Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security GNU is Not Unix Privacy Linux

Critical Unauthenticated RCE Flaw Impacts All GNU/Linux Systems (cybersecuritynews.com) 153

"Looks like there's a storm brewing, and it's not good news," writes ancient Slashdot reader jd. "Whether or not the bugs are classically security defects or not, this is extremely bad PR for the Linux and Open Source community. It's not clear from the article whether this affects other Open Source projects, such as FreeBSD." From a report: A critical unauthenticated Remote Code Execution (RCE) vulnerability has been discovered, impacting all GNU/Linux systems. As per agreements with developers, the flaw, which has existed for over a decade, will be fully disclosed in less than two weeks. Despite the severity of the issue, no Common Vulnerabilities and Exposures (CVE) identifiers have been assigned yet, although experts suggest there should be at least three to six. Leading Linux distributors such as Canonical and RedHat have confirmed the flaw's severity, rating it 9.9 out of 10. This indicates the potential for catastrophic damage if exploited. However, despite this acknowledgment, no working fix is still available. Developers remain embroiled in debates over whether some aspects of the vulnerability impact security.
This discussion has been archived. No new comments can be posted.

Critical Unauthenticated RCE Flaw Impacts All GNU/Linux Systems

Comments Filter:
  • by schweini ( 607711 ) on Wednesday September 25, 2024 @09:05PM (#64817827)
    This sounds strange - how can something affect ALL systems? The only way to have an RCE is when listening on the network. And the network is usually kinda protected by the firewall (of which there are several, so it can't be that).
    So this would have to be in the network stack? And not even in the NICs driver, but in the core kernel one? And that seems rather strange after so many years.
    • by schweini ( 607711 ) on Wednesday September 25, 2024 @09:18PM (#64817849)
      There's a rumour that it's in CUPS.
      • by gweihir ( 88907 )

        There's a rumour that it's in CUPS.

        That one I threw out years ago. PoS.

      • by dgatwood ( 11270 ) on Wednesday September 25, 2024 @10:41PM (#64818003) Homepage Journal

        There's a rumour that it's in CUPS.

        If so, that probably also means it also affects every version of macOS for 2.5 decades.

      • Re: (Score:3, Informative)

        by Anonymous Coward
        cups-browsed, listens on all interfaces udp:631 on most modern major distros.
        2 weeks ago there is this commit adding additional filtering to reject invalid IPP attributes from the LAN to cups.
        https://github.com/OpenPrinting/cups/commit/96b3bdf010e78880f5764e5032720379aa1116df

        IPP attributes are meta / URIs broadcast from the LAN that may be malformed - this the above commit to filter for attributes better.

        work around is:
        systemctl stop cups-browsed
        systemctl disable cups-browsed
        • Oh really? On my Fedora 39 it is disabled by default:

          [xxxxxxxx ~]$ systemctl status cups-browsed
          cups-browsed.service - Make remote CUPS printers available locally
          Loaded: loaded (/usr/lib/systemd/system/cups-browsed.service; disabled; preset: disabled)
          Is this another one of those over sensationalized tweets or something, I mean it's not even in the kernel... cups is not just on Linux, and it isn't Linux.
          • by gweihir ( 88907 )

            You know, one thing I do after every installation is that I check open ports. If I do not need what is running, it gets killed, no exceptions. I do not need CUPS.

        • Oh you mean that moronic thing that automatically adds second non-working instances of my printer?
          Yes it's already disabled.

          • by gweihir ( 88907 )

            CUPS is one of the worst crappy pieces of software I ever tried to use. Dropped it more than a decade ago and never missed it since.

            • by dknj ( 441802 ) on Thursday September 26, 2024 @09:59AM (#64819073) Journal

              Ah yes, how quickly we forget what printing was like pre-CUPS. You only had /dev/lp0 back then, better hope your parallel printer supported postscript. If you had a fancy USB printer you were shit out of luck, even as the usb stack made strides no one wanted to tackle the monster that was proprietary usb printer drivers. If you had a few hundred bucks to spare you could buy an HP enterprise printer or something with JetDirect compatibility. Maybe you tried to run Solaris 7 faked out by their "wE cAn PrInT tO aNy PrInTeR" lies.

