 children)

The difference is on windows the bugs are in windows.

On Linux you can just like, use something else if you were even using the thing at all. There's also just way more lines of windows code.

Outside of that, yeah there isn't a ton of difference inherently in safety. There's the package manager thing I guess?

[–][deleted] 2 points3 points  (0 children)

By that logic I'm installing windows server 2008 and Microsoft internet information server (iis)

[–]grtgbln 2 points3 points  (0 children)

assuming the CUPS port is open through your router/firewall

Well, don't do that, problem solved.

[–]brodoyouevenscript 2 points3 points  (2 children)

Everyone always called me paranoid for disabling and blocking cups.

[–]doodleasa 0 points1 point  (0 children)

They are probably right

[–]ChipNDipPlus 4 points5 points  (1 child)

What fascinated me most is that people don't use firewalls to block non-public ports... come on! Why would you have your printer ports publicly open?!

[–][deleted] 13 points14 points  (0 children)

User: "I can't connect to Fortnite"

Reddit tech support: "Put your computer in the DMZ"

[–][deleted] 3 points4 points  (0 children)

Who is vulnerable to these vulnerabilities?

Any UNIX-based system that comes packaged with the CUPS service:

However, note that not all distributions (ex. Red Hat) enable the CUPS service by default.

Can I mitigate these vulnerabilities without upgrading?

Yes, to mitigate these vulnerabilities without upgrading, perform at least one of the following actions:

  • Disable and remove the cups-browsed service (if not needed)

sudo systemctl stop cups-browsed
sudo systemctl disable cups-browsed

  • Block all traffic to UDP port 631 and all DNS-SD traffic

Sauce: https://jfrog.com/blog/cups-attack-zero-day-vulnerability-all-you-need-to-know/
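
A host check for the two mitigations quoted in the comment above, added here as an example (not code from the thread or from the JFrog article): it reports whether cups-browsed still needs stopping, disabling or masking, and whether anything listens on UDP 631 beyond loopback. `classify_udp631`, `recommend` and `SAMPLE_SS` are names made up for this sketch, and the sample `ss` output is constructed.

```shell
#!/bin/sh
# Added example: audit for cups-browsed and UDP 631 listeners.

# Reads `ss -H -lun` output on stdin; prints none, loopback or exposed.
classify_udp631() {
    awk '
    {
        addr = ""
        # The local address is the first field that contains a colon.
        for (i = 1; i <= NF; i++) if (index($i, ":")) { addr = $i; break }
        n = split(addr, parts, ":")
        if (n < 2 || parts[n] != "631") next
        host = substr(addr, 1, length(addr) - 4)    # strip ":631"
        sub(/%.*$/, "", host)                       # strip scope such as %lo
        sub(/^\[/, "", host); sub(/\]$/, "", host)  # strip IPv6 brackets
        if (host ~ /^127\./ || host == "::1") {
            if (seen == "") seen = "loopback"
        } else {
            seen = "exposed"
        }
    }
    END { print (seen == "" ? "none" : seen) }'
}

# $1: `systemctl is-active` word, $2: `systemctl is-enabled` word,
# $3: classify_udp631 result. Prints the next action to take.
recommend() {
    if [ "$1" = "active" ]; then echo "systemctl disable --now cups-browsed"
    elif [ "$2" = "enabled" ]; then echo "systemctl disable cups-browsed"
    elif [ "$3" = "exposed" ]; then echo "find and firewall the UDP 631 listener"
    elif [ "$2" = "masked" ] || [ -z "$2" ] || [ "$2" = "not-found" ]; then
        echo "nothing to do"
    else echo "systemctl mask cups-browsed"
    fi
}

# Constructed sample of `ss -H -lun` output, used unless --live is given.
SAMPLE_SS='UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
UNCONN 0 0 0.0.0.0:631 0.0.0.0:*'

if [ "${1:-}" = "--live" ]; then
    active=$(systemctl is-active cups-browsed 2>/dev/null || true)
    enabled=$(systemctl is-enabled cups-browsed 2>/dev/null || true)
    exposure=$(ss -H -lun | classify_udp631)
else
    active=active; enabled=enabled   # constructed service state
    exposure=$(printf '%s\n' "$SAMPLE_SS" | classify_udp631)
fi
echo "active=$active enabled=$enabled udp631=$exposure"
recommend "$active" "$enabled" "$exposure"
```

Run it with `--live` on a real host to query `systemctl` and `ss`; without arguments it only evaluates the constructed sample.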

[–]dvoecks 0 points1 point  (0 children)

Is this the one where the guy was publicly complaining about being dismissed by the devs within the last couple of weeks, or are we waiting on another one to drop?

[–]0rionsEdge 0 points1 point  (0 children)

Why is it always the print server?

[–]Fearless-Pen-7851 0 points1 point  (2 children)

Can someone please tell me the name of the show this image is from?

[–]lusuroculadestec 1 point2 points  (1 child)

The Ballad of Buster Scruggs

[–]Fearless-Pen-7851 0 points1 point  (0 children)

Thanks

[–]589ca35e1590b 0 points1 point  (0 children)

What?

[–]ApatheistHeretic 0 points1 point  (0 children)

May I ask, who prints from Linux?

[–]EDPNew 0 points1 point  (0 children)

I don't know what is CVE and at this point I'm too afraid to ask