:: Re: [DNG] Critical CVE?
Top Page
Delete this message
Reply to this message
Author: Marin Ivanov
Date:  
To: dng
Subject: Re: [DNG] Critical CVE?
Hi Rob,

The daemon needs root for port < 1024 binding and maybe some opened files.
However, I don't see a reason why the daemon should keep and not drop
the root privileges after that.

Maybe they did not want to fix it upstream and was left for the distros
to patch.

Kind Regards,
Marin

On 27/09/2024 13:40, Rob van der Putten via Dng wrote:
> Hi
>
>
> On 27/09/2024 11:43, Didier Kryn wrote:
>
>> Le 26/09/2024 à 23:05, Nick via Dng a écrit :
>>> On 26-09-2024 22:55, Peter Duffy wrote:
>>>> These have appeared in the last hour or so:
>>>>
>>>> https://gist.github.com/stong/c8847ef27910ae344a7b5408d9840ee1
>>>>
>>>> https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/
>>>>
>>>>
>>>> CUPS  (specifically cups-browserd)
>>>>
>>>> Personally, I'm waiting for a few analyses of the above before I do
>>>> anything drastic.
>>>>
>>>> On Thu, 2024-09-26 at 14:33 -0500, golinux via Dng wrote:
>>>>> On 2024-09-26 13:53, Martin Steigerwald wrote:
>>>>>> Hi.
>>>>>>
>>>>>> Peter Duffy - 26.09.24, 20:21:15 CEST:
>>>>>>
>>>>>> Or on The Register. And its past 20:00 UTC already.
>>>>>>
>>>>> Nope . . .
>>>>>
>>>>> https://time.is/UTC says it is now 19:31 UTC which is important
>>>>> because
>>>>> today's meet is at 20:30.
>>>>>
>>>>> golinux
>>> It looks pretty serious although I wonder why you would have a open
>>> cups port on the WAN interface. On the distro's I know cups is not
>>> installed by default. And default on 127.0.0.1 if installed.
>>
>>      This is a risk for hosts running Cups in an untrusted LAN;
>> certainly not at home. I don't know for you guys, but it would take
>> me some config work on my internet box to map some incoming port to
>> port 631 of the host running Cups; and why would I do this for? In
>> addition this requires to have a private WAN IP address for the box.
>>
>>      But, in an untrusted LAN the risk may be made even bigger by
>> Cups design: if a host is connected to two networks, its Cups server
>> allows by default to hop from one LAN to the other for printing.
>
> Apart from remote access, can someone explain to me why cups-browsed
> runs as root?
> It is the only network daemon that I know of, that does so.
>
>
> Regards,
> Rob
>
>
> _______________________________________________
> Dng mailing list
> Dng@???
> https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng