FYSA: Simone Margaritelli @evilsocket dropping what appears to be vulnerability details of a Linux RCE in CUPS at 4pm EST (2000 UTC) today or 1 hour from now.
Tenable: CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, CVE-2024-47177: Frequently Asked Questions About Common UNIX Printing System (CUPS) Vulnerabilities
This is perhaps the most informative and comprehensive guide to the CUPS vulnerabilities yet. While I question the use of the phrase zero-days, they were publicly announced prematurely due to a leak ahead of a coordinated disclosure date, and proof of concept has been released. Fortunately, it's not the 9.9 doomsday that everyone was hawk tuahing about. Skibidi I don't think anyone reads what I write anyway. Only in Ohio though.
The bad news is there is a vulnerability in the CUPS printer system on Linux. The good news is nobody has ever gotten their printer working on Linux so they are safe.
Palo Alto Networks advisory: CVE-2024-47076 Informational: No Impact of CUPS Vulnerabilities on Palo Alto Networks Products
The Palo Alto Networks Product Security Assurance team has evaluated CVE-2024-47076, CVE-2024-47177, CVE-2024-47175, and CVE-2024-47176 in the Common UNIX Printing System (CUPS) as they relate to our products. Based on current information, Palo Alto Networks products and cloud services do not contain affected CUPS-related software packages and are not impacted by these issues.
Note: PAN is on top of the social media scene or has people giving them a heads-up.
CUPS may use "filters", executables that can be used to convert documents. The part responsible ("cups-filters") accepts unverified data that may then be executed as part of a filter operation. An attacker can use this vulnerability to inject a malicious "printer". The malicious code is triggered once a user uses this printer to print a document. This has little or no impact if CUPS is not listening on port 631, and the system is not used to print documents (like most servers). An attacker may, however, be able to trigger the print operation remotely. On the local network, this is exploitable via DNS service discovery. A proof of concept exploit has been made available.
There is no patch right now. Disable and remove cups-browsed (you probably do not need it anyway). Update CUPS as updates become available. Stop UDP traffic on port 631.
CVE-2024-47176: cups-browsed <= 2.0.1 binds on UDP INADDR_ANY:631, trusting any packet from any source to trigger a Get-Printer-Attributes IPP request to an attacker-controlled URL.
CVE-2024-47076: libcupsfilters <= 2.1b1 cfGetPrinterAttributes5 does not validate or sanitize the IPP attributes returned from an IPP server, providing attacker-controlled data to the rest of the CUPS system.
CVE-2024-47175: libppd <= 2.1b1 ppdCreatePPDFromIPP2 does not validate or sanitize the IPP attributes when writing them to a temporary PPD file, allowing the injection of attacker-controlled data in the resulting PPD.
CVE-2024-47177: cups-filters <= 2.0.1 foomatic-rip allows arbitrary command execution via the FoomaticRIPCommandLine PPD parameter.
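
Added example, not from the posts or advisories quoted above: a host check for the exposure behind CVE-2024-47176 and the "disable cups-browsed, stop UDP 631" advice, flagging UDP 631 sockets bound to a wildcard address. The function names and the sample lines are constructed for illustration; it assumes `ss` from iproute2 and a systemd unit named cups-browsed.

```shell
#!/bin/sh
# Added example: exposure check for the cups-browsed UDP 631 listener.

# Filter `ss -H -uln` output (stdin) down to UDP 631 sockets bound to a
# wildcard address, i.e. reachable on every interface.
wildcard_631_listeners() {
    awk '{
        for (i = 1; i <= NF; i++) {
            if ($i !~ /:631$/) continue           # peer column is "addr:*"
            host = substr($i, 1, length($i) - 4)  # drop ":631"
            sub(/%.*$/, "", host)                 # drop "%iface" scope
            if (host == "0.0.0.0" || host == "*" || host == "[::]") print $i
        }
    }'
}

# Constructed sample of `ss -H -uln` output, used when ss is unavailable.
sample_ss_output() {
    cat <<'EOF'
UNCONN 0 0 0.0.0.0:631 0.0.0.0:*
UNCONN 0 0 127.0.0.1:631 0.0.0.0:*
UNCONN 0 0 0.0.0.0:5353 0.0.0.0:*
UNCONN 0 0 [::]:631 [::]:*
UNCONN 0 0 0.0.0.0%eth0:631 0.0.0.0:*
EOF
}

# Report on the local host. Returns 1 if a wildcard listener is found.
check_host() {
    if command -v ss >/dev/null 2>&1; then
        found=$(ss -H -uln 2>/dev/null | wildcard_631_listeners)
    else
        echo "ss not found, evaluating constructed sample instead"
        found=$(sample_ss_output | wildcard_631_listeners)
    fi
    # Unit name is an assumption; adjust if your distribution differs.
    if command -v systemctl >/dev/null 2>&1 &&
       systemctl is-active --quiet cups-browsed 2>/dev/null; then
        echo "cups-browsed is active"
    fi
    [ -z "$found" ] && { echo "no wildcard UDP 631 listener"; return 0; }
    echo "wildcard UDP 631 listener(s):"; echo "$found"
    return 1
}

check_host || echo "mitigate: stop and disable cups-browsed, filter UDP 631"
```

A loopback-only binding such as 127.0.0.1:631 is deliberately not flagged, since it is not reachable from the network.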