Stop enabling "Standard printing services" by default!

fluxcondensator

Title says all. For what i know CUPS on linux is a good way attackers can infiltrate your systems. So i am just projecting it to this setting. Your phone should not try to find printers by default.

DeletedUser237

fluxcondensator For what i know CUPS on linux is a good way attackers can infiltrate your systems

And you know that from where? And how do you think this would work? I am genuinely curious, how do you think Bob the hacker would 'infiltrate' Megan's Linux desktop through cups?

GrapheneOS

fluxcondensator Android does not use CUPS and doesn't passively scan for printers. The built-in print service only supports simple standard IPP, mDNS, etc. It's low attack surface and implemented mostly in a memory safe language (Java) for the baseline printing discovery and usage. Printing documents is the high attack surface part, not finding and using IPP printers. It's nothing like CUPS and doesn't have a bunch of complex and legacy drivers. Android delegates dealing with anything other than standard IPP support via users installed vendor print service apps.

fluxcondensator

DeletedUser237
NetRunner88
pxlkng
secrec

It should not scan for printers by default either way... I am just saying its a pain in the a when u must disable it in every profile and on every install.

NetRunner88

https://www.theregister.com/2024/09/26/cups_linux_rce_disclosed/

https://access.redhat.com/security/cve/CVE-2024-47175

DeletedUser237

NetRunner88 overblown by a dude who felt his approach is not take seriously. Plus it's not like it can be exploited unless you go out of your way to expose your PC to internet. It's not like it's doing a internet wide broadcast, so yeah neither is valid as an "entry point" to exfiltrate anything.

pxlkng

I don't think Android uses CUPS.

DeletedUser237

pxlkng it was not even in cups directly but in two libs used, including systemd browser for cups. It really is not related to android and even for Linux it was heavily overblown.

raccoondad

pxlkng no, it uses MUGS /joke

secrec

To exploit this across the internet or LAN, a miscreant needs to reach your CUPS service on UDP port 631. Hopefully none of you have that facing the public internet. The miscreant also has to wait for you to start a print job.
If port 631 isn't directly reachable, an attacker may be able to spoof zeroconf, mDNS, or DNS-SD advertisements to achieve exploitation on a LAN. Details of that path will be disclosed later, we're promised.

In other words, its the SERVER side where the vulnerability lies. Even if Android used CUPS, which it DOES NOT, it certainly doesn't act in the role of a print server.

raccoondad

fluxcondensator "It should not scan for printers by default either way", why? You can't just say 'projecting', that's not a valid reason, GOS isn't going to make changes based on that.

de0u

fluxcondensator It should not scan for printers by default either way.

When does it scan?

secrec

I believe it only scans when you actually go try to print.

fluxcondensator

secrec Well it does that when u open the setting to deactivate it. It shouldn't do that imo.

fluxcondensator

GrapheneOS Thank you for the superb answer. You may close this thread as solved.

schweizer

I do find it very convenient that it is so easy to print within GOS on print servers!