pop-os / pop

A project for managing all Pop!_OS sources
https://system76.com/pop

CUPS Remote Execution Exploit being used on PopOS System #3384

Open MS07112 opened 16 hours ago

MS07112 commented 16 hours ago

Distribution (run cat /etc/os-release):

Related Application and/or Package Version (run apt policy $PACKAGE_NAME):

Issue/Bug Description: I recently switched over to PopOS on my desktop using the latest version as of last month. When I tried to reboot earlier today I noticed that the computer was hanging with a light grey screen instead of restarting. I hit the escape key to reveal what services were being shut down and there was a hanging process that the computer was waiting to timeout. It said it was a CUPS Remote Device that was still running.

I do not have any remote printers or other devices running, nor have I ever set them up. The whitehat that originally discovered the CUPS remote code execution exploit a few weeks ago said that the remote execution was done through masquerading as a Remote CUPS Device. https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/

I ran a full system upgrade and update before rebooting. So far there aren't any remote devices causing the computer to hang while trying to reboot. Hopefully that fixes it for now since Ubuntu has implemented the fix for Jammy (the version/repo that my version of PopOS uses). https://ubuntu.com/blog/cups-remote-code-execution-vulnerability-fix-available

While the fix exists, please notify all users of PopOS of the real threat that exists of bad actors already implementing the CVE-2024-47176 exploit.

Steps to reproduce (if you know): Run an older version of PopOS and somehow get targeted.

Expected behavior:

Other Notes:

MS07112 commented 16 hours ago

I ran journalctl -b-1 | grep remote and this is the output:

Oct 03 00:22:05 pop-os systemd[1]: Started Make remote CUPS printers available locally.
Oct 03 00:22:12 pop-os freshclam[6269]: Thu Oct  3 00:22:12 2024 -> daily database available for download (remote version: 27415)
Oct 03 00:22:33 pop-os freshclam[6269]: Thu Oct  3 00:22:33 2024 -> main database available for download (remote version: 62)
Oct 03 00:24:27 pop-os freshclam[6269]: Thu Oct  3 00:24:27 2024 -> bytecode database available for download (remote version: 335)
Oct 03 00:37:38 pop-os systemd[1]: Stopping Make remote CUPS printers available locally...
Oct 03 00:37:38 pop-os systemd[1]: Stopped Make remote CUPS printers available locally.
Oct 03 00:37:39 pop-os systemd[1]: Started Make remote CUPS printers available locally.
Oct 03 00:37:46 pop-os systemd[1]: Stopping Make remote CUPS printers available locally...
Oct 03 00:37:46 pop-os systemd[1]: Stopped Make remote CUPS printers available locally.
Oct 03 00:37:46 pop-os gdm3[2643]: Gdm: Failed to list cached users: GDBus.Error:org.freedesktop.DBus.Error.NameHasNoOwner: Could not activate remote peer: activation request failed: a concurrent deactivation request is already in progress.
Oct 03 00:37:53 pop-os NetworkManager[1130]: <warn>  [1727930273.2073] dispatcher: (9) failed: Could not activate remote peer: activation request failed: a concurrent deactivation request is already in progress.

I don't know what the last two lines are in reference to, but that's also a possible concern.
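
Added example, not part of the issue thread or the Pop!_OS project: a small triage script that separates the start/stop events of the CUPS browsing unit from other journal lines that only happen to contain the word "remote". It assumes the description "Make remote CUPS printers available locally" belongs to cups-browsed.service and takes the year 2024 from the freshclam lines; the sample lines are copied from the output quoted above.

```python
import re
from datetime import datetime

# Sample lines copied from the journal output quoted in the comment above.
SAMPLE = """\
Oct 03 00:22:05 pop-os systemd[1]: Started Make remote CUPS printers available locally.
Oct 03 00:22:12 pop-os freshclam[6269]: Thu Oct  3 00:22:12 2024 -> daily database available for download (remote version: 27415)
Oct 03 00:37:38 pop-os systemd[1]: Stopping Make remote CUPS printers available locally...
Oct 03 00:37:38 pop-os systemd[1]: Stopped Make remote CUPS printers available locally.
Oct 03 00:37:39 pop-os systemd[1]: Started Make remote CUPS printers available locally.
Oct 03 00:37:46 pop-os systemd[1]: Stopping Make remote CUPS printers available locally...
Oct 03 00:37:46 pop-os systemd[1]: Stopped Make remote CUPS printers available locally.
Oct 03 00:37:53 pop-os NetworkManager[1130]: <warn>  [1727930273.2073] dispatcher: (9) failed: Could not activate remote peer: activation request failed: a concurrent deactivation request is already in progress.
"""

# Assumption: this is the Description= string of cups-browsed.service.
UNIT_DESC = "Make remote CUPS printers available locally"
LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) (\S+) ([^\[:]+)(?:\[(\d+)\])?: (.*)$")

def parse(line, year=2024):  # syslog-style lines carry no year
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(3), m.group(5)  # timestamp, process name, message

def triage(text):
    """Return (unit run intervals, unrelated processes matching 'remote', open start)."""
    runs, other, started = [], set(), None
    for line in text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, proc, msg = rec
        if proc == "systemd" and UNIT_DESC in msg:
            if msg.startswith("Started "):
                started = ts
            elif msg.startswith("Stopped ") and started is not None:
                runs.append((started, ts, (ts - started).total_seconds()))
                started = None
        elif "remote" in msg:
            other.add(proc)  # matched the grep but is not the CUPS unit
    return runs, sorted(other), started

if __name__ == "__main__":
    runs, other, still_running = triage(SAMPLE)
    for start, stop, secs in runs:
        print(f"unit ran {start:%H:%M:%S} to {stop:%H:%M:%S} ({secs:.0f}s)")
    print("unrelated matches from:", ", ".join(other))
```

These lines record only when systemd started and stopped the unit; what the service received over the network while it ran would have to come from its own logs or a packet capture.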