View Issue Details

ID: 0003094
Project: Kali Linux
Category: General Bug
View Status: public
Last Update: 2017-03-19 13:13
Reporter: spm2011
Assigned To: muts
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: no change required
Product Version: 2016.1
Summary: 0003094: Kali Tries to Connect to 8610/udp and 8612/udp on Virtual Host-Only Network
Description

Running Kali 2016.1 from the full live ISO in a VirtualBox VM with a vboxnet0 host-only network adapter connected and enabled results in connection attempts to ports 8610/udp and 8612/udp on the host machine, which show up in the host firewall logs if inbound logging is enabled.

These ports are registered as being associated with Canon MFNP Service, suggesting that the printer configuration in Kali may be constantly attempting to connect to a Canon printer on the local network even if there isn't a printer present or configured.

Steps To Reproduce
  1. Enable firewall with inbound logging on a Linux host.
  2. Set up a VirtualBox VM on the Linux host, create and enable the vboxnet0 host-only network adapter.
  3. Boot into the VM from the Kali 2016.1 ISO (either i386 or x64).
  4. Around the time the Kali desktop initializes, check firewall logs for inbound connection attempts from the VM to host ports 8612 and 8610.

Logs will display something similar to:
[UFW BLOCK] IN=vboxnet0 OUT= MAC=[MACADDR] SRC=[IPv6] DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=64 TC=0 HOPLIMIT=1 FLOWLBL=749660 PROTO=UDP SPT=8612 DPT=8612 LEN=24

Additional Information

The connection attempts occur right around the time the desktop initializes and sometimes intermittently after that.

Reproduced on two different hosts with VirtualBox 4.3 and 5.0, and both Kali i386 and x64. Not reproducible in other virtualized Linux distros with the same VM configuration.

Activities

spm2011


2016-03-22 01:33

reporter   ~0005004

Upon further investigation, it looks like this occurs upstream in Debian and Ubuntu.

I started getting similar FW alerts on my Ubuntu machine, e.g.
[UFW BLOCK] IN=wlan0 OUT= MAC={MACADDR} SRC={Local Network IP} DST=224.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=1 ID=12479 PROTO=UDP SPT=61378 DPT=8612 LEN=24

It is probably caused by a printer service or driver constantly looking for and trying to connect to a printer at port 8612 on the all hosts multicast address 224.0.0.1 (or the IPv6 equivalent ff02:0000:0000:0000:0000:0000:0000:0001).

I don't know enough about networking and how printer services work in Linux to know if this constitutes a bug or not, but the default behavior certainly generates a lot of unwanted noise in a firewall configuration.

tuxbash1


2017-03-03 23:27

reporter   ~0006465

Hi spm2011,

I have a similar issue on a full install of Kali. I use a lot of open networks, so a very tight firewall etc. is a must.

What brought this issue to my attention was the fact that I had random ARP entries every now and then in my ARP table, with blocked packets. I saw some of these entries and the protocols used in the logs, but then I saw new ARP entries without any logs and no blocked packets. I knew my machine was somehow making contact first, as I have configured an implicit deny setup, so I set up logging of all outgoing packets to the local network, and I was surprised at what I found.

I have the local subnet blocked on my machine for any outgoing packets except to the default gateway. I also have logging enabled if my machine attempts to connect to any local addresses (also good against some DNS rebinding attacks), and I have logging enabled on incoming packets, as mentioned earlier.

My findings are for outgoing:

Computername kernel: [Logs-of-outgoing-packets-local]IN= OUT=wlan0 SRC=192.168.90.45 DST=192.168.91.255 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=7742 DF PROTO=UDP SPT=8612 DPT=8610 LEN=24

Then at the same time this for incoming:

Computername kernel: [Logs-of-incoming-packets]IN=wlan0 OUT= MAC= SRC=192.168.90.45 DST=255.255.255.255 LEN=65 TOS=0x00 PREC=0x00 TTL=64 ID=27914 DF PROTO=UDP SPT=53177 DPT=1124 LEN=45

And here is the strangest part that I cannot figure out:

It only happens when you plug in a USB flash storage drive and when you unplug it. I tried different USB drives too, same result!!!

spm2011


2017-03-05 20:33

reporter   ~0006466

Yea, this is really odd.

I'm seeing the same network activity in Debian and Ubuntu so I think this is upstream somewhere and not limited to Kali. I'm going to try to hunt down what program is doing the communication and report a bug upstream.

This bug here can probably be closed.

tuxbash1


2017-03-06 22:30

reporter   ~0006467

I have also noticed this happens when plugging in and out any USB device, not just USB storage. I think the packets are to find a printer on the network automatically; it's sending the packets to the broadcast address on the network!!! At this stage this is my best possible guess. I even disabled gsd-printer but got the same results!!!

I've crawled through all the logs on the system and nothing weird shows up. All USB devices are detected and listed correctly; there has to be something within kernel code causing this.

spm2011


2017-03-07 00:08

reporter   ~0006468

Hi tuxbash1,

So I've done some research, and it seems that this is an issue with the cups-browsed service being way too noisy and sending multicast requests at high rates and when any USB devices are plugged in to the system (as you have stated).

Google "udp 8612", there are lots of reports of this behaviour on different forums and sites:
https://twitter.com/gertvdijk/status/621790755758178304
https://askubuntu.com/questions/867739/what-is-this-traffic/867786

https://jehurst.wordpress.com/2016/01/22/small-victories/ recommends disabling the cups-browsed service to stop the requests:
systemctl stop cups-browsed.service
systemctl disable cups-browsed.service

@tuxbash1 can you check which version of cups-browsed you have?
I'd like to report a bug but I want to know what versions are affected so I have a better idea of where to report it. I know that version 1.8.3-2ubuntu3.1 and previous have this issue but it isn't just limited to Ubuntu obviously.

Thanks,

tuxbash1


2017-03-07 22:24

reporter   ~0006481

Yep, well spotted, it looks like the most likely culprit.

The cups client version is (2.2.1-8) and cups-pk-helper (0.2.6-1).

I cannot disable cups-browsed.service, as it's not loaded. This is what I get:

Unit cups-browsed.service not loaded

Apparently this behaviour is the norm for cups even though it's annoying, so I am not sure it's a bug but more of an annoying feature.

https://askubuntu.com/questions/345083/how-do-i-disable-automatic-remote-printer-installation

spm2011


2017-03-08 01:48

reporter   ~0006482

Hmm, try running sudo service cups-browsed stop
Also apt list cups-browsed

I don't see how it could still be doing this if cups-browsed isn't running, unless it's actually an issue in sane-pixma or cups-bjnp (assuming one of those is running).

Also I'm not sure why sending multicast BJNP / MFNP requests on plugging in any USB device would be a feature, especially given there are at least anecdotal complaints of this traffic seemingly causing slowdown - https://serverfault.com/questions/667376/watchguard-blocking-internal-udp-packets. Can't the kernel or cups differentiate between a USB printer and a USB storage device or other device?

tuxbash1


2017-03-18 19:21

reporter   ~0006519

I don't have the sudo service running either, but I have run the command as root and still got the same results.

The cups helper is running. I think this is the one that looks for printers/drivers over the network when a USB device is plugged in; why, I don't know, but this behaviour appears to be intentional rather than bug related. However, if you're in a position to block outgoing packets for local networks (with an exception of one or two local addresses) or just the broadcast address, then none of this actually matters; it can be ignored in that regard.

But I do agree that this should be looked into and the behaviour changed, or extra options added to configure it for one's needs :)

tuxbash1


2017-03-18 19:31

reporter   ~0006520

In your case (again, if you're in a position to do so), you can block all outgoing multicast addresses if you're not going to use IPv6; in fact, just drop all IPv6 outgoing traffic or disable IPv6 altogether.

spm2011


2017-03-19 13:09

reporter   ~0006521

Thanks, I've disabled the services and added FW rules.

Can someone resolve this issue?
I can't seem to find a way to do it even though I am the Reporter.

Thanks,

muts


2017-03-19 13:13

reporter   ~0006522

Closed.
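
To separate this discovery chatter from other blocked traffic when reviewing firewall logs, the following added example (not part of the original thread and not code from the Kali or CUPS projects) parses netfilter log lines like those quoted in the notes above and reports UDP packets to ports 8610/8612 that were sent to a multicast or broadcast address. The sample lines are constructed, and the `192.168.90.0/23` netmask used to recognise the directed broadcast is an assumption that fits the addresses in the thread.

```python
import ipaddress
import re

DISCOVERY_PORTS = {8610, 8612}  # UDP ports the thread ties to Canon discovery
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed sample lines, shaped like the ones quoted in the thread.
SAMPLE_LOG = [
    "[UFW BLOCK] IN=vboxnet0 OUT= MAC= SRC=fe80:0000:0000:0000:0a00:27ff:fe00:0001 "
    "DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=64 PROTO=UDP SPT=8612 DPT=8612 LEN=24",
    "kernel: [out-local]IN= OUT=wlan0 SRC=192.168.90.45 DST=192.168.91.255 LEN=44 DF PROTO=UDP SPT=8612 DPT=8610 LEN=24",
    "kernel: [in]IN=wlan0 OUT= MAC= SRC=192.168.90.45 DST=255.255.255.255 LEN=65 DF PROTO=UDP SPT=53177 DPT=1124 LEN=45",
]

def parse_fields(line):
    """Return the KEY=value pairs of one netfilter log line (first value wins)."""
    fields = {}
    for key, value in FIELD.findall(line):
        fields.setdefault(key, value)  # LEN appears twice: IP length, then UDP
    return fields

def destination_kind(dst, local_net=None):
    """Classify dst as 'multicast', 'broadcast' or 'unicast'."""
    addr = ipaddress.ip_address(dst)
    if addr.is_multicast:
        return "multicast"
    if addr.version == 4 and (
        str(addr) == "255.255.255.255"
        # A directed broadcast is only recognisable when the subnet is known.
        or (local_net and addr == ipaddress.ip_network(local_net).broadcast_address)
    ):
        return "broadcast"
    return "unicast"

def discovery_events(lines, local_net=None):
    """Return (src, dst, dport, kind) for UDP 8610/8612 sent to a group address."""
    events = []
    for line in lines:
        f = parse_fields(line)
        dpt = f.get("DPT", "")
        if f.get("PROTO") != "UDP" or not dpt.isdigit() or int(dpt) not in DISCOVERY_PORTS:
            continue
        try:
            kind = destination_kind(f.get("DST", ""), local_net)
        except ValueError:  # placeholder or malformed address in the log
            continue
        if kind != "unicast":
            events.append((f.get("SRC", ""), f["DST"], int(dpt), kind))
    return events
```

Calling `discovery_events(SAMPLE_LOG, local_net="192.168.90.0/23")` returns the IPv6 multicast packet and the directed broadcast; without `local_net`, the `192.168.91.255` destination cannot be told apart from a unicast address and is not reported.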

Issue History

Date Modified Username Field Change
2016-02-25 01:59 spm2011 New Issue
2016-03-22 01:33 spm2011 Note Added: 0005004
2017-03-03 23:27 tuxbash1 Note Added: 0006465
2017-03-05 20:33 spm2011 Note Added: 0006466
2017-03-06 22:30 tuxbash1 Note Added: 0006467
2017-03-07 00:08 spm2011 Note Added: 0006468
2017-03-07 22:24 tuxbash1 Note Added: 0006481
2017-03-08 01:48 spm2011 Note Added: 0006482
2017-03-18 19:21 tuxbash1 Note Added: 0006519
2017-03-18 19:31 tuxbash1 Note Added: 0006520
2017-03-19 13:09 spm2011 Note Added: 0006521
2017-03-19 13:13 muts Assigned To => muts
2017-03-19 13:13 muts Status new => closed
2017-03-19 13:13 muts Resolution open => no change required
2017-03-19 13:13 muts Note Added: 0006522