Slashdot Mirror


CUPS Security Vulnerabilities

Buck Naked writes "A slew of vulnerabilities was discovered in CUPS, from the advisory: 'Exploitation of multiple CUPS vulnerabilities allow local and remote attackers in the worst of the scenarios to gain root privileges...' The full advisory can be found at iDEFENSE."

64 of 155 comments

  1. Same shit, different daemon... by norculf · · Score: 5, Insightful

    Common sense applies. The outside world doesn't need access to your printers, so firewall it and remember to patch it once in a while and you might be safe...

    1. Re:Same shit, different daemon... by Rubbersoul · · Score: 2

      I agree with you at home no one should need to print to your printers from the outside world. In a corporate environment though there are many real world times when printing to different locations may be needed ...

      --
      man .sig
      No manual entry for .sig.
    2. Re:Same shit, different daemon... by zen+parse · · Score: 2, Informative

      At least one of these is exploitable via a url... I think that was mentioned somewhere in the advisory. (If not, that is what the remote method is, so you know.)

      If you get an email with a specially constructed image link in it, or visit a website with that url, you can be remotely exploited... it ignores the firewall because it is you doing the connecting to it. (Can even put every possible address you might have a printer on your LAN into a page, with every possible offset... or at least the most likely ones... too many malformed connections, and your daemon dies... remote denial of service maybe?)

      Filtering connections to port 631 in mozilla/netscape would protect you from this, but it would also stop you being able to use the administration via http features of CUPS, which gives you the proverbial choice between dancing elephants and security, it seems.

      Overview:

      You MUST patch it to be protected. Firewalling also won't protect you from malicious local users getting root, and it won't stop you being hacked by yourself.

    3. Re:Same shit, different daemon... by evilviper · · Score: 2

      That works fine for you, and a lot of home users, but what about those of us who run a network? Shall we all just assume that nobody that has access wants to break in? Why not just leave the root password blank and save them the trouble? /me Is glad he's using good ol' lpd.

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    4. Re:Same shit, different daemon... by Blkdeath · · Score: 2
      Filtering connections to port 631 in mozilla/netscape would protect you from this, but it would also stop you being able to use the administration via http features of CUPS, which gives you the proverbial choice between dancing elephants and security, it seems.

      Our LAN's CUPS configuration allows port 631 connections only from administrative workstations. IMHO, that's just common-sense security. This could be enforced with a combination firewall and switch/router ACLs that segregate IP sources. If administrators need to perform administrative tasks while 'on the run', they can always VPN to an administrative area.

      As for a smaller LAN, just a simple ACL and firewall configuration should suffice. The biggest assumption, of course, is that those using the administrative workstations are clueful* enough to be wary about opening images in e-mail and what-not.

      You MUST patch it to be protected. Firewalling also won't protect you from malicious local users getting root, and it won't stop you being hacked by yourself.

      Oh, without question. Sadly, the CUPS website is severely lacking in documentation and security advisories. I tried to check the "More Info" for the December 19th release, but was returned to the homepage. So I've downloaded it and will check the ChangeLog instead.

      * (I can't believe I just used that term!)

      --
      BD Phone Home!

      Shameless plug. Like you weren't expecting it.

  2. It's a good thing by Morgahastu · · Score: 2, Funny

    It's a good thing most new users can't setup CUPS and just disable ;)

    Until RedHat 8 came out that is!

  3. Thanks CowboyNeal and poster by mao+che+minh · · Score: 5, Insightful

    While many might chime in here saying this story would be better suited on security sites, I for one just heard about it now. I also plugged about 3 vulnerabilities because of it.

  4. Patches out, you can relax by Erore · · Score: 5, Informative

    http://www.cups.org/news.php?V87

    Whew, I feel much safer now. It's always nice that someone feels ownership for the code, thus that someone takes quick action and fixes the problems. Thank you Michael Sweet for a great print system and quick action.

    1. Re:Patches out, you can relax by printman · · Score: 2

      Check out the CUPS download page - it has MD5 sums that you can validate against your downloaded copies (no sense putting them in files on the FTP server, now is there? :)

      --
      I print, therefore I am.
  5. Vendor notes... by Anonymous Coward · · Score: 5, Informative


    Michael Sweet [mike@easysw.com] of Easy Software Products said CUPS 1.1.18 will be released December 19, 2002 which addresses all of these issues (http://www.cups.org).

    Mark J Cox (mjc@redhat.com) of Red Hat said the following:

    "Red Hat Linux 7.3 and 8.0 ship with CUPS, however it is not enabled by default. We are currently working on producing erratum packages. When complete, these will be available along with our advisory. At the same time, users of the Red Hat Network will be able to update their systems using the 'up2date' tool."

    Richard Blanchard (rblanchard@apple.com) of Apple said the following:

    "Affected Systems:
    Mac OS X 10.2 - Mac OS X 10.2.2
    Mac OS X Server 10.2 - Mac OS X Server 10.2.2

    Mitigating Factors:

    The described vulnerability can be remotely exploited only when Printer Sharing is enabled. Printer Sharing is not enabled by default on Mac OS X or Mac OS X Server.

    Fixed in: Mac OS X 10.2.3 and Mac OS X Server 10.2.3"

  6. Impressive List & Response by goldid · · Score: 4, Interesting

    I'd just like to note how good the response is. The list of vulnerabilities is well stated and very complete. Furthermore, the time line of events is excellent and patching was superb and fast. My OS X box was patched before I even knew about the vulnerability. Thanks to iDEFENSE and zen-parse.

    1. Re:Impressive List & Response by zen+parse · · Score: 4, Insightful

      > How many people might've come to know about them in that time?

      I would estimate that no more than 4 to 6 people had complete access to all of the problems before they were made public.

      To the best of my knowledge none of these problems were ever exploited in the wild. (And if they were, as long as people patch their systems, they won't be.)

      I found these problems by auditing the source, and not because of any rumors of active exploitation.

      Open source software is sometimes considered to be more secure than closed source because you can see the source code.... the same reason other people say that it is less secure.

      For being able to see the source code to make any difference at all, someone actually has to look at it, which doesn't appear to happen as often as either side claims it does.

      All it takes for a piece of software to be insecure is one exploitable problem, whether it is open or closed source.

      What helps keep people secure is publicity that there is something wrong.

      It's no use there being patches made available if nobody knows there was a problem... this article has probably done more for getting people's boxes patched than all the security lists combined.

      Anonymous Coward complained that it was a month between the holes being discovered and the patch being released... check out the problems I found with the posterboy of open source in business, Netscape/Mozilla... 4 months to get some of them fixed... and when they released a buggy version and patched it 2 days later (or something like that) people actually CONGRATULATED THEM!!! Publicity over the bugs in Mozilla/Netscape was minimal to say the least...

      Look at Code Red. Publicity caused that to be much less of a problem than it could've been.

      The more exploits the 'bad guys' have, the more likely those exploits will be patched.

      Having an exploit for a vulnerability that is patched on 99% of boxes is pretty much useless... distributing an exploit with your advisory isn't 'a necessary evil', it's a bloody good idea.

      A complete working script kiddie friendly exploit for every hole that is found should be given away, free of charge. Let the holes that people don't patch get exploited. If you know that within a day of a security advisory being released there will be an easy to use way for anyone in the world to use it against you, are you going to let your guard down?

      -- zen-parse

  7. CUPS is still the best solution by jaymzter · · Score: 5, Insightful

    CUPS, as far as I'm concerned is the killer app for printing in the *nix world. And just like another poster mentioned, why on earth would someone not be firewalling their printer? So once again it comes down to the competency of the system administrator. As for the MS trolls out there who will use this as an excuse to pan OSS, I'd like to point out that at least with CUPS and projects like it we won't have to wait for the maintainers to admit there's a problem, and then wait a month or more for a fix. This is news only in that security vulnerabilities need to be disseminated as widely as possible.

    --
    If thou see a fair woman pay court to her, for thus thou wilt obtain love
    1. Re:CUPS is still the best solution by cthugha · · Score: 2

      Agreed. In addition, CUPS can be set up to only accept local connections (unlike regular BSD lpd), so even if your firewall fails, the printer daemon should still refuse an incoming remote connection.

    2. Re:CUPS is still the best solution by berzerke · · Score: 5, Informative

      ...why on earth would someone not be firewalling their printer?



      In addition to the firewalling, cups can also be portwalled too (see http://www.spotswood-computer.net/portwalling.html for details on this concept). Make sure it's not listening on an internet interface (which it would by default). Assuming your internal interface is 192.168.1.1, comment out the lines

      Port 80
      Port 631
      and replace them with
      Listen 192.168.1.1:631
      Listen 192.168.1.1:80
      and restart the service. Warning: The cups init.d script in Mandrake (at least) will make changes to your configuration file, resulting in cups failing to start if you make the changes listed here. Edit the script and stop it from making the changes before you restart.
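The change described in the post above, checked mechanically. This is an added example, not part of the original thread and not code from the CUPS project; the two configuration fragments are constructed samples, and treating a bare port number after `Listen` as a wildcard bind is an assumption.

```python
import ipaddress
import re

# Constructed sample cupsd.conf fragments: "Port" lines that bind every
# interface, and the edited version from the post (192.168.1.1 is the
# internal address the post assumes).
BEFORE = """\
# constructed sample, not a real distribution file
Port 80
Port 631
"""

AFTER = """\
#Port 80
#Port 631
Listen 192.168.1.1:631
Listen 192.168.1.1:80
"""

DIRECTIVE = re.compile(r"^\s*(Port|Listen)\s+(\S+)\s*$", re.IGNORECASE)
WILDCARD_HOSTS = {"", "*", "0.0.0.0", "::"}


def classify(host):
    """Label a bind address: wildcard, loopback, private, public or hostname."""
    if host in WILDCARD_HOSTS:
        return "wildcard"
    if host.lower() == "localhost":
        return "loopback"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"            # needs manual review: depends on name resolution
    if addr.is_loopback:
        return "loopback"
    return "private" if addr.is_private else "public"


def audit(conf_text):
    """Return [(line_no, "host:port", scope)] for every active Port/Listen line."""
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.split("#", 1)[0]  # commented-out directives are inactive
        match = DIRECTIVE.match(line)
        if not match:
            continue
        keyword, value = match.group(1).lower(), match.group(2)
        if keyword == "port" or value.isdigit():
            host, port = "*", value  # Port N (or a bare port) is treated as every interface
        else:
            host, _, port = value.rpartition(":")
            host = host.strip("[]")  # allow bracketed IPv6 literals
        if not port.isdigit():
            continue                 # not a TCP endpoint we can reason about
        findings.append((line_no, f"{host or '*'}:{port}", classify(host)))
    return findings


def reachable_beyond_lan(conf_text):
    """Endpoints that accept connections on any interface or on a public address."""
    return [f for f in audit(conf_text) if f[2] in ("wildcard", "public")]


if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name)
        for line_no, endpoint, scope in audit(text):
            print(f"  line {line_no}: {endpoint:<20} {scope}")
```
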

    3. Re:CUPS is still the best solution by _Sprocket_ · · Score: 2


      1) iDEFENSE discovers a bug in an open source software project, sits on it for a month, reports it and it gets fixed immediately. (Actually, it appears it wasn't iDEFENSE who discovered the vulnerability. It was an unnamed "contributor.")


      It might be worth noting that this is a major point of iDefense; payment for exploits. It's also been a source of criticism - be it valid or not.

      I have to wonder if the delay was over verification of the exploit and the decision process involved in awarding payment for discovery. If payment wasn't a part of the process, would the system be faster to report? But then - would it have been reported in the first place?
    4. Re:CUPS is still the best solution by slamb · · Score: 2
      In addition to the firewalling, cups can also be portwalled too (see http://www.spotswood-computer.net/portwalling.html for details on this concept). Make sure it's not listening on an internet interface (which it would by default)

      That's not necessarily enough. See this email about "weak end host". The short version is attackers can access the IP of one interface through another on Linux unless you go out of your way to prohibit it.

    5. Re:CUPS is still the best solution by Blkdeath · · Score: 2
      ... about "weak end host". The short version is attackers can access the IP of one interface through another on Linux unless you go out of your way to prohibit it.

      This relies, of course, on having IP routing enabled on the Linux box (disabled per default) without having the wherewithal to run NetFilter (or another suitable firewall).

      --
      BD Phone Home!

      Shameless plug. Like you weren't expecting it.

    6. Re:CUPS is still the best solution by slamb · · Score: 2
      This relies, of course, on having IP routing enabled on the Linux box (disabled per default) without having the wherewithal to run NetFilter (or another suitable firewall).

      First, I think it's reasonable to assume that nearly anyone with multiple interfaces will have IP routing enabled.

      Second, I'd guess most NetFilter configurations wouldn't stop this. You have to have a rule that denies anything coming in from the external interface for the internal IP. (Or that denies the service specifically, but then there's no real point to binding to the inside interface only.) Binding only to "safe" interfaces is sometimes pointed to as an alternative to firewalling services, so it's important to point out where that can fail. With the one rule, it works well.

    7. Re:CUPS is still the best solution by hackstraw · · Score: 2

      I've never heard of the term "portwalling" before, and google only returned 3 matches on the term.

      However, this idea is a useful and easy tool to make things a little more secure, especially if you are on a private lan. For completeness, it should be mentioned that xinetd, sendmail, apache, and most well written daemons support this mechanism. See the bind(2) manpage, basically you provide the source address to be something specific besides INADDR_ANY.

    8. Re:CUPS is still the best solution by Blkdeath · · Score: 2
      First, I think it's reasonable to assume that nearly anyone with multiple interfaces will have IP routing enabled.

      Not necessarily. Sometimes computers are just on multiple networks.

      Second, I'd guess most NetFilter configurations wouldn't stop this. You have to have a rule that denies anything coming in from the external interface for the internal IP.

      That's part of any proper BOGON filter set, or any decent firewall. Much like I deny all connections claiming to be from/to 127.0.0.1, I deny incoming connections from/to the RFC1918 address space, from my local address space, and from/to any of the unassigned ARIN address space. Claiming that "most" NetFilter configurations don't have such safeguards is, IMHO, a little rash.

      Binding only to "safe" interfaces is sometimes pointed to as an alternative to firewalling services, so it's important to point out where that can fail.

      If I ever saw someone suggesting it as an alternative to firewalling, I'd call them on it. It's an additional security precaution; not a replacement. I thought it went without saying, but then again this is the world where MCSEs (and other similar paper-hatters) are administering corporate WANs (and by extension, speaking of BOGONs, why the 69.0.0.0/8 address space is presently largely unroutable.)

      --
      BD Phone Home!

      Shameless plug. Like you weren't expecting it.

    9. Re:CUPS is still the best solution by slamb · · Score: 2

      I wrote: First, I think it's reasonable to assume that nearly anyone with multiple interfaces will have IP routing enabled.

      Blkdeath wrote: Not necessarily. Sometimes computers are just on multiple networks.

      Thus the "nearly". But I can't even think why you'd need to do that in a well-designed network.

      I wrote: Second, I'd guess most NetFilter configurations wouldn't stop this. You have to have a rule that denies anything coming in from the external interface for the internal IP.

      Blkdeath wrote: That's part of any proper BOGON filter set, or any decent firewall.

      I agree, but I'd still guess that most people don't. I often don't see it in tutorials for NetFilters and similar tools, and I imagine it's pretty common to end up with a firewall very similar to those.

      If I ever saw someone suggesting it as an alternative to firewalling, I'd call them on it.

      Did you read that portwalling draft that berzerke linked to? I quote:

      If you could configure your web server (and for Apache it is possible, and not that hard), to listen for connections on only 127.0.0.1 port 80 and 192.168.1.1 port 80, then no one from the internet could send packets to your web server even without a firewall running!

      It does not mention the need to prevent them from accessing one interface's IP from another interface.

    10. Re:CUPS is still the best solution by Blkdeath · · Score: 2
      Did you read that portwalling draft that berzerke linked to? I quote:

      [...]

      It does not mention the need to prevent them from accessing one interface's IP from another interface.

      It does, however, continue to state the need for a firewall in an effective protection setup;

      With a firewall and patching, an attacker would first have to get through the firewall, then find another way to connect to service / get around the port walling, and then find an unpatched exploitable vulnerability on that service. Not too likely to happen.

      The preceding paragraph (that you've paraphrased) was worded very poorly, that I'll give you, but this is a) a "Draft", and b) Merely one of the hundreds of thousands of sites offering advice on the Internet. Even still, if a person follows this through to the letter, they'll be at least partially protected. Of course they'll have to look elsewhere to find documentation for configuring their particular firewall package, as that was wisely left out of that 'draft'.

      If Joe Ignorant Homeuser's whiz-bang three computer home LAN is infiltrated because he didn't even implement the most basic safeguards and software patches, well, that's his own fault and I feel no pity for him.

      My home LAN uses port and firewalling for all internal services, and that's almost the way it should be. Ideally the only machine with more than one interface on a multi-homed network should be the firewall which, as I'm sure you're well aware, shouldn't be running any daemons.

      --
      BD Phone Home!

      Shameless plug. Like you weren't expecting it.

    11. Re:CUPS is still the best solution by berzerke · · Score: 2

      ...This relies, of course, on having IP routing enabled on the Linux box...



      I tested it and it still works even with routing disabled. Scary at first glance, but there is a ray of hope. Exploiting the "weak end host" depends on several things being perfect.



      First, an attacker has to know the ip address of the "other side" (where the services you want to protect are listening). Second, assuming you are using the private address range for your "other side" (which is standard), the attacker must be one hop away. Otherwise, the routers between the two systems would not know how to route the packet and simply drop it. This one hop rule will kill most attacks (but not all!) without further effort on your part.



      Finally, this attack can be filtered by a firewall quite easily. Don't allow packets from the wrong interface through to that port. Or, if you are using a private address range, all packets with a destination to the private address range get dropped.
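The delivery decision argued over in this sub-thread, as a small model. This is an added example, not part of the original thread and not kernel or NetFilter code; the interface names, the 203.0.113.10 outside address and the `deliver` function are constructed for illustration, and the strong-host branch is included only as a contrast.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology: eth1 carries the thread's internal address; eth0 uses a
# documentation-range address (203.0.113.10) as a stand-in for the outside one.
ADDRS = {"eth0": "203.0.113.10", "eth1": "192.168.1.1"}
LISTENERS = {("192.168.1.1", 631)}          # service bound to the inside address only


@dataclass(frozen=True)
class Packet:
    in_iface: str   # interface the packet arrived on
    dst: str        # destination IP in the packet header
    dport: int      # destination TCP port


@dataclass(frozen=True)
class DropRule:
    """Models an INPUT rule of the form: -i <in_iface> -d <dst_net> -j DROP."""
    in_iface: str
    dst_net: str

    def matches(self, pkt):
        return (pkt.in_iface == self.in_iface and
                ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst_net))

    def as_iptables(self):
        return f"iptables -A INPUT -i {self.in_iface} -d {self.dst_net} -j DROP"


def deliver(pkt, rules=(), strong_host=False):
    """Return what happens to pkt on a host with ADDRS and LISTENERS."""
    if any(rule.matches(pkt) for rule in rules):
        return "dropped by firewall"
    if pkt.dst not in ADDRS.values():
        return "not a local address"         # would need forwarding, not modelled here
    # Weak end host: any local address is accepted on any interface.
    # Strong end host: the destination must belong to the arrival interface.
    if strong_host and ADDRS[pkt.in_iface] != pkt.dst:
        return "dropped: address not on arrival interface"
    if any(port == pkt.dport and ip in (None, pkt.dst) for ip, port in LISTENERS):
        return "delivered to service"
    return "refused: nothing listening"


# Packets arriving on the outside interface, and one from the LAN.
TO_OUTSIDE_IP = Packet("eth0", "203.0.113.10", 631)
TO_INSIDE_IP = Packet("eth0", "192.168.1.1", 631)
FROM_LAN = Packet("eth1", "192.168.1.1", 631)

# The "one rule" (deny the internal IP on the external interface) and the
# broader variant that drops every private-range destination arriving there.
ONE_RULE = (DropRule("eth0", "192.168.1.1"),)
PRIVATE_RANGES = tuple(DropRule("eth0", net)
                       for net in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))

if __name__ == "__main__":
    print("bind only, outside IP  :", deliver(TO_OUTSIDE_IP))
    print("bind only, inside IP   :", deliver(TO_INSIDE_IP))
    print("bind + one rule        :", deliver(TO_INSIDE_IP, rules=ONE_RULE))
    print("bind + private ranges  :", deliver(TO_INSIDE_IP, rules=PRIVATE_RANGES))
    print("LAN client, rules on   :", deliver(FROM_LAN, rules=PRIVATE_RANGES))
    for rule in ONE_RULE + PRIVATE_RANGES:
        print(rule.as_iptables())
```
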

    12. Re:CUPS is still the best solution by berzerke · · Score: 2

      ...It does not mention the need to prevent them from accessing one interface's IP from another interface...



      You are absolutely correct and it will be corrected. However, it's not a total disaster. As I mention in another reply, if you are binding to a private address range (as the example does), then the attacker must be one hop away for the "attack" to work. This is assuming they know what your private address is. Thus, it's still good advice.

  8. Mac Users OK by mattvd · · Score: 5, Informative
    From the linked article:
    "Fixed in: Mac OS X 10.2.3 and Mac OS X Server 10.2.3"
    Apple just released 10.2.3 today.
    1. Re:Mac Users OK by Eric+Smith · · Score: 2
      Was CUPS not present in earlier releases of Mac OS X?

      If it was present, will Apple release fixes for those, or just force everyone to buy the 10.2 upgrade?

    2. Re:Mac Users OK by BJH · · Score: 2, Informative

      Apple switched to CUPS in Jaguar - earlier releases don't contain it.

    3. Re:Mac Users OK by maggard · · Score: 2
      Was CUPS not present in earlier releases of Mac OS X?
      CUPS was introduced to MacOS X in 10.2 - "Jaguar"
      If it was present, will Apple release fixes for those, or just force everyone to buy the 10.2 upgrade?
      It's irrelevant to folks prior to 10.2 (unless they've added it manually in which case they can update it the same way) and a free update to those with 10.2.n. Even comes in a combo patch so folks can skip intermediate releases.

      No forcing, no extra cost, the patch was released at the same time as the vulnerability was announced, got anything else you wanna try and pick on?

      --
      I don't read ACs: If a post isn't worth so much as a nom de plume to its author then I won't bother either.
  9. good thing... by nuckin+futs · · Score: 2

    Apple fixed it today on their Systems.

    "Affected Systems:
    Mac OS X 10.2 - Mac OS X 10.2.2
    Mac OS X Server 10.2 - Mac OS X Server 10.2.2
    Mitigating Factors: The described vulnerability can be remotely exploited only when Printer Sharing is enabled.
    Printer Sharing is not enabled by default on Mac OS X or Mac OS X Server.
    Fixed in: Mac OS X 10.2.3 and Mac OS X Server 10.2.3"
    (released today)

  10. Whew! by DoctorPhish · · Score: 3, Funny

    I sure am glad I removed CUPS from my mom's debian box before I moved out last week (and took my firewall with me). I still think printing is the worst thing about unix in general (and about GNOME in particular...), but CUPS was relatively easy to set up. Sounds like it needs a serious security audit, though.

    1. Re:Whew! by friedmud · · Score: 3, Interesting

      Please don't take this as trolling....

      But have you seen KDE's print menu/system?? It works directly with cups and is actually easier to use than even MS's printer installer.

      KDE 3.1 improved things even more, and now the whole system is very sweet. Give it a try.

      Derek

    2. Re:Whew! by Zigg · · Score: 2

      Really. I could never get it to work, and ended up just telling it to use "lpr". It would fail mysteriously. Yes, I have CUPS running.

    3. Re:Whew! by printman · · Score: 3, Informative

      Um, CUPS has been audited about a dozen times now by various vendors. The last such audit was conducted almost a year and a half ago and was the source of the last security advisory for CUPS. Yes, that's right, no advisories in a year and a half...

      We take security very seriously, and as soon as something comes to our attention (either internally or externally), we release a fix ASAP. This latest advisory exposed some integer overflows (previous ones were buffer overflow/DoS only) which could be used to gain access to the (unprivileged) "lp" account, and in one case root access (but that required a local attack or a change in the default configuration for a remote attack)...

      After the report we went through all of the related code as well to determine if there were any other problem spots like those reported; we found and fixed a few in the image file filters (which could only get you "lp" access anyways, one of the reasons we don't run everything as root like old LPD did...)

      Security advisories like this only improve the quality and "safety" of the CUPS code, and we welcome all reviews, criticisms, etc. - user/developer feedback has been the driving force behind CUPS development.

      --
      I print, therefore I am.
  11. Lets see ... by johnlcallaway · · Score: 3, Funny

    ... do I use this ... uh ... no.

    OK, I'm done.

    Wish Windoze security updates were this easy......

    --
    I rarely read replies, it's my opinion and if you thought about your opinion a little more, I'm OK with that.
    1. Re:Lets see ... by jonadab · · Score: 2

      Heh. That was me too. Actually, I _do_ use CUPS at work, but only
      the client part of it; I never turned it on as a server, so...

      --
      Cut that out, or I will ship you to Norilsk in a box.
    2. Re:Lets see ... by MattCohn.com · · Score: 2, Informative

      Really. Because I just happened to look in my system tray today and saw an icon. I double clicked this icon which said "Updates have been downloaded. Click 'Install' to install them".

      I clicked, browsed slashdot a little, and in a minute or two it told me it was done.

      ...

      ...
      Yah, that wasn't too hard.

    3. Re:Lets see ... by _Sprocket_ · · Score: 2

      Of course... you don't mind a history of unstable updates, an update process that will undo configurations or re-install components that have been removed for security concerns, nor security updates that re-define your license to the entire product.

      To each their own. Click away.

      After all, who needs to know what's running on their system or their rights as consumers.

  12. CUPS by rockwood · · Score: 3, Funny
    An exploitation recently discovered in CUPS has globally rocked and baffled the scientific industry.

    It appears that a vulnerability has been found whereby a malicious user can covertly attach a second string to the midsection of the two originating CUPS and 'tap' into the communication between CUP "A" and CUP "B".

    Furthermore, said user can attach a third CUP to the end of his/her string and receive a secondary branch off of all data vibrating between the two original CUPS.

    Savvy users can then vocally mimic the voice data being picked up and assume the identity of either CUP "A" or CUP "B".

    Agencies around the world have been placed on full alert as they scramble for a patch to this unforeseen security hole!

    --
    Never try to beat a professional at his own game!
  13. Damn by Strepsil · · Score: 2, Funny

    Couldn't I have seen this just TWO HOURS AGO while I was still at work, and not now when my holidays have officially started? Well, it's not like I didn't expect to be working occasionally during my holiday anyway. A sysadmin's work is never done ...

    I say again - damn. Is a little blissful ignorance over the festive season too much to ask these days?

    1. Re:Damn by caluml · · Score: 2

      Erm - you use Slashdot to get all your info about holes/bugs etc?

      I simply use wget to mirror the updates dir from my local RedHat mirror each night, and log the results. I grep for "saved" in the log file, and if there's anything there apart from "index.html", the script runs RPM -K *.rpm to validate the checksums, and it emails me, and says that there is a new batch of RPMs to install.
      I export the updates dir over NFS, and I can mount them on all the other boxes, and update those too.

    2. Re:Damn by Strepsil · · Score: 2

      Erm - you use Slashdot to get all your info about holes/bugs etc?

      No, not at all. See - I'd left work today after spending the last couple of days just doing the "must happen this year" stuff. I got home, loaded up Slashdot looking for a bit of a diversion, and what do I see? Work! Just when I thought I'd left it behind. If Slashdot hadn't run this, I'd still be under the impression everything was OK, and that's what really matters, right? :)

      For the record, I use apt with RPM to maintain a bunch of RedHat boxes. I have my own internal repository that contains some internally maintained packages, plus a nightly updated RedHat mirror. It won't take me a lot of work to roll out the fixes - I have a script to execute commands on all the remote machines via SSH - but it wouldn't really have served the humour of the message to include that, would it? It would have helped even less than this over-analysis.

      I still call for the various security groups to impose a ban on vulnerability announcements between December 14 and January 14, just to give us all a bit of peace, though!

  14. What is CUPS, you ask? by RumpRoast · · Score: 2, Interesting
    More info here.

    I never really understood what made it better than straight up lpd. Perhaps one of you could enlighten me?

    --

    My Ass hurts.
    1. Re:What is CUPS, you ask? by RumpRoast · · Score: 2, Insightful

      That's sort of what I thought... Forgive me for being dense, but why do you need to replace the whole print subsystem to make up for bad drivers?

      --

      My Ass hurts.
    2. Re:What is CUPS, you ask? by drinkypoo · · Score: 4, Informative
      In general Unix systems have assumed postscript for printing anything other than fixed-width text, which with most older printers, especially character printers, can be done (with no styles mind you) by simply sending the text out the printer port in ASCII.

      I really don't know where the dependence on postscript came from in the first place, but it definitely seems that that's how everything in the Unix world wants to print. I guess it was the most obfuscated language supported by lots of printers, so it was naturally desirable to the Unix crowd :) Also AFAIK PCL came a while after it, but maybe it's just that PCL got good enough to use much later.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    3. Re:What is CUPS, you ask? by Daniel · · Score: 2

      I never really understood what made it better than straight up lpd.

      A configuration file format which is distinguishable from line noise.

      Daniel

      --
      Hurry up and jump on the individualist bandwagon!
  15. Not really news - CUPS vulnerabilities endemic by commodoresloat · · Score: 5, Funny

    CUPS have always had known vulnerabilities; they need them to operate effectively. What do you expect when you have a giant hole on one end of the things? But if you plug up the hole, you can't drink out of them. Thus, CUPS will always be vulnerable.

  16. Re:hmm.... by commodoresloat · · Score: 2, Funny
    i use CUPS. i think it's neat.

    I use CUPS too but it's not always neat; I haven't been able to fix the spilling bug that always occurs if I am using CUPS to transfer red wine or coffee while wearing white.

    OK, OK, I'll stop....

  17. Re:Is it written by Microsoft by shaitand · · Score: 2

    Nope, you get the *nix security vulnerabilities here as well. You just see a lot more microsoft vulnerabilities for some reason... there are also patches for the *nix problems. For some odd reason there is usually no announcement of a fix from microsoft and if there is it comes a couple dozen bugs later.

  18. something else to keep your beverage in by rabidcow · · Score: 3, Funny

    Good thing I use MUGS.

    I mean what use is a CUP with a HOLE in it?

  19. Re:Secure? You wish. by greening · · Score: 2, Insightful

    Well, my copy of Gentoo linux (currently installed), FreeBSD (currently installed), and OpenBSD (currently installed) cost me nothing at all. Whereas, my one little pathetic copy of Win2k (unfortunately, currently installed) cost me over $300. Sure, *NIX is a little harder to use (poor baby doesn't want to work/learn?) but, you get a more secure OS solution (especially with OpenBSD) for 0/50 the price of Windows.

    People don't move to open source software because there are more lazy people in the world. Well, I'll stick to *NIX.

    Plus, instead of having to hire a small amount of people to go through and try to find such large amounts of bugs (Windows), you get every programmer across the globe to look (those who know about your project of course) for free (open source).

    --
    Are you telling me that you don't see the connection between government and laughing at people? - Interviewer
  20. "Slew?" by printman · · Score: 5, Informative

    OK, for folks that haven't read the advisory, a "slew" is apparently 9.

    Of those 9, only *1* of the issues could possibly be used to gain root access, and it depends entirely on the CUPS release, compiler, etc. you use, and for the exploit to work remotely you have to change the default CUPS configuration.

    Issue 6 was fixed back in CUPS 1.1.15 (released in June) and is old news.

    All but one issue was fixed within a few hours of the report, and the current CUPS release (1.1.18) does not have any of these vulnerabilities.

    --
    I print, therefore I am.
  21. Re:Am I Affected? by tres · · Score: 2, Interesting
    At first, I read your subject, Am I affected? and I thought to myself, "this guy must be stupid if he doesn't know whether this has an effect on him."

    Then I read the first line, and it was crystal

    I use Windows 2000 Server.
    Funny, but I don't see 80% of the people posting in support of the crap posing as software coming out of Redmond.

    And you--you've got to be AC to admit to using that shit, don't you?

    --
    Notes From Under *nix: blas.phemo.us
  22. Ugh!! Way too much in a holiday mode ... by shri · · Score: 3, Funny

    The first thing that came to my mind was the silly game Chandler and Joey played on Friends, when I read about CUPS. :)

  23. Re:Bugs not found by accident by archnerd · · Score: 2, Insightful

    Alright I'll feed the trolls.

    > So these dangerous exploits were found by a source code review (as opposed to a script kiddy striking it lucky), which was only possible due to the open source nature of CUPS.

    "Script kiddie striking it lucky"? Last I checked, script kiddies don't discover security holes. They let other people do that, then download working exploits, and once in a while one of them is simple enough to be operated without a brain.

    > Now that this advisory has taught hackers how to compromise a great many lunix machines

    Read the advisory. There's just the mention of the vulnerability, no published exploit. Overlap the group of people capable of understanding the vulnerability and writing an exploit for it with the group of people who would waste their time doing so, and you're left with a very small number.

    > isn't it worth considering that CUPs would have been so much more secure had it been a closed source project? It's simple logic that only the most blatant troll could disagree with; source closed --> exploits never found --> hackers can't exploit CUPs.

    Reverse engineering? Cracking a machine that contains the source code? Intercepting communications between developers? Security through obscurity doesn't work, period. I can go on for days about that, but there are people far more articulate than I who would be happy to do so.

  24. Or don't use CUPS by 0x0d0a · · Score: 2

    I haven't been a fan of CUPS -- lprng or other alternatives might be a better choice.

  25. Re:I found CUPS to be quite secure by Zoolander · · Score: 2, Insightful

    Yeah, heaven forbid that we make it user-friendly, then I'd have to move to some other OS... ;) Ease of use and versatility don't have to be mutually exclusive, you know. What's wrong with point and print? I can think of few things less interesting than setting up printing. If I can get that fixed with a few clicks, then I would be very happy. Then I could move on to learning something interesting instead.

    --
    Meep.
  26. Note the dates of disclosure. A long time, eh? by sanermind · · Score: 2

    VIII. DISCLOSURE TIMELINE

    10/27/2002 Initial discussion with contributor
    11/14/2002 Final contributor submission
    12/12/2002 CUPS author notified via e-mail to cups-support@cups.org
    12/12/2002 iDEFENSE clients notified
    12/12/2002 Response and preliminary patch received from
    CUPS author Michael Sweet (mike@easysw.com)
    12/12/2002 Apple, Linux Security List (vendor-sec@lst.de)
    12/13/2002 Updated patch received from Michael Sweet
    12/17/2002 Response received from Richard Blanchard
    (rblanchard@apple.com)
    12/19/2002 Coordinated Public Disclosure


    That's almost a month and a half since the exploit was initially known, to when even the author of the package was informed; it was almost a month just for that! The general public got to know about this even later.

    Maybe this is a good thing, but I wonder. Who had access to this dangerous knowledge while the rest of the world slept, unaware of their vulnerability to this? Sure, a truly secure setup wouldn't be running unnecessary demons on anything important, but still...

    Magic lantern, anyone?
    --

    ---
    the pen is mightier than the sword, the sword is mightier than the court, the court is mightier than the pen.
    1. Re:Note the dates of disclosure. A long time, eh? by chabotc · · Score: 2

      While this is true, it is also dangerous to release this info too quickly..

      By releasing the info about what is exploitable and how, you make a hacker's life really easy.. he no longer has to go thru all the code and try to find an exploitable hole. Now he only has to code an exploit and he's done. Thus they decided the vendors need time to fix their software!

      On the other hand, releasing this info after an N-timeframe pressures the vendors into patching their software timely.

      However, your question assumes that no one could find this vulnerability _before_ this company did! Of course this is nonsense.. a hacker could've found this exploitable code many months ago, and as long as he doesn't make it 'too' public, chances are no one will know about it..

      Never, I repeat _never_ assume your software is 100% bug free and un-exploitable! A skilled hacker can find an exploit in almost all software given enough time!

      The thing to keep in mind is that a hacker is also submitted to the rules of economy: the more hacking into the target is worth, the more time he is willing to spend on finding a way in. For most common servers, the worth is not so high (plenty of targets of similar value, so pick out the easy one..) For banks and alike, this doesn't different of course ;-)

  27. Worst scenarios gain root privileges? by LadyLucky · · Score: 2
    Geez, be honest about it already.

    The worst they can do is what ever they want to do, if they get root access. Say it like it is. An attacker can execute arbitrary code, get complete control over the machine. Security issues shouldn't be sugar coated like that.

    --
    dominionrd.blogspot.com - Restaurants on
  28. Re:Ho Hum by Zigg · · Score: 2

    Hmm. I like my Debian boxes. :-)

  29. Re:This is so dumb by Zigg · · Score: 2

    Sounds like a job for systrace...

  30. Re:Where is Linux-Mandrake??? by Gothmolly · · Score: 3, Insightful

    Then fix it yourself, troll. There's nothing stopping you from FTPing the source down, running ./configure, and running make install. Almost all OSS stuff is THAT easy these days.
    If you're using OSS, you need to be able to work it, not just sit there and whine for updates.

    --
    I want to delete my account but Slashdot doesn't allow it.
  31. Re:Am I Affected? by CameronGary · · Score: 2, Insightful

    Printing is mission critical. I take care of printing where I work, and I can tell that people have screamed when something has broken printing. Printing ranks right up there with email as a critical service.

    One of my colleagues altered an NDS group which whacked printing for about 150 people. They took away all of his rights because of that.