              Enter CUPS. A magic project that got every single printer to work under a single project. Literally not a single other project exists that can do what CUPS does. Yet you have the gall, the audacity to call it a worst crappy piece of software. I just have no words

              • by gweihir ( 88907 )

                I just have no words

                And no insight. Have you ever tried to get CUPS to work right when your specific printer is not preconfigured? Have you ever looked at the insane thing it does on the network? Well, we will see whether the currently announced problem is CUPS. Would not surprise me one bit.

              • by Big Boss ( 7354 )

                It's possible to be the only option and still be shit....

                I don't know that I would say CUPS is shit, but some people think so. I think it's generally good enough, which is why it's pre-installed on just about every distro, other nix-likes, OSX, etc.. Sure, it sucks that printer manufacturers refuse to use a standard driver, but if you skip inkjet, which I argue is more shitty than CUPS, things generally work fine.

                I only buy Brother laser printers right now. They come with network support, postscript, and ju

    • And the network is usually kinda protected by the firewall (of which there are several, so it can't be that).

      You mean like iptables? You know that's basically just an interface to alter how the kernel makes routing decisions, right? There's always a possibility that the vulnerability is in the network stack itself. Say, hypothetically, if there is a bug in the way IP headers are parsed. That code is shared with the BSDs AFAIK, which has been mentioned.

      Though I don't know why they say GNU/Linux unless they mean to imply that some GNU code is affected, and the BSDs don't make any use of that. Either that or whoever

      • by ls671 ( 1122017 )

        I remember one around ~1997-1998 where an ill crafted packet would cause any linux to reboot, maybe it could have been exploited for RCE but I didn't see nor hear any evidence of that back then.

    • It doesn't mean that there's no mitigation available. But the vulnerability will still be there, even if it's behind a firewall.

      It's like saying a report of a technique that can be used to open all car doors can't be true because some cars are in locked garages.

    • by codebase7 ( 9682010 ) on Thursday September 26, 2024 @09:21AM (#64818973)
      This is a premature story at best. There's not even a CVE number issued yet. Seriously /. what the fuck? Stop the fear mongering.
    • by jd ( 1658 )

      LWN has confirmed that it's a vulnerability in CUPS.

  • Oh, please. (Score:5, Interesting)

    by WD ( 96061 ) on Wednesday September 25, 2024 @09:15PM (#64817845)

    The thread that the title comes from is from a Twitter user that later stated about the issue: "And YES: I LOVE hyping the sh1t out of this stuff because apparently sensationalism is the only language that forces these people to fix. "

    As such, every single thing about the topic should be taken with a grain of salt. Starting with systems affected (it's not all GNU/Linux) and also CVSS score (I score it as a 6.3 instead of 9.9). Use your imagination to decide how much of what was posted is based on fact as opposed to fantasy.

    For starters, only systems without an enabled firewall are exploitable. (Note: Ubuntu doesn't enable a firewall by default for reasons I cannot fathom).
    Secondly, the attack requires the victim to take a specific implausible action for the attack to work.

    There's really nothing to see here. Spending your time thinking about any other vulnerability or attack vector would be a much better use of your time.

    • Re:Oh, please. (Score:5, Informative)

      by caseih ( 160668 ) on Wednesday September 25, 2024 @09:29PM (#64817869)

      By default Ubuntu has no services that listen on anything other than localhost. Not even ssh. A firewall would be pointless.

      • This is provably incorrect.

        • Re: Oh, please. (Score:4, Interesting)

          by caseih ( 160668 ) on Wednesday September 25, 2024 @10:19PM (#64817979)

          Please do. Tell me how a Linux install with nothing listening, not even ssh will be hacked remotely.

