That super-wazoo Linux 0day dropped.
https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I
Author claims an attacker can send a specially-crafted UDP packet to port 631, or send mDNS traffic on a LAN, to get RCE.
**THERE DOES NOT APPEAR TO BE A FIX**, meaning that, at least on the distributions I have checked, **UPDATING YOUR PACKAGES WILL NOT PATCH THIS VULNERABILITY.**
You should remove CUPS if you do not print from a given host, or at least ensure your firewall is only as permissive as it needs to be to enable the services you mean to host.
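An added example (not part of the original post) of the check the advice above implies: parse `ss -lun` output to see whether anything on the host is bound to UDP 631, then map that to one of the two mitigations the post names. The sample socket listing is constructed here for offline use; the `cups-browsed` unit name and the `ufw`/`systemctl` commands are assumptions about a typical systemd-based distribution.

```shell
#!/bin/sh
# Audit whether this host exposes a UDP 631 listener (the port the post mentions).
# Example code added alongside the post; not the author's script.

# Constructed sample of `ss -lun` output showing cups-browsed bound to UDP 631
# on both IPv4 and IPv6 (assumption: column layout of modern iproute2 `ss`).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0            0.0.0.0:631        0.0.0.0:*    users:(("cups-browsed",pid=1234,fd=7))
UNCONN 0      0          127.0.0.1:323        0.0.0.0:*
UNCONN 0      0               [::]:631           [::]:*'

# Constructed sample with no UDP 631 listener at all.
SAMPLE_SS_CLEAN='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0          127.0.0.1:323        0.0.0.0:*'

# Read `ss -lun`-style output on stdin; print every local address bound to UDP 631.
# The header row is skipped; the local address is the 4th column of data rows.
udp631_binds() {
    awk 'NR > 1 && $4 ~ /:631$/ { print $4 }'
}

# Decide what to do with the host.
#   $1  = "yes" if this host really needs to print, "no" otherwise
#   stdin = `ss -lun` output
# Prints: "ok" (nothing bound), "remove" (CUPS not needed), or "firewall" (CUPS needed).
recommend() {
    binds=$(udp631_binds)
    if [ -z "$binds" ]; then
        echo ok
    elif [ "$1" = "no" ]; then
        echo remove
    else
        echo firewall
    fi
}

# Turn a recommendation into the concrete mitigation the post describes.
print_advice() {
    case "$1" in
        remove)   echo 'Disable the browsing daemon: systemctl disable --now cups-browsed (or remove the cups-browsed package)' ;;
        firewall) echo 'Keep CUPS, but block inbound UDP 631 from untrusted networks, e.g.: ufw deny 631/udp' ;;
        ok)       echo 'Nothing is bound to UDP 631 on this host' ;;
        *)        echo "unknown recommendation: $1" ;;
    esac
}

# Demonstration on the constructed samples (runs offline).
echo "Host that does not print, sample listing:"
print_advice "$(printf '%s\n' "$SAMPLE_SS" | recommend no)"
echo "Host that must print, same listing:"
print_advice "$(printf '%s\n' "$SAMPLE_SS" | recommend yes)"
echo "Clean host:"
print_advice "$(printf '%s\n' "$SAMPLE_SS_CLEAN" | recommend no)"

# Live check on a real host (set NEED_PRINT=yes if the machine must print).
if command -v ss >/dev/null 2>&1; then
    echo "Live result for this host:"
    print_advice "$(ss -lun 2>/dev/null | recommend "${NEED_PRINT:-no}")"
fi
```

Run it as `NEED_PRINT=no sh cups-audit.sh` on each host; a "remove" or "firewall" result means the UDP 631 listener is reachable from whatever networks your firewall allows, which is exactly the exposure the post is warning about.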
The author goes on to share their experience trying to report the bug (it's near the bottom of the report), which included basically being treated like shit for 22 days before finally saying "fuck this" and dropping the vuln.
When vendors behave this way, public disclosure is the only option, and it needs to happen sooner rather than later. Cooperation and embargoes are for vendors who treat researchers right (so, not gargron :P)
My personal opinion is to start with 14 days. Feel free to give the vendor a bit more time if they're working with you or have given you a good reason, and feel free to drop sooner if you have evidence of active exploitation in the wild.
And there's no reason to pussy-foot around either. "I reported this to you on May 1, you're treating me like shit, I will be publicly disclosing on May 14. Have a great day!"
If this happens enough, vendors will start taking this shit seriously.
Now um... I'm gonna go actually *read* that writeup instead of skim it.