On Fri, Sep 27, 2024 at 09:41:29AM -0400, George via tor-relays wrote:
> There are some very significant recent CVEs out for CUPS, the Unix printing system.
> https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=cups [...] Needless to say, a CUPS server listening on 631/tcp or 631/udp while providing Tor access is a bad idea.
George and I took the opportunity to scan relays and bridges to see if they have this vulnerable cups-browsed service running. We found 14 relay IP addresses that did, and 4 bridge IP addresses. This is a pretty good rate overall!
(I had been expecting to find more bridges, because they're more likely to be at home and people might be running them from their stock Ubuntu desktop install or the like. But we found very few, and maybe that is because at many homes everything is NATed/firewalled by default.)
12 of the 18 had proper contactinfo and I emailed them. One bounced, one replied and fixed it, and the others haven't replied yet.
There is a fine policy question here, which is "ok so what now? Do we leave them in place or bump them out of the network?"
I figure I'll wait a week or so and scan these 18 again. But I fear that the package "fix" will just correct a buffer overflow or something and it will leave the "they listen to the whole internet and add any printers that the internet sends them" behavior intact (because one is a bug, the other is a feature), so my scan won't actually be able to tell if they updated. Fortunately, which next step we choose doesn't matter much here, because the numbers we're talking about are so small.
There is a larger conversation we could have, around whether we should make vulnerability scanning of relays a more common or automated or scaled thing. I like the idea in theory but in practice I don't think it should be a high priority compared to our other network health priorities.
I'm tracking details and next steps about the cups issue on the gitlab ticket, https://gitlab.torproject.org/tpo/network-health/analysis/-/issues/83
--Roger
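As an added self-check for relay operators (example code, not from the thread or the Tor project): a POSIX shell script that separates the two signals Roger's message runs together, whether anything is bound to UDP 631 on the host and whether cups-browsed.conf still enables the legacy CUPS browsing protocol for remote printers. The `BrowseRemoteProtocols` directive is real; the assumed compiled-in default of "dnssd cups" when it is absent, and the sample `ss`/config inputs, are constructed here.

```shell
#!/bin/sh
# Added self-check example; not code from the thread. Inputs below are constructed.

# Exit 0 if an `ss -Hulpn` listing shows a UDP socket bound to port 631
# (the port cups-browsed uses to receive printer announcements), else 1.
udp631_listening() {
    printf '%s\n' "$1" | awk '$4 ~ /:631$/ { found = 1 } END { exit found ? 0 : 1 }'
}

# Exit 0 if a cups-browsed.conf still accepts the legacy "cups" browsing
# protocol from remote hosts. The directive is BrowseRemoteProtocols; when it
# is absent, the compiled-in default (assumed here to be "dnssd cups") applies,
# so the legacy protocol stays enabled even after a package update.
legacy_browsing_enabled() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        tolower($1) == "browseremoteprotocols" {
            seen = 1; on = 0
            for (i = 2; i <= NF; i++) if (tolower($i) == "cups") on = 1
        }
        END { if (!seen) on = 1; exit on ? 0 : 1 }'
}

# Combine both signals into one verdict. A port scan from outside only sees
# the first signal; the config says whether the browsing behaviour is off.
relay_cups_status() {
    if udp631_listening "$1"; then
        if legacy_browsing_enabled "$2"; then echo EXPOSED; else echo LISTENING-NO-LEGACY; fi
    else
        echo CLOSED
    fi
}

# Constructed sample inputs (not captured from any relay).
SS_SAMPLE='UNCONN 0 0 0.0.0.0:631 0.0.0.0:* users:(("cups-browsed",pid=1234,fd=7))
UNCONN 0 0 127.0.0.1:323 0.0.0.0:* users:(("chronyd",pid=600,fd=5))'
CONF_DEFAULT='# BrowseRemoteProtocols dnssd cups'
CONF_FIXED='BrowseRemoteProtocols dnssd'

# On a live host run with --live (root needed for process names in ss output).
if [ "${1:-}" = "--live" ]; then
    relay_cups_status "$(ss -Hulpn 2>/dev/null)" "$(cat /etc/cups/cups-browsed.conf 2>/dev/null)"
else
    echo "constructed sample: $(relay_cups_status "$SS_SAMPLE" "$CONF_DEFAULT")"   # EXPOSED
fi
```

Setting `BrowseRemoteProtocols none` (or dropping `cups` from the list) and restarting cups-browsed moves a host from EXPOSED to LISTENING-NO-LEGACY; stopping the service or firewalling 631/udp moves it to CLOSED.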