          • Its state actor level, but both RAM and monitor image can be remotely accessed.
            • Oh shit, I hope we can all get new tinfoil hats!
              • Oh shit, I hope we can all get new tinfoil hats!

                You're gonna need genuine copper foil for this one!

            • by gweihir ( 88907 )

              Bullshit. Cut back on the drugs.

            • "State actor level" sounds a bit like "level 220 chief arch-wizard". But computer security is not magic. Even state actors need real vulnerabilities to do their thing. They may find new vulnerabilities faster than everyone else, but success is not guaranteed. Even for them.

              • by DarkOx ( 621550 )

                I am not sure I agree. Sate actors have a lot of opportunity and freedom to go much further than the vast majority of criminal operators could or likely would. A state actor for example can create a fake identity for someone with legitimate documents and put an agent in there to work an IT job for 8 months before even attempting to deploy their implant.

                For any organization large enough that you don't personally know everyone. I would assume a sufficiently motivated state actor can get on your network if t

              • Do not force me to unleash the bytes of doom and black magick upon you, disbeliever!
                Take "Transvaaltrampeltiertränentrauungstragödie" as a warning.

          • by higuita ( 129722 )

            kernel network/firewall code itself probably

          • If it has a network interface, it is listening, at least at layer 2 (dhcp, arp, ndp, slaac, etc.).

            • At least some of these things can be turned off

              Not to mention that they won't pass routers.

            • If it has a network interface, it is listening, at least at layer 2 (dhcp, arp, ndp, slaac, etc.).

              That's a great list of things not normally blocked by a firewall. What's your point.

        • Even Windows XP, let alone Linux, can safely be put on the Internet without any firewall after stopping all its network listeners. And ensuring that the end user doesn't run any vulnerable clients, of course, but a firewall would hardly help this.

          Of course, if you have enabled the spychip crap in your Intel or AMD CPU (IME/PSP) then you indeed DO need a firewall, for these b*ggers can control your computer EVEN when it seems turned off, and this is not a fantasy.

      • Red Hat is similar, but it ships with firewalld on. One of the reasons I enable firewalling is that it provides a solid front-line defense. Some user ran something that opened a port? Still inaccessible due to the firewall in place. Or you want to allow SSH, but only from your internal subnet. At a previous job, I had a NAS running for a while on an external IP address, and after that time, the NAS wound up forensically examined to see if it was compromised, as a long term test. It was never breached,

    • by gweihir ( 88907 )

      So you have _actual_ information? (Not asking you to prematurely disclose)
      One small question though: By "firewall enabled" do you mean it runs (module loaded or code compiled in) or that it has actual rules in there?

      But what you describe is about what I expected from the grande, somewhat nonsensical announcement.

      I especially like "the attack requires the victim to take a specific implausible action for the attack to work". There are tons of attacks that becomes possible when the victim is willing to do that

      • Re: Oh, please. (Score:5, Informative)

        by WD ( 96061 ) on Wednesday September 25, 2024 @09:45PM (#64817917)

        Yes, I've read the vulnerability report and have reproduced it. You'll get the details when the agreed upon disclose date arrives.

        As for the firewall, just blocking incoming connections it sufficient for protection. On Ubuntu, this should do it: sudo ufw enable

    • Secondly, the attack requires the victim to take a specific implausible action for the attack to work.

      There are a 100-200M Linux machines in the world. Even if a particular specific action is implausible, tens of thousands of them are going to be vulnerable.

      Software engineering at scale means realizing that with a big enough user base, every one of the corner cases that one could normally dismiss is going to actually be realized. Which is not to say that you have to make all of the work, but at least they s

      • by gweihir ( 88907 )

        Possibly. But that does in no way justify an alert of this type. "The story of the boy who cried wolf" is instructive regarding such asshole acts.

  • Systemd component? (Score:5, Informative)

    by Gravis Zero ( 934156 ) on Wednesday September 25, 2024 @09:16PM (#64817847)

    only got patronized because the devs just can't accept that their code is crap

    Systemd component? It sounds like Systemd component.

