CUPS Remote Execution Exploit being used on PopOS System #3384

Open
MS07112 opened this issue Oct 3, 2024 · 1 comment

MS07112 commented Oct 3, 2024

Distribution (run cat /etc/os-release):

Related Application and/or Package Version (run apt policy $PACKAGE NAME):

Issue/Bug Description:
I recently switched over to PopOS on my desktop using the latest version as of last month. When I tried to reboot earlier today I noticed that the computer was hanging with a light grey screen instead of restarting. I hit the escape key to reveal what services were being shut down and there was a hanging process that the computer was waiting to time out. It said it was a CUPS Remote Device that was still running.

I do not have any remote printers or other devices running, nor have I ever set them up. The whitehat that originally discovered the CUPS remote code execution exploit a few weeks ago said that the remote execution was done through masquerading as a Remote CUPS Device.
https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/

I ran a full system upgrade and update before rebooting. So far there aren't any remote devices causing the computer to hang while trying to reboot. Hopefully that fixes it for now since Ubuntu has implemented the fix for Jammy (the version/repo that my version of PopOS uses).
https://ubuntu.com/blog/cups-remote-code-execution-vulnerability-fix-available

While the fix exists, please notify all users of PopOS of the real threat that exists of bad actors already implementing the CVE-2024-47176 exploit.

Steps to reproduce (if you know):
Run an older version of PopOS and somehow get targeted.

Expected behavior:

Other Notes:


MS07112 commented Oct 3, 2024

I ran journalctl -b-1 | grep remote and this is the output:

Oct 03 00:22:05 pop-os systemd[1]: Started Make remote CUPS printers available locally.
Oct 03 00:22:12 pop-os freshclam[6269]: Thu Oct  3 00:22:12 2024 -> daily database available for download (remote version: 27415)
Oct 03 00:22:33 pop-os freshclam[6269]: Thu Oct  3 00:22:33 2024 -> main database available for download (remote version: 62)
Oct 03 00:24:27 pop-os freshclam[6269]: Thu Oct  3 00:24:27 2024 -> bytecode database available for download (remote version: 335)
Oct 03 00:37:38 pop-os systemd[1]: Stopping Make remote CUPS printers available locally...
Oct 03 00:37:38 pop-os systemd[1]: Stopped Make remote CUPS printers available locally.
Oct 03 00:37:39 pop-os systemd[1]: Started Make remote CUPS printers available locally.
Oct 03 00:37:46 pop-os systemd[1]: Stopping Make remote CUPS printers available locally...
Oct 03 00:37:46 pop-os systemd[1]: Stopped Make remote CUPS printers available locally.
Oct 03 00:37:46 pop-os gdm3[2643]: Gdm: Failed to list cached users: GDBus.Error:org.freedesktop.DBus.Error.NameHasNoOwner: Could not activate remote peer: activation request failed: a concurrent deactivation request is already in progress.
Oct 03 00:37:53 pop-os NetworkManager[1130]: <warn>  [1727930273.2073] dispatcher: (9) failed: Could not activate remote peer: activation request failed: a concurrent deactivation request is already in progress.

I don't know what the last two lines are in reference to, but that's also a possible concern.
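
Added example for triage, not part of the issue or of any Pop!_OS tooling: `grep remote` also matches unrelated freshclam, gdm3 and NetworkManager lines, so this sketch keeps only the systemd start/stop events for the printer-browsing service and prints the intervals during which it was running, then checks `ss` output for a wildcard listener on UDP port 631. It assumes the description "Make remote CUPS printers available locally" belongs to cups-browsed.service; the function names are hypothetical and the sample lines are copied from the journal excerpt above.

```shell
#!/bin/sh
# Added example. Assumption: the systemd description matched below is the
# one used by cups-browsed.service.

# browsed_windows: journal text on stdin -> one "<start> -> <stop>" line per
# interval in which the service was running.
browsed_windows() {
    awk '
        /systemd\[1\]: Started Make remote CUPS printers available locally\./ {
            start = $1 " " $2 " " $3; next
        }
        /systemd\[1\]: Stopped Make remote CUPS printers available locally\./ {
            if (start != "") { print start " -> " $1 " " $2 " " $3; start = "" }
        }
        END { if (start != "") print start " -> (still running at end of log)" }
    '
}

# wildcard_631: `ss -H -uln` output on stdin -> exit status 0 if a UDP socket
# is bound to port 631 on a wildcard address (0.0.0.0, * or [::]).
wildcard_631() {
    awk '{ for (i = 1; i <= NF; i++)
               if ($i ~ /^(0\.0\.0\.0|\*|\[::\]):631$/) found = 1 }
         END { exit !found }'
}

# sample_journal: lines copied from the excerpt posted in the issue.
sample_journal() {
    cat <<'EOF'
Oct 03 00:22:05 pop-os systemd[1]: Started Make remote CUPS printers available locally.
Oct 03 00:22:12 pop-os freshclam[6269]: Thu Oct  3 00:22:12 2024 -> daily database available for download (remote version: 27415)
Oct 03 00:37:38 pop-os systemd[1]: Stopping Make remote CUPS printers available locally...
Oct 03 00:37:38 pop-os systemd[1]: Stopped Make remote CUPS printers available locally.
Oct 03 00:37:39 pop-os systemd[1]: Started Make remote CUPS printers available locally.
Oct 03 00:37:46 pop-os systemd[1]: Stopping Make remote CUPS printers available locally...
Oct 03 00:37:46 pop-os systemd[1]: Stopped Make remote CUPS printers available locally.
EOF
}

if [ "${1:-}" = "--live" ]; then
    # Previous boot's journal, then the current UDP listeners.
    journalctl -b -1 --no-pager | browsed_windows
    ss -H -uln | wildcard_631 && echo "UDP 631 is bound on a wildcard address"
else
    sample_journal | browsed_windows
fi
```

Run without arguments it processes the embedded sample; with `--live` it reads the previous boot's journal and the current UDP listeners on the machine itself.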
