Recent searches
Search options
@governa@fosstodon.org#Linux OpenPrinting #CUPS vulnerabilities
Use the following command to determine if cups-browsed is running:
$ sudo systemctl status cups-browsed
If the result includes "Active: inactive (dead)" then the exploit chain is halted and the system is not vulnerable
If the result is "running" or "enabled" then the system may be vulnerable.
Mitigation is simple, especially in any environment where printing is not needed.
$ sudo systemctl stop cups-browsed
$ sudo systemctl disable cups-browsed
@governa And to kill two birds with one stone:
sudo systemctl disable --now cups-browsed
sudo is not needed for status, BTW.
EDIT: while I have CUPS installed on my Arch system, cups-browsed is not present.
curious.
@governa Still kinda new to Linux. I'm thinking that a system at home behind a firewall isn't at risk. My router is well configured and the firmware is current. Do I need to disable cups on my laptop?
@tzudad you can restrict access to the CUPS service by configuring the firewall to block incoming connections to port 631 from untrusted sources. This can be done using the following command:
sudo ufw deny from any to any port 631
This will help mitigate the risk of exploitation until the CUPS service can be updated.
@governa you might also want to mask the unit so it can't get accidentally pulled in by something else as a dependency