    • by gweihir ( 88907 )

      That would be nice. Because in that case my Linux servers are not in the "all" systems that are affected.

    • Thankfully, systemd-vulnd isn't in every distro, and isn't even on every system using a distro carrying that cr@p. My Debian (not devuan) systems are free of it, halleluiah.

    • Breaking news: systemd listens for - and grants unfettered root-level terminal access without authentication to - any remote process attempting to connect to poettering-is-an-awesome-hacker.socket.

      Ironically, poettering-is-an-awful-hack.socket also works.

      • by vbdasc ( 146051 )

        Your irony is unwarranted. Systemd carries its own large attack surface, much of it unneeded, and the systemd devs have history in both sloppy programming AND behaving arrogantly when confronted about security or other problems with their code.

        • much of it unneeded

          Unneeded by you. Don't gatekeep what features other people may want to use.

          • init should be small and simple. It should do only one task and do it well. Systemd does not comply with this. There's a huge attack surface in there. Put that on top of the mentality of the systemd developers, and you've got a mix for disaster. Perhaps it has come now.

            • Indeed. Systemd is not an init system. It's a daemon management system (literally in the name). Init can't manage shit. Great when you're running a fixed server on a static network or a computer from the 90s, but no so much fit for purpose anymore.

              You may think IT peaked before the millennium bug, but many of us have other use cases and init isn't it (as evident by the many MANY projects that either exist to expand its functionality or attempt to replace it outright).

              Do one thing and one thing well was one

        • by gweihir ( 88907 )

          Yep. I have thrown systemd out everywhere. Simpler system and zero issues.

      • by Sique ( 173459 )
        But both are connected to the same service, "I don't care about actual necessities, I just want to sing in the choir of haters"d.
    • by ledow ( 319597 )

      All joking aside, I think I would lay money on it being systemd-related.

      That old "huge and difficult-to-understand binary executable running as root trying to do everything, doing it rather poorly" has such a large attack surface area that it would be my first choice.

  • Sounds like FUD (Score:5, Insightful)

    by gweihir ( 88907 ) on Wednesday September 25, 2024 @09:29PM (#64817865)

    Grand claims, no details and "Developers remain embroiled in debates over whether some aspects of the vulnerability impact security". That does sound like somebody wants their 15 minutes of fame, but not like a real problem.

    • by jd ( 1658 )

      Which is why I'm far more concerned about the publicity than the security.

      If corporations believe there's five or six flaws, each warranting a 9.9, it makes very little difference whether they exist.

      • by vbdasc ( 146051 )

        Thankfully, MOST corporations aren't run by idiots.

        • MOST corporations aren't run by idiots.

          Do you have ANY evidence for this statement. IME at least a small majority are, and quite probably a large majority.

          • by msauve ( 701917 )
            >quite probably a large majority.

            You're overlooking the morons, buffoons, imbeciles, and fools.
            • by gweihir ( 88907 )

              Well, if we do a typology of inadequate CEOs, then yes. We also have assholes, sadists, fanatics, authoritarians, and a few others.

        • by gweihir ( 88907 )

          Thankfully, MOST corporations aren't run by idiots.

          That does not seem to match observable reality. The converse seems to be the case.

  • by russotto ( 537200 ) on Wednesday September 25, 2024 @10:00PM (#64817955) Journal

    In Reflections on Trusting Trust [slashdot.org], Ken Thompson describes a hack which worked by modifying the C compiler to do two things

    1) Insert itself into the C compiler whenever the C compiler is compiled

    2) Modify "login" to accept a password of his own choosing (presumably for any account)

    Thus, he need merely substitute his C-compiler-with-exploit for the real one once, and the exploit self-propagates (as long as the C compiler and login don't change enough to not be recognized by the exploit code anyway).

    Somthing which hits all Linux systems seems to me has to be of this nature or something similarly devious.

