Vulnerability Note VU#30308

lpd hostname authentication bypassed with spoofed DNS

Overview

The line printer daemon enables various clients to share printers over a network. A flaw in the daemon's authentication method permits remote access to the server.

I. Description

A vulnerability exists in the line printer daemon (lpd) shipped with the lpr package for several systems. The authentication method was not thorough enough. If a remote user was able to control their own DNS so that their IP address resolved to the hostname of the print server, access would be granted when it should not be.
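
The weakness described above, modelled beside a forward-confirmed check, as an added example that is not lpd's code or any vendor's patch. The addresses, the hostname and the in-memory zone tables are constructed; real code would call getnameinfo() and getaddrinfo() and compare every address returned.

```c
#include <string.h>
#include <strings.h>

/* Constructed resolver data (assumption, not from the advisory). The PTR
   zone is controlled by whoever owns the client's address block; the A
   zone is controlled by the owner of the hostname. */
struct rec { const char *key; const char *val; };
static const struct rec ptr_zone[] = {            /* address -> name */
    { "192.0.2.10",   "printhost.example.org" },  /* genuine print server */
    { "203.0.113.66", "printhost.example.org" },  /* PTR set by remote user */
};
static const struct rec a_zone[] = {              /* name -> address */
    { "printhost.example.org", "192.0.2.10" },
};

static const char *lookup(const struct rec *z, size_t n, const char *key)
{
    for (size_t i = 0; i < n; i++)
        if (strcasecmp(z[i].key, key) == 0)
            return z[i].val;
    return NULL;
}
#define LOOKUP(zone, key) lookup(zone, sizeof(zone) / sizeof((zone)[0]), key)

/* Weak check: trusts the name returned by the reverse lookup alone. */
int allowed_reverse_only(const char *peer_ip, const char *trusted_host)
{
    const char *name = LOOKUP(ptr_zone, peer_ip);
    return name != NULL && strcasecmp(name, trusted_host) == 0;
}

/* Hardened check: the claimed name must also resolve forward to the peer
   address, which the remote user cannot arrange from their own DNS. */
int allowed_forward_confirmed(const char *peer_ip, const char *trusted_host)
{
    const char *name = LOOKUP(ptr_zone, peer_ip);
    if (name == NULL || strcasecmp(name, trusted_host) != 0)
        return 0;
    const char *addr = LOOKUP(a_zone, name);
    return addr != NULL && strcmp(addr, peer_ip) == 0;
}
```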

II. Impact

An intruder can gain unauthorized access to the lpd server. In conjunction with another vulnerability (e.g. VU#39001), an intruder may be able to gain additional privileges.

III. Solution

Apply the patches provided by your vendor.

Systems Affected

Vendor | Status | Date Notified | Date Updated
Apple | Not Vulnerable | 9-Nov-2001
Caldera | Not Vulnerable | 7-Nov-2001
Compaq Computer Corporation | Unknown | 5-Nov-2001
Debian | Vulnerable | 4-Oct-2001
FreeBSD | Not Vulnerable | 7-Nov-2001
Fujitsu | Not Vulnerable | 31-Oct-2001
IBM | Vulnerable | 2-Nov-2001
RedHat | Vulnerable | 4-Oct-2001
Sun | Not Vulnerable | 30-Oct-2001

References

http://www.kb.cert.org/vuls/id/39001
http://www.atstake.com/research/advisories/2000/lpd_advisory.txt
http://www.redhat.com/support/errata/RHSA2000002-01.6.0.html
http://www.debian.org/security/2000/20000109

Credit

The CERT/CC would like to thank Red Hat and Debian for the information provided in their security advisories.

This document was written by Jason Rafail.

Other Information

Date Public: 2000-01-08
Date First Published: 2001-10-16
Date Last Updated: 2001-11-09
CERT Advisory:
CVE-ID(s):
NVD-ID(s):
US-CERT Technical Alerts:
Metric: 7.87
Document Revision: 10

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Copyright 2001 Carnegie Mellon University