Remote code execution exploit for CUPS printing service puts Linux desktops at risk

The problem is that since this service binds to 0.0.0.0, which on Linux indicates all IP addresses and interfaces, it also discovers printers over the internet if the port is not blocked in the system firewall. How big is this problem? Margaritelli scanned the internet for a couple of weeks for devices that listened on UDP 631 and found hundreds of thousands with peaks of 200-300K concurrent devices.

While there are likely hundreds of millions of Linux devices on the internet, that number might not seem high, but it’s certainly big enough for a very powerful botnet if they were to be compromised. Also, as attackers have proven time and time ago, getting a foothold inside a network is not that hard, and from there this issue can potentially be exploited for lateral movement.

“Well it turns out that while you could configure who can and who can’t connect by editing the /etc/cups/cups-browsed.conf configuration file… the default configuration file, on pretty much any system, is entirely commented out and simply allows anyone,” the researcher said.