https://www.phoronix.com/news/Linux-CVSS-9.9-Rating https://www.omgubuntu.co.uk/2024/09/ubuntu-secuity-fix-cups-vulnerability https://www.theregister.com/2024/09/26/cups_linux_rce_disclosed People have been saying for years in security forums that no unused services should ever be left running. They must feel vindicated.
Embargo on the issue… the reality is those aware of it and inside the confines of the embargo are probably the same people selling the info surrounding the flaw that is then used for malicious intent. If they made it public knowledge rather than sticking embargos on it you could have had thousands move to a secondary system without this requirement or made use of a workaround such as a block to UDP port 631 as noted. There's nothing new with this sort of behaviour though and that's the main issue!!
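The UDP 631 workaround mentioned above, turned into a quick self-check. This is an added example, not code from the thread or from the CUPS project: it checks whether anything is bound to UDP 631 (the port cups-browsed listens on for legacy CUPS browse packets) and whether cups-browsed.conf still accepts remote browse input, then prints the mitigation. The `ss -lun` column layout, the config path `/etc/cups/cups-browsed.conf`, the `BrowseRemoteProtocols` directive and the `inet filter input` nftables chain are assumptions about a typical Debian/Ubuntu host; the sample outputs are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): is cups-browsed reachable on this host?
# Assumes the `ss -lun` column layout (State Recv-Q Send-Q Local:Port Peer:Port ...)
# and the Debian/Ubuntu config path /etc/cups/cups-browsed.conf.

# Constructed sample data so the checks can be exercised offline.
SAMPLE_SS_EXPOSED='UNCONN 0 0 0.0.0.0:631 0.0.0.0:* users:(("cups-browsed",pid=812,fd=7))'
SAMPLE_SS_CLEAN='UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=601,fd=13))'
SAMPLE_CONF_DEFAULT='# cups-browsed.conf (constructed)
BrowseRemoteProtocols dnssd cups
BrowseLocalProtocols dnssd'
SAMPLE_CONF_HARDENED='# cups-browsed.conf (constructed)
BrowseRemoteProtocols none
BrowseLocalProtocols dnssd'

# Returns 0 if the given `ss -lun` output has a UDP socket bound to port 631
# on any address (0.0.0.0:631, [::]:631, *:631, 192.0.2.10:631).
udp631_listening() {
    printf '%s\n' "$1" | grep -Eq '^UNCONN[[:space:]].*[:.]631[[:space:]]'
}

# Returns 0 if the given cups-browsed.conf content still accepts remote browse
# packets. Only an active "BrowseRemoteProtocols none" line disables them; an
# absent line means the default (assumed here to be "dnssd cups"), i.e. enabled.
browse_input_enabled() {
    if printf '%s\n' "$1" | grep -Eq '^[[:space:]]*BrowseRemoteProtocols[[:space:]]+none[[:space:]]*$'; then
        return 1
    fi
    return 0
}

# Mitigation text: stop the browsing daemon (cupsd itself keeps printing), or
# drop the browse packets at the host firewall as the comment above suggests.
# The nftables line assumes an existing "inet filter" table with an "input" chain.
print_mitigation() {
    cat <<'EOF'
sudo systemctl stop cups-browsed && sudo systemctl mask cups-browsed
# or, at the firewall:
sudo nft add rule inet filter input udp dport 631 drop   # nftables
sudo iptables -I INPUT -p udp --dport 631 -j DROP          # iptables
EOF
}

# Live check against the running host; falls back gracefully if ss/config are absent.
main() {
    ss_out=$(ss -lun 2>/dev/null || true)
    conf=$(cat /etc/cups/cups-browsed.conf 2>/dev/null || true)
    if udp631_listening "$ss_out"; then
        echo "UDP 631 is open: cups-browsed (or something else) accepts browse packets."
    else
        echo "Nothing bound to UDP 631."
    fi
    if [ -n "$conf" ] && browse_input_enabled "$conf"; then
        echo "cups-browsed.conf still allows remote browse input."
    fi
    echo "Mitigation:"
    print_mitigation
    return 0
}

main "$@"
```

Run it as root on the host you are worried about; the two checks are also plain functions so they can be dropped into an existing audit script and fed saved `ss` output from a fleet.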
From what I can see on Reddit, Ubuntu Snap sandboxing made sod all difference, even though they promote snaps as helping to contain zero-day exploits. Which I’m sure comes as no surprise to anyone.
They are introducing a new Snaps security centre so I don't know if there will be finer controls over Snaps' LAN and WAN access.
Snaps can burn in hell. So can flatpak. So can appimage. Honestly containers aren't far behind, neither are *BSD jails. The overhead is astounding. Then the owners of these projects try to do some funky workarounds by separating out the underlying libraries like Qt or GTK into separate packaging, defeating the whole point of these glorified cgroups in a box. /rant
https://www.theregister.com/2024/10/07/critical_cups_vulnerability_chain_easy/ The critical vulnerability in the Common Unix Printing System (CUPS) reported last week might have required some very particular circumstances to exploit, but Akamai researchers are warning the same vulnerabilities can easily be exploited for mass DDoS attacks. As we reported near the end of September when the vulnerabilities were made public, there are a series of four CVEs in CUPS that, when chained together, can allow a remote attacker to commandeer a victim's machine. Of course, there are some limitations: It only works if you're running CUPS with cups-browsed enabled, and can only be exploited when a print job is started. Send a carefully crafted packet to a vulnerable CUPS server, and none of those special conditions are needed to wreak havoc: if an attacker asks a CUPS server to treat the target of a DDoS request like a printer to be added, all bandwidth hell breaks loose. "For each packet sent, the vulnerable CUPS server will generate a larger and partially attacker-controlled IPP/HTTP request directed at the specified target," Akamai researchers said. "As a result, not only is the target affected, but the host of the CUPS server also becomes a victim, as the attack consumes its network bandwidth and CPU resources."
That starts to give the CVE score more sense. I bet there are thousands of Linux-based home gateways out there that have never seen a firmware update and potentially have CUPS and cups-browsed installed.