Executive Summary



This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.
Summary
Title CUPS print service is vulnerable to privilege escalation and cross-site scripting
Informations
Name VU#810572 First vendor Publication 2015-06-09
Vendor VU-CERT Last vendor Modification 2015-06-10
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score 10 Attack Range Network
Cvss Impact Score 10 Attack Complexity Low
Cvss Expoit Score 10 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#810572

CUPS print service is vulnerable to privilege escalation and cross-site scripting

Original Release date: 09 Jun 2015 | Last revised: 10 Jun 2015

Overview

CUPS implements the Internet Printing Protocol (IPP) for UNIX-derived operating systems. Various versions of CUPS are vulnerable to a privilege escalation due to a memory management error.

Description

CWE-911: Improper Update of Reference Count - CVE-2015-1158

An issue with how localized strings are handled in cupsd allows a reference counter to over-decrement when handling certain print job request errors. As a result, an attacker can prematurely free an arbitrary string of global scope, creating a dangling pointer to a repurposed block of memory on the heap. The dangling pointer causes ACL verification to fail when parsing 'admin/conf' and 'admin' ACLs. The ACL handling failure results in unrestricted access to privileged operations, allowing an unauthenticated remote user to upload a replacement CUPS configuration file and mount further attacks.

This vulnerability was introduced in CUPS 1.2.0, released in 2006. All major versions of CUPS from 1.2 to 2.0 are vulnerable. This vulnerability is exploitable by default and without any special permissions other than the ability to send a print job request.

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CVE-2015-1159

A cross-site scripting bug in the CUPS templating engine allows this bug to be exploited when a user browses the web.In certain cases, the CGI template can echo user input to file rather than escaping the text first. This may be used to set up a reflected XSS attack in the QUERY parameter of the web interface help page. By default, many linux distributions run with the web interface activated; OS X has the web interface deactivated by default.

The CVSS score below is based on CVE-2015-1158.

Impact

CVE-2015-1158 may allow a remote unauthenticated attacker access to privileged operations on the CUPS server. CVE-2015-1159 may allow an attacker to execute arbitrary javascript in a user's browser.

Solution

Apply an update

A patch addressing these issues has been released for all supported versions of CUPS. For the version 2.0 branch (the latest release), 2.0.3 contains the patch. Affected users are encouraged to update as soon as possible.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
AppleAffected06 May 201508 May 2015
FreeBSD ProjectAffected08 May 201510 Jun 2015
openSUSE projectAffected08 May 201510 Jun 2015
SUSE LinuxAffected08 May 201510 Jun 2015
CentOSUnknown08 May 201508 May 2015
Debian GNU/LinuxUnknown08 May 201508 May 2015
DesktopBSDUnknown08 May 201508 May 2015
DragonFly BSD ProjectUnknown08 May 201508 May 2015
EMC CorporationUnknown08 May 201508 May 2015
F5 Networks, Inc.Unknown08 May 201508 May 2015
Fedora ProjectUnknown08 May 201508 May 2015
Gentoo LinuxUnknown08 May 201508 May 2015
Hewlett-Packard CompanyUnknown08 May 201508 May 2015
HitachiUnknown08 May 201508 May 2015
IBM CorporationUnknown08 May 201508 May 2015
If you are a vendor and your product is affected, let us know.View More »

CVSS Metrics (Learn More)

GroupScoreVector
Base9.3AV:N/AC:M/Au:N/C:C/I:C/A:C
Temporal7.3E:POC/RL:OF/RC:C
Environmental5.5CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

  • http://www.cups.org/blog.php?L1082+I0+Q
  • https://www.cups.org/str.php?L4609

Credit

This document was written by Garret Wassermann.

Other Information

  • CVE IDs:CVE-2015-1158CVE-2015-1159
  • Date Public:08 Jun 2015
  • Date First Published:09 Jun 2015
  • Date Last Updated:10 Jun 2015
  • Document Revision:42

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Original Source

Url : http://www.kb.cert.org/vuls/id/810572

CWE : Common Weakness Enumeration

% Id Name
50 % CWE-254 Security Features
50 % CWE-79 Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25)

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 5

Snort® IPS/IDS

Date Description
2015-08-04 Apple Cups cupsd privilege escalation attempt
RuleID : 35043 - Revision : 2 - Type : SERVER-OTHER
2014-11-16 Apple CUPS web interface cross site scripting attempt
RuleID : 31860 - Revision : 4 - Type : SERVER-OTHER

Nessus® Vulnerability Scanner

Date Description
2015-11-02 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201510-07.nasl - Type : ACT_GATHER_INFO
2015-07-08 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2015-559.nasl - Type : ACT_GATHER_INFO
2015-07-08 Name : The remote Slackware host is missing a security update.
File : Slackware_SSA_2015-188-01.nasl - Type : ACT_GATHER_INFO
2015-06-22 Name : The remote Fedora host is missing a security update.
File : fedora_2015-9801.nasl - Type : ACT_GATHER_INFO
2015-06-22 Name : The remote Fedora host is missing a security update.
File : fedora_2015-9726.nasl - Type : ACT_GATHER_INFO
2015-06-19 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2015-1123.nasl - Type : ACT_GATHER_INFO
2015-06-18 Name : The remote OracleVM host is missing one or more security updates.
File : oraclevm_OVMSA-2015-0071.nasl - Type : ACT_GATHER_INFO
2015-06-18 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20150617_cups_on_SL6_x.nasl - Type : ACT_GATHER_INFO
2015-06-18 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2015-1123.nasl - Type : ACT_GATHER_INFO
2015-06-18 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2015-1123.nasl - Type : ACT_GATHER_INFO
2015-06-15 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2015-418.nasl - Type : ACT_GATHER_INFO
2015-06-12 Name : The remote SUSE host is missing one or more security updates.
File : suse_SU-2015-1041-1.nasl - Type : ACT_GATHER_INFO
2015-06-12 Name : The remote printer service is potentially affected by multiple vulnerabilities.
File : cups_2_0_3.nasl - Type : ACT_GATHER_INFO
2015-06-11 Name : The remote Ubuntu host is missing a security-related patch.
File : ubuntu_USN-2629-1.nasl - Type : ACT_GATHER_INFO
2015-06-10 Name : The remote Debian host is missing a security update.
File : debian_DLA-239.nasl - Type : ACT_GATHER_INFO
2015-06-10 Name : The remote FreeBSD host is missing a security-related update.
File : freebsd_pkg_a40ec9700efa11e590e4d050996490d0.nasl - Type : ACT_GATHER_INFO
2015-06-10 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-3283.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
1
2
3
4
5
Date Informations
2015-06-26 21:29:37
  • Multiple Updates
2015-06-26 17:32:10
  • Multiple Updates
2015-06-13 13:28:23
  • Multiple Updates
2015-06-10 21:25:14
  • Multiple Updates
2015-06-10 17:24:34
  • Multiple Updates
2015-06-09 21:25:50
  • First insertion