Email or username:

Password:

Forgot your password?
Brodie Robertson

The biggest Linux CVE of the century was published nearly 2 weeks early and would you look at that, it's not the biggest Linux CVE of the century

15 comments
jenbanim

@BrodieOnLinux mrw 9.9 CVE but it relies on running CUPS with an exposed UDP port 631

Brodie Robertson

@jenbanim It's a really bad CVE for CUPS but this dude was hyping it up like it was the 2nd coming of xz utils, this is a problem for desktop Linux systems that use CUPS

jenbanim

@BrodieOnLinux Yeah it's a serious CVE, but the way he was talking I was expecting another heartbleed. My anxiety was through the roof right before the disclosure

TheFrenchGhosty

@BrodieOnLinux @jenbanim I mean, most (nearly all) linux desktop run cups so...

mort

@BrodieOnLinux @jenbanim To be clear, the security researcher did not have anything to do with the score of 9.9. He hyped it up to be a bad vulnerability sure (which it was), but it's the 9.9 score that really got people concerned.

He's getting unfairly dogpiled IMO, and it's unfortunate to see you joining in on that.

TheFrenchGhosty

@jenbanim @BrodieOnLinux That's it? There was supposed to be 3-6 CVE rated 9.9 in the end it's just one and just cups?

OldManToast

@BrodieOnLinux so no global infrastructure collapse? I thought that this was a "Linux figureheads will pay the price for their arrogance" type of thing?

FreeLikeGNU

@BrodieOnLinux even though the ends do not justify the means (calling the severity a 9.9) we are all a little safer because someone found this exploit and reported it. Margaritelli owned up to the misclassification as well according to El Reg:
'Margaritelli said he thinks 9.9 is too high, too.
"Impact-wise I wouldn’t classify it as a 9.9, but then again, what the hell do I know?" he wrote.'
theregister.com/2024/09/26/cup

Pete Wright
@BrodieOnLinux and it's not even a linux only CVE right? 🫠
Clark W. Griswold #resist

@BrodieOnLinux I believe the erudite sophisticated expression for this is a “damp squib”

Till Kamppeter

@BrodieOnLinux What is nice from the reporter of the vulnerability is that they investigated deeply and reported in detail, but they overhyped it, with the 9.9 grade and making pressure against us from #OpenPrinting.

In addition, there was the leak which forced us to disclose quickly, before we had a complete set of fixes (but already enough to prevent the described exploit), perhaps cause by the post on X by the reporter, which stayed only visible for short time ...

#CUPS

elly
@BrodieOnLinux When I first heard about it, I thought "sounds like bullshit".

When liblzma or regresshion happened, we knew exactly *what* was affected and how to roll mitigations before the official patch.

Here the author went "OMG THE BIGGEST CVE EVER DISCOVERED IN LINUX" without providing any details, essentially fearmongering. To put it bluntly, childish and irresponsible.

In the end the vulnerability was in CUPS (completely separate project from Linux, also used by Apple on macOS), and relied on port 631 being open.

Not only most home users don't have printers anymore, most RHEL-like distros like Rocky/Alma or Fedora block it by default in firewalld.

Therefore, you can:
- Change CUPS settings to disable listening on that port
- Block the port on firewall, use localhost:631 or use SSH as SOCKS proxy on remote machine (i.e print server in the office)
- Simply disable CUPS if you don't actively need it, you can start the service when you need to print something and stop it afterwards

Actual Linux vulnerability would be something related to netfilter, bpf and so on. This is honestly just a joke (the way it was described and disclosed).
@BrodieOnLinux When I first heard about it, I thought "sounds like bullshit".

When liblzma or regresshion happened, we knew exactly *what* was affected and how to roll mitigations before the official patch.
SPdeValk 🐘️ ☑️

@BrodieOnLinux why would anyone not run a firewall on any desktop -> block all incoming, allow all outgoing (except 443 UDP, which is just evil)

Go Up