Bonum Certa Men Certa

Terrible System Design Wherein Servers Are Expected to Have Printers

posted by Roy Schestowitz on Sep 29, 2024

Old Epson AcuLaser C2800 Printer

Wait, what???

"The loss of platform-independent zero-trust solutions of the 80s and 90s and their replacement with poorly made, platform-specific, vendor-locked boondoggles like VPNs," an associate explains, resulted in poorer security. It's why the press is happy to blame "Linux" for some bugs that let people out there on the Net/Web do things to your server, provided it's connected to some physical printer that is itself reachable from the outside world (it's bad practice, a bad idea, and very seldom done).

This topic seems relevant because we found around 25 links about it so far. "You're probably not vulnerable to the CUPS CVE," one blogger pointed out early on. "When I saw news of the upcoming 9.9 CVE, I was thinking it was something significant, like a buffer overflow in the glibc DNS client, a ping of death, or something actually exciting. Nope, it's CUPS, the printing stack. The most vulnerable component is cups-browsed, the component that enables printer discovery. CUPS is not typically installed on server systems, but cloud expert Corey Quinn claims his Ubuntu EC2 box has it without his knowledge. I have checked my Ubuntu systems and have not been able to find CUPS on them."

"Unless your servers can print for some reason," the blogger said, there's nothing to worry about.
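As an added example (not code from the post or from the quoted blogger), the check a server administrator would actually run: is cups-browsed, the CUPS printer-discovery daemon, installed at all, is its service active, and is its UDP 631 browse port bound to anything other than loopback? The /usr/sbin/cups-browsed path and the systemd unit name assume a Debian/Ubuntu-style install.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a Linux host for
# cups-browsed, the CUPS printer-discovery daemon the quoted blogger singles out.
# A server that never prints should report "not-installed".

# Exit 0 if a UDP socket listing (the format of `ss -lun`) shows port 631 bound
# to a non-loopback address. Takes the listing as a string so it can be tested.
udp631_exposed() {
    printf '%s\n' "$1" | awk '
        $1 == "UNCONN" {                  # data rows only; header starts "State"
            addr = $4                     # the "Local Address:Port" column
            n = split(addr, p, ":")
            port = p[n]                   # text after the last colon
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (port == "631" && host != "127.0.0.1" && host != "[::1]")
                found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# Print one of: not-installed, installed-inactive, running. The binary lives in
# /usr/sbin on Debian-family systems (assumed), which is often not on a user PATH.
cups_browsed_status() {
    if ! command -v cups-browsed >/dev/null 2>&1 && [ ! -x /usr/sbin/cups-browsed ]; then
        echo "not-installed"
        return
    fi
    if command -v systemctl >/dev/null 2>&1 \
        && systemctl is-active --quiet cups-browsed 2>/dev/null; then
        echo "running"
    else
        echo "installed-inactive"
    fi
}

# Live audit of this host: combine the two checks above.
audit_host() {
    status=$(cups_browsed_status)
    echo "cups-browsed: $status"
    if [ "$status" = "running" ]; then
        if udp631_exposed "$(ss -lun 2>/dev/null)"; then
            echo "WARNING: UDP 631 is bound on a non-loopback address"
        else
            echo "UDP 631 is bound to loopback only (or not at all)"
        fi
    fi
}

audit_host
```

A box that reports "not-installed" is exactly the server the blogger describes; "running" with the warning is the cloud image that shipped the daemon without the owner noticing.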

On my main machine I hardly install anything new. It very rarely needs anything new. When I wanted to dabble in Sakura last week I just installed it on a "play box". Similarly, only one machine in our home (we have almost 10) is connected to a printer and it's not in any way accessible to the outside world. The printer has a USB port, not an IP address (apparently this became fashionable for mass storage devices), it's connected to a PC on the LAN, and it's definitely not a server.

How did we end up panicking over printing systems (from Apple) on a GNU/Linux server inside a server room? What use case is there for sending a (printing) job from a server to some printer somewhere? Inane? Insane? Theoretic threat blown out of proportion? Has any known system been compromised this way?
