Hello,
On Sun, Apr 13, 2025 at 11:38:01AM -0400, Stefan Monnier wrote:
> Why do you need cups ports open to print?
You presumably do not, in the general sense.
On this machine, I have this:
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 10711/cupsd
tcp6 0 0 ::1:631 :::* LISTEN 10711/cupsd
Which indirectly implies that you can only attack it from localhost.
> I understand you need the cups port to be open on the side of the
> printer (or print-server), but not on the side of the machine that sends
> the print job.
Yes. Previous releases of cupsd had a broadcast UDP port open to the
world, but that might be old. It was by the cups-browsed process on port
631.
If it was open and not firewalled, then you would have been attackable by
https://nvd.nist.gov/vuln/detail/cve-2024-47176
On this machine, the package cups-browsed is installed, but it is
disabled and thus not started by systemd. Don't know if this is a
default setting?
cups-browsed is only required if you want to see the Bonjour available
printers on your network, or if you want to make your local printers
available through Bonjour (a broadcast discovery protocol).
It might be that cups-browsed IS installed by default and open to
the world on Debian installations?
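The check described in the message above, as an added example that is not part of the original post: a shell function that reads `netstat -tulnp`-style lines and reports whether each port-631 socket is bound to loopback only. The two tcp lines are the ones quoted in the message; the udp line (PID 812) and the `loopback`/`EXPOSED` labels are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify port-631 sockets from `netstat -tulnp`-style
# lines read on stdin. "EXPOSED" only means the socket is bound to a
# non-loopback address; a firewall may still block it.
cups_exposure() {
    awk '
    $1 ~ /^(tcp|udp)6?$/ {
        la = $4                           # local address column
        n = match(la, /:[0-9]+$/)         # port follows the LAST colon (IPv6-safe)
        if (n == 0) next
        addr = substr(la, 1, n - 1)
        port = substr(la, n + 1)
        if (port != "631") next
        scope = (addr ~ /^127\./ || addr == "::1") ? "loopback" : "EXPOSED"
        # UDP lines have no state column, so the program is always the last field
        print $1, addr, scope, $NF
    }'
}

# Sample input: first two lines are from the message, third is constructed.
SAMPLE='tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 10711/cupsd
tcp6 0 0 ::1:631 :::* LISTEN 10711/cupsd
udp 0 0 0.0.0.0:631 0.0.0.0:* 812/cups-browsed'

printf '%s\n' "$SAMPLE" | cups_exposure

# On a live system (as root, so the program column is filled in):
#   netstat -tulnp | cups_exposure
```

Any line marked `EXPOSED` is a socket to either firewall or stop, for instance by leaving cups-browsed disabled as on the machine described above.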