Slashdot Mirror
CUPS Security Vulnerabilities
Buck Naked writes "A slew of vulnerabilities was discovered in CUPS, from the advisory: 'Exploitation of multiple CUPS vulnerabilities allow local and remote attackers in the worst of the scenarios to gain root privileges...' The full advisory can be found at iDEFENSE."
Common sense applies. The outside world doesn't need access to your printers, so firewall it and remember to patch it once in a while and you might be safe...
While many might chime in here saying this story would be better suited on security sites, I for one just heard about it now. I also plugged about 3 vulnerabilities because of it.
CUPS, as far as I'm concerned is the killer app for printing in the *nix world. And just like another poster mentioned, why on earth would someone not be firewalling their printer? So once again it comes down to the competency of the system administrator. As for the MS trolls out there who will use this as an excuse to pan OSS, I'd like to point out that at least with CUPS and projects like it we won't have to wait for the maintainers to admit there's a problem, and then wait a month or more for a fix. This is news only in that security vulnerabilities need to be dissemenated as widely as possible
If thou see a fair woman pay court to her, for thus thou wilt obtain love
Shouldn't a sysadmin be subscribed to bugtraq, in which case you would have read about it while at work?
That's sort of what I thought... Forgive me for being dense, but why do you need to replace the whole print subsystem to make up for bad drivers?
My Ass hurts.
Well, my copy of of Gentoo linux (currently installed), FreeBSD (currently installed), and OpenBSD (currently installed) cost me nothing at all. Were as, my one little pathetic copy of Win2k (unfortunately, currently installed) cost me over $300. Sure, *NIX is a little harder to use (poor baby doesn't want to work/learn?) but, you get a more secure OS solution (especially with OpenBSD) for 0/50 the price of Windows.
People don't move to open source software because there are more lazy people in the world. Well, I'll stick to *NIX.
Plus, instead of having to hire a small amount of people to go through and try to find such large amounts of bugs (Windows), you get every programmer across the globe to look (those who know about your project of course) for free (open source).
Are you telling me that you don't see the connection between government and laughing at people? - Interviewer
Why do daemons still run as root? All of these things should be running as unprivileged users, with lots of restrictions on what they can do. Processes need to be root to bind low ports? Then let's run these services on higher ports, or fix the kernel so any process can bind to lower ports. The unix "security model" is so brain-dead. The most dangerous input (stuff from the net) is handled at the highest privilege level (root). This is just idiotic.
Alright I'll feed the trolls.
> So these dangerous exploits were found by a source code review (as opposed to a script kiddy striking it lucky), which was only possible due to the open source nature of CUPS.
"Script kiddie striking it lucky"? Last I checked, script kiddies don't discover security holes. The let other people do that then download working exploits and once in a while one of them is simple enough to be operated without a brain.
> Now that this advisory has taught hackers how to compromise a great many lunix machines
Read the advisory. There's just the mention of the vulnerablity, no published exploit. Overlap the group of people capable of understanding the vulnerability and writing an exploit for it with the group of people who would waste their time doing so, and you're left with a very small number.
> isn't it worth considering that CUPs would have been so much more secure had it been a closed source project? It's simple logic that only the most blatant troll could disagree with; source closed --> exploits never found --> hackers can't exploit CUPs.
Reverse engineering? Cracking a machine that contain the source code? Intercepting communications between developers? Security through obscurity doesn't work, period. I can go on for days about that, but there are people far more articulate than I who would be happy to do so.
> How many people might've come to know about them in that time?
I would estimate that no more that 4 to 6 people had complete access to all of the problems before they were made public.
To the best of my knowlege none of these problems were ever exploited in the wild. (And if they were, as long as people patch their systems, they won't be.)
I found these problems by auditing the source, and not because of any rumors of active exploitation.
Open source software is sometimes considered to be more secure than closed source because you can see the source code.... the same reason other people say that it is less secure.
For being able to see the source code to make any difference at all, someone actually has to look at it, which doesn't appear to happen as often as either side claim does.
All it takes for a piece of software to be insecure is one exploitable problem, whether it is open or closed source.
What helps keep people secure is publicity that there is something wrong.
It's no use there being patches made available if nobody knows there was a problem... this article has probably done more for getting peoples boxes patched than all the security lists combined.
Anonymous Coward complained that it was a month between the holes being discovered and the patch being released... check out the problem's I found with the posterboy of open source in business, Netscape/Mozilla... 4 months to get some of them fixed... and when they released a buggy version and patched it 2 days later (or something like that) people actually CONGRATULATED THEM!!! Publicity over the bugs in Mozilla/Netscape was minimal to say the least...
Look at Code Red. Publicity caused that to be much less of a problem than it could've been.
The more exploits the 'bad guys' have, the more likely those exploits will be patched.
Having an exploit for a vulnerability that is patched on 99% of boxes is pretty much useless... distributing an exploit with your advisory isn't 'a neccessary evil', it's a bloody good idea.
A complete working script kiddie friendly exploit for every hole that is found should be given away, free of charge. Let the holes that people don't patch get exploited. If you know that within a day of a security advisory being released there will be an easy to use way for anyone in the world to use it against you, are you going to let your guard down?
-- zen-parse
Yeah, heaven forbid that we make it user-friendly, then I'd have to move to some other OS... ;)
Ease of use and versatility don't have to be mutually exclusive, you know. What's wrong with point and print? I can think of few things less interesting than setting up printing. If I can get that fixed with a few clicks, then I would be very happy. Then I could move on to learning something interesting instead.
Meep.
Then fix it yourself, troll. There's nothing from stopping you from FTPing the source down, running ./configure, and running make install. Almost all OSS stuff is THAT easy these days.
If you're using OSS, you need to be able to work it, not just sit there and whine for updates.
I want to delete my account but Slashdot doesn't allow it.
Printing is mission critical. I take care of printing where I work, and I can tell that people haved screamed when something has broken printing. Printing ranks right up there with email as a critical service.
One of my colleaques altered an NDS group which whacked printing for about 150 people. They took away all of his rights because of that.