A vulnerability affecting every Linux distro (and BSD and OSX, anything
using CUPS) was vaguely announced last week by someone who was tired of
being ignored.
The vulnerability IS bad, apparently, but not the overhyped end of the
world it sounded like.
Turns out that cups-browsed, which you do NOT need most likely, is the
cause. Just shut it off and you should be fine. Your firewall should
already be blocking port 631 (TCP and UDP), right? right???
From the REVISED article:
<quote>
After days of anticipation, what was billed as one or more critical unauthenticated remote-code execution vulnerabilities in all Linux
systems was today finally revealed.
In short, if you're running the Unix printing system CUPS, with
cups-browsed present and enabled, you may be vulnerable to attacks that
could lead to your computer being commandeered over the network or
internet. The attacks require the victim to start a print job. Do not be afraid.
</quote>
(A collective sigh causes the butterfly effect)
Here are the details:
https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/
LANS with zeroconf, mDNS and/or DNS-SD active might need to be carefully
looked at. Usually I leave this kind of stuff OFF except for unique applications that want to talk to each other this way. mDNS on Linux
requires shutting off the provider [I forget what it is] which is
probably enabled by default. If you do not need it I suggest shutting
it off, to be safe. It's irritating (to me), slows down lookups of the ".local" domain I set up in the late 90's because "it was recommended"
to use something like ".local" except mDNS took it over and I do not
want to change to ".LAN". Whatever, right?
But, if you have all of those ports blocked at the firewall, at least
for WAN, you should be fine. Reminder: 631, 5353
(look for zeroconf / avahi / bonjour listeners)
Additional info:
https://book.hacktricks.xyz/network-services-pentesting/5353-udp-multicast-dns-mdns
Recommendations:
<quote>
* Disable and remove the cups-browsed service if you don’t need
it (and probably you don’t).
* Update the CUPS package on your systems.
* In case your system can’t be updated and for some reason you rely on
this service, block all traffic to UDP port 631 and possibly all
DNS-SD traffic (good luck if you use zeroconf).
</quote>
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)
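
The listener check suggested in the post (ports 631 and 5353, zeroconf / avahi listeners) can be scripted. This is an added example, not part of the original post: the function names and the sample lines are constructed, and it assumes the column layout of iproute2's `ss -H -lntup`. "EXPOSED" here only means the socket is bound to a non-loopback address; a firewall may still be blocking it.

```shell
#!/bin/sh
# audit_listeners: read `ss -H -lntup` lines on stdin and print one line per
# socket bound to port 631 (CUPS / cups-browsed) or 5353 (mDNS):
#   <EXPOSED|local-only> <proto> <addr:port> <process>
audit_listeners() {
    awk '
    {
        proto = $1; laddr = $5
        n = split(laddr, parts, ":")          # port is the text after the last colon
        port = parts[n]
        if (port != "631" && port != "5353") next
        addr = substr(laddr, 1, length(laddr) - length(port) - 1)
        proc = "unknown"                      # ss omits process names without root
        if (match($0, /\(\("[^"]+"/))
            proc = substr($0, RSTART + 3, RLENGTH - 4)
        # Loopback-only sockets are not reachable from the LAN or WAN.
        scope = (addr ~ /^127\./ || addr == "[::1]") ? "local-only" : "EXPOSED"
        printf "%s %s %s %s\n", scope, proto, laddr, proc
    }'
}

# Constructed sample input (not captured from a real host).
sample_ss_output() {
    cat <<'EOF'
udp UNCONN 0 0 0.0.0.0:5353 0.0.0.0:* users:(("avahi-daemon",pid=812,fd=12))
udp UNCONN 0 0 0.0.0.0:631 0.0.0.0:* users:(("cups-browsed",pid=1033,fd=7))
tcp LISTEN 0 128 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=990,fd=7))
tcp LISTEN 0 128 [::1]:631 [::]:* users:(("cupsd",pid=990,fd=6))
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=700,fd=3))
EOF
}

# count_exposed: number of non-loopback listeners found on stdin.
count_exposed() {
    audit_listeners | awk '$1 == "EXPOSED" { c++ } END { print c + 0 }'
}

# Run against the live host only when asked: sh audit.sh --live
if [ "${1:-}" = "--live" ] && command -v ss >/dev/null 2>&1; then
    ss -H -lntup | audit_listeners
fi
```

Run it as root with `--live` so `ss` can show which process owns each socket.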