Thanks, I missed that. But that still leaves us with only 300 thousand exploitable instances in the whole public IPv4 address space. This is nowhere near a universal GNU/Linux RCE. Of course it's still a big deal to those affected servers, but it's nowhere near even RegreSSHion.
No, the author said that the peak concurrent connections was 300k. That tells us there are at least that many vulnerable hosts publicly exploitable, but there could be many more that are transiently exploitable.
Also, this attack is easily triggered from any LAN, such as an airport or university or corporate or coffee shop network. And it is persistent: the attacker persistently registers a "printer" on your system (potentially overwriting a real printer that you actually have), and later when you print, even disconnected from the internet, you can trigger the RCE.
Most run by commercial enterprises do, because they have teams running them that care about security.
Your average non-large-brand coffee shop or ho(s)tel? They stick some cheap ass router in and disable the wifi password to get a public wifi for their guests.
If it's an open network, and there are still quite a few of those, it's not hard to broadcast packets over the air and fool the receiver into thinking they're coming from the connected AP.
The socket activation thing it has with systemd as well, but I don't know if there are facilities for automatically shutting it down like that as well.
That's a nice touch, and it'd be cool if Linux distros added that.
Generally, CUPS on a Mac is bound to localhost. It is highly atypical for a Mac to make it so any computer on the internet or even local network can make requests to its cups server.
The problem isn't CUPS itself, it's the automatic printer discovery mechanism. That's cups-browsed on Linux, not sure how it's achieved on a Mac.
And the printer discovery service can't be firewalled: by definition, it has to listen for outside connections to be in any way useful. This is where things like Windows' trusted VS untrusted networks make sense: it's perfectly nice to allow printers to register to your system on your home network, it's a horrible idea when you connect to an airport wifi.
> The standards-based, open source printing system developed by Apple for iOS®, iPadOS®¹
ships on iOS® and iPadOS®.
But maybe it doesn't.
¯\_(ツ)_/¯
In seriousness, exposing only a very limited interface to a flexible, capable system seems to me very on-brand for Apple.
Maybe they don't iOS and iPadOS to be of the kind of platform where one thinks about drivers, even if exposing CUPS features to users would let users accomplish more without much trouble.
Or maybe they see printer drivers as essentially a legacy feature in the face of a 'driverless' future.
Not my cup of tea, but both seem like things leaders at Apple would do/think.
Yes, and CUPS was used on macOS, from which iOS was forked before Apple releases the first iPhone. And from that same year (2007) until 2019, Apple employed the creator and chief maintainer of CUPS, which is presumably how they got their hands on the cups dot org domain. Then (as is typical of Apple's treatment of open-source), Apple stonewalled outside contributions and public releases became increasingly sparse and insignificant. So the creator and longtime ch8ef maintainer of CUPS, now outside Apple, created a new fork under the OpenPrinting banner. Thus CUPS became 'Apple CUPS' and the 'CUPS' everyone else cared about was now OpenPrinting CUPS.
My point was that Apple's language on the website indicates that they probably use CUPS on iOS and iPadOS, not that that language describes CUPS' origins or is informative about the nearly three decade history of of the software or the current landscape of its forks. (Although in fairness to Apple here— a company of which I am not a fan— 'developed by' doesn't mean the same thing as 'authored by' or 'created by'.)