nasageek (Aspirant)
Nov 10, 2011
Disable Unused Services (CUPS for instance)?
Is there any way to turn off unused daemons in the ReadyNAS Duo? My IT security department has flagged my NAS as having a vulnerability in CUPS. That's fine, I don't use it as a print server, so I would like to turn off the service but I see no way of doing that through the web based interface.
Is there a way of disabling it if I log in through a ssh shell ?
I have 4.1.8 installed, and apparently this still contains the vulnerability.
6 Replies
- chirpa (Luminary): What vuln did they find? Many of those scanners key off a version number, not finding an actual vulnerability. We backport patches into Apache, Samba, ProFTP, so the issues aren't really there.
- chirpa (Luminary):
$ grep -B15 -n /usr/sbin/cupsd /etc/rc2.d/S01readynas_startup
388-# don't start cupsd for rackmount
389-rackmount="1500 2100 3100 3200 4200"
390-is_rackmount=0
391-for model in $rackmount
392-do
393- if grep "model:" /proc/sys/dev/boot/info | grep -q $model ; then
394- is_rackmount=1
395- break
396- fi
397-done
398-if [ $is_rackmount -eq 1 ]; then
399- if grep -q "load printers = 1" /etc/samba/smb.conf ; then
400- sed -i 's/load printers = 1/load printers = 0/' /etc/samba/smb.conf
401- fi
402-else
403: start-stop-daemon -q -S -mp /var/run/cupsd.pid -x /usr/sbin/cupsd
- nasageek (Aspirant): I will let you know what vuln they're seeing when I hear back from them.
I did a quick fancy find looking for cups calls: find /etc/init.d -type f | xargs grep -i cup
and the only references are in cupsys and rc3 (and powerdown which just deletes entries in the spool)
so it looks like if I just comment out the startup line in rc3 that would probably keep cups from being loaded on startup.
I assume the rc3 is updated when the firmware is (or is it not?) so I would just have to redo that comment every time I upgrade the firmware but that isn't any real hardship.
- nasageek (Aspirant): Here is what the IT scan claims is vulnerable:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1368
"Overview: Common Unix Printing System (CUPS) 1.1.14 through 1.1.17 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code by causing negative arguments to be fed into memcpy() calls via HTTP requests with (1) a negative Content-Length value or (2) a negative length in a chunked transfer encoding."
- nasageek (Aspirant): My NAS doesn't have: /etc/rc2.d/S01readynas_startup
but that line is in /etc/init.d/rc3
so I just commented out where cups is started (around line 446):
# start-stop-daemon --quiet --start --background --exec /usr/sbin/cupsd
I think that should do it, thanks!
- chirpa (Luminary): Ah yes, I was looking at the x86 firmware, not the Sparc firmware, which is a bit different.
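Added example, not part of the original thread and not NETGEAR code: a POSIX shell check that the change discussed above holds, i.e. that no uncommented line in the init script still launches /usr/sbin/cupsd and that nothing is listening on TCP port 631 (the standard IPP port, which the thread itself does not mention). It assumes grep, awk and /proc/net/tcp are available on the NAS; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): confirm that cupsd stays disabled.

# Print the lines of an init script that launch cupsd and are NOT commented out.
# Returns 0 if any such line exists, 1 if none, 2 if the script is unreadable.
active_cupsd_lines() {
    script="${1:-/etc/init.d/rc3}"        # default path is the one from the thread
    [ -r "$script" ] || return 2
    grep -n '/usr/sbin/cupsd' "$script" | grep -v '^[0-9]*:[[:space:]]*#'
}

# Succeed if a socket is in LISTEN state (st == 0A) on TCP port 631 (hex 0277).
# Arguments: files in /proc/net/tcp format; defaults to the live kernel tables.
ipp_port_listening() {
    [ $# -gt 0 ] || set -- /proc/net/tcp /proc/net/tcp6
    for table in "$@"; do
        [ -r "$table" ] || continue
        awk '$4 == "0A" && $2 ~ /:0277$/ { hit = 1 } END { exit !hit }' "$table" \
            && return 0
    done
    return 1
}

# Run both checks. First argument: init script; remaining arguments: socket tables.
check_cups_disabled() {
    script="${1:-/etc/init.d/rc3}"
    [ $# -gt 0 ] && shift
    rc=0
    st=0
    active_cupsd_lines "$script" || st=$?
    case $st in
        0) echo "FAIL: $script still starts cupsd (lines above)"; rc=1 ;;
        2) echo "FAIL: cannot read $script"; rc=1 ;;
    esac
    if ipp_port_listening "$@"; then
        echo "FAIL: a listener is bound to TCP port 631"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: no active cupsd start line, port 631 not listening"
    return "$rc"
}
```

Source the file and call `check_cups_disabled` with no arguments on the NAS after each firmware upgrade, in case the upgrade replaces rc3 as the thread anticipates.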