SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips

Vulnerability Note VU#557062

CUPS stores user account details in plain text in log file

Overview

When an SMB printer is configured, CUPS stores plain text login information to the log file.

I. Description

CUPS is a cross-platform printing system for UNIX environments. It can use the IPP, LPD, SMB, and JetDirect protocols to interact with printers. The SMB protocol is used to communicate with printers that are shared via Microsoft Windows or other SMB-compatible software such as Samba. When an SMB printer is added or modified, the connection string for the printer is written to the log file in plain text. This connection string will contain a username and password if authentication is required for the printer.

II. Impact

A local authenticated user may be able to retrieve the usernames and passwords for other accounts.

III. Solution

Apply a patch from your vendor

For vendor-specific information regarding vulnerable status and patch availability, please see the Systems Affected section of this document.

Upgrade your version of CUPS

This issue is resolved in CUPS 1.1.22rc1. Starting with this version, the connection string for the printer is sanitized so that it does not contain sensitive information.

Restrict access to the CUPS log file

By default, the CUPS log file is world-readable. Access to the CUPS log file can be restricted by setting the LogFilePerm option in cupsd.conf to "0600"

Do not use authenticated printing to Windows via Samba

Because of the possibility of disclosing sensitive information when using a printer shared via SMB, it is suggested to use other protocols such as LPD. Windows can function as an LPD server when Print Services for UNIX is installed.

Systems Affected

VendorStatusDate NotifiedDate Updated
BSDIUnknown4-Oct-2004
ConectivaUnknown4-Oct-2004
Cray Inc.Unknown4-Oct-2004
DebianVulnerable18-Oct-2004
EMC CorporationUnknown4-Oct-2004
EngardeUnknown4-Oct-2004
F5 NetworksUnknown4-Oct-2004
FreeBSDUnknown4-Oct-2004
FujitsuUnknown4-Oct-2004
Hewlett-