    • by gweihir ( 88907 )

      Very, very unlikely. Much more likely "all linux systems" is simply a lie by somebody that apparently deeply desires that nobody will listen to them ever again.

    • by vbdasc ( 146051 )

      Well, this seems good in theory. I remember I once theorized about creating vulnerabilities by modifying CPU's microcode. Thankfully, this has about the same chance to really happen (nil).

  • An RCE requires a listening server component. If this proves to be real and not some attention-grabbing hallucination, it might be OpenSSH (portable) or perhaps web servers linked to OpenSSL again. As such, it probably wouldn't affect distros that use alternative TLS libs not forked from OpenSSL or use something besides OpenSSH (as long as it's not Dropbear or something libssh2-based).
    • by jd ( 1658 )

      The bugs don't actually have to exist. If the media and the corporations believe developers are lazy and that there's five or six critical 9.9-warranting defects, that's going to lacerate Linux. Hence my concern more for the reputational damage.

      The truth doesn't matter, CIOs and CTOs aren't interested in truth, they're far more interested in reputation.

      However, if they do exist, the emphasis on the GNU part could indicate a problem in the tool chain for building the kernel, although I'd say OpenSSL and Open

      • by vbdasc ( 146051 )

        Being belligerent is very different from being arrogant and not admitting flaws in your code.

        Linux (kernel) developers very rarely suffer from the latter. And when they do, Linus quickly disciplines them, belligerently.

  • Stinks like FUD (Score:4, Insightful)

    by burni2 ( 1643061 ) on Thursday September 26, 2024 @12:57AM (#64818221)

    The Twitter Post referenced from threadreader is gone - at least for my web-view.

    And here are some directions

    "Devs are still arguing about whether or not some of the issues have a security impact."

    This is bullshit if you can exploit it unauthenticated from the outside and disrupt the kernel in any way, they all would be d'accord - for the basic "Yes there is something"

    "Still no CVE assigned (there should be at least 3, possibly 4, ideally 6)."
    vs.
    "Unauthenticated RCE vs all GNU/Linux systems (plus others) disclosed 3 weeks ago."
    vs.
    "Full disclosure happening in less than 2 weeks (as agreed with devs)."

    Why should there be no CVE when we look at the past even servere problems got them early, and why should it be "disclosed 3 weeks ago"
    where? On Shitter? Why is the Shitter Post gone then?

    "9.9 check screenshot."
    of an entry showing nothing but a 9.9 score I could produce that too.

    Facts or shut up "evil socket puppy" !

    • by gweihir ( 88907 )

      Indeed. Sounds to me somebody with a really big ego went off the rails. This person probably does not understand that all this will do is make a lot of people quite angry at them and that they will probably not be listened to anymore in the future.

  • However, despite this acknowledgment, no working fix is still available.

    ...killed my cocker spaniel. I demand retribution.

    As to the RCE... will wait and see... have no mission critical *nix anywhere near prod but this has implications for pretty much every cloud vendor out there...

  • Re: "... no working fix is still available." - That's not what "still" means. That would imply the fix IS available. I think they meant to say, "...no working fix is available yet." as in, may be at some point in the future but it's getting late.
    • by pz ( 113803 )

      Re: "... no working fix is still available." - That's not what "still" means. That would imply the fix IS available. I think they meant to say, "...no working fix is available yet." as in, may be at some point in the future but it's getting late.

      That odd English usage, and the melodramatic hype, makes it sound like the writer could be from a certain southern European country that my parents were from, and everyone loves to visit in the summer.

    • They might mean "the vulnerability is understood but still no fix is available."

      It's not the best usage.

  • Ok. So it affects ALL Linux systems.

    When I read between the lines of the word "all", 99% of the time it means Linux distributions running systemd, with the rest being ignored for some weird reason.

  • Someone please return Steve Balmer's chair to him, he's lost without it. /s

Time is the most valuable thing a man can spend. -- Theophrastus

Working...