Terrible System Design Wherein Servers Are Expected to Have Printers
Wait, what???
"The loss of platform-independent zero-trust solutions of the 80s and 90s and their replacement with poorly made, platform specific, vendor-locked boondoggles like VPNs," an associate explains, resulted in poorer security. It's why the press is happy to blame "Linux" for some bugs that let people out there on the Net/Web do things to your server if it's connected to some physical printer connected to the outside world (it's bad practice, a bad idea, and very seldom done).
This topic seems relevant because we found around 25 links about it so far. "You're probably not vulnerable to the CUPS CVE," one blogger pointed out early on. "When I saw news of the upcoming 9.9 CVE, I was thinking it was something significant, like a buffer overflow in the glibc DNS client, a ping of death, or something actually exciting. Nope, it's CUPS, the printing stack. The most vulnerable component is cups-browsed, the component that enables printer discovery. CUPS is not typically installed on server systems, but cloud expert Corey Quinn claims his Ubuntu EC2 box has it without his knowledge. I have checked my Ubuntu systems and have not been able to find CUPS on them."
"Unless your servers can print for some reason," the blogger said, there's nothing to worry about.
On my main machine I hardly install anything new. It very rarely needs anything new. When I wanted to dabble in Sakura last week I just installed it on a "play box". Similarly, only one machine in our home (we have almost 10) is connected to a printer and it's not in any way accessible to the outside world. The printer has a USB port, not an IP address (apparently this became fashionable for mass storage devices), it's connected to a PC on the LAN, and it's definitely not a server.
How did we end up panicking over printing systems (from Apple) on a GNU/Linux server inside a server room? What use case is there for sending a (printing) job from a server to some printer somewhere? Inane? Insane? Theoretic threat blown out of proportion? Has any known system been compromised this way? █