Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Thanks, I missed that. But that still leaves us with only 300 thousand exploitable instances in the whole public IPv4 address space. This is nowhere near a universal GNU/Linux RCE. Of course it's still a big deal to those affected servers, but it's nowhere near even RegreSSHion.


No, the author said that the peak concurrent connections was 300k. That tells us there are at least that many vulnerable hosts publicly exploitable, but there could be many more that are transiently exploitable.

Also, this attack is easily triggered from any LAN, such as an airport or university or corporate or coffee shop network. And it is persistent: the attacker persistently registers a "printer" on your system (potentially overwriting a real printer that you actually have), and later when you print, even disconnected from the internet, you can trigger the RCE.


Ehh most public wifi spots segment clients... You will be unable to send traffic to neighbors...


Most run by commercial enterprises do, because they have teams running them that care about security.

Your average non-large-brand coffee shop or ho(s)tel? They stick some cheap ass router in and disable the wifi password to get a public wifi for their guests.


Reminds me when used to redirect or/and replace images on sites in cafés with zANTI.


If it's an open network, and there are still quite a few of those, it's not hard to broadcast packets over the air and fool the receiver into thinking they're coming from the connected AP.


That's nearly as many as Code Red and roughly 100K more than SQL Slammer.


Add every macOS-running device to the picture (who disables cupsd?)...


My mac right now running Sonoma 14.6.1, with no system modifications or MDM:

    ≻ ps aux | grep -i cups
    xxxxx    31407   0.0  0.0 410741456   1600 s000  S+    3:18pm   0:00.01 grep --color=auto -i cups
cupsd is not running. If I go to print something cupsd will start up, and after a while of idle it'll shut down again.


The socket activation thing it has with systemd as well, but I don't know if there are facilities for automatically shutting it down like that as well.

That's a nice touch, and it'd be cool if Linux distros added that.


Same here. Also, using netstat for the PID you can see that it's only listening on localhost ipv4/ipv6.


Generally, CUPS on a Mac is bound to localhost. It is highly atypical for a Mac to make it so any computer on the internet or even local network can make requests to its cups server.


The problem isn't CUPS itself, it's the automatic printer discovery mechanism. That's cups-browsed on Linux, not sure how it's achieved on a Mac.

And the printer discovery service can't be firewalled: by definition, it has to listen for outside connections to be in any way useful. This is where things like Windows' trusted VS untrusted networks make sense: it's perfectly nice to allow printers to register to your system on your home network, it's a horrible idea when you connect to an airport wifi.


CUPS is also part of iOS and iPadOS.


If those ship cups, why do they require special AirPrint-compatible printers?


I dunno. I assumed that

> The standards-based, open source printing system developed by Apple for iOS®, iPadOS®¹

ships on iOS® and iPadOS®.

But maybe it doesn't. ¯\_(ツ)_/¯

In seriousness, exposing only a very limited interface to a flexible, capable system seems to me very on-brand for Apple.

Maybe they don't iOS and iPadOS to be of the kind of platform where one thinks about drivers, even if exposing CUPS features to users would let users accomplish more without much trouble.

Or maybe they see printer drivers as essentially a legacy feature in the face of a 'driverless' future.

Not my cup of tea, but both seem like things leaders at Apple would do/think.

--

https://www.cups.org/


CUPS predates iOS by a decade and wasn't developed by Apple.

Apple CUPS is a distinct distribution of CUPS.


Yes, and CUPS was used on macOS, from which iOS was forked before Apple releases the first iPhone. And from that same year (2007) until 2019, Apple employed the creator and chief maintainer of CUPS, which is presumably how they got their hands on the cups dot org domain. Then (as is typical of Apple's treatment of open-source), Apple stonewalled outside contributions and public releases became increasingly sparse and insignificant. So the creator and longtime ch8ef maintainer of CUPS, now outside Apple, created a new fork under the OpenPrinting banner. Thus CUPS became 'Apple CUPS' and the 'CUPS' everyone else cared about was now OpenPrinting CUPS.

My point was that Apple's language on the website indicates that they probably use CUPS on iOS and iPadOS, not that that language describes CUPS' origins or is informative about the nearly three decade history of of the software or the current landscape of its forks. (Although in fairness to Apple here— a company of which I am not a fan— 'developed by' doesn't mean the same thing as 'authored by' or 'created by'.)


macOS has a firewall on by default.


That doesn't help if the goal is to allow printers to register automatically to your system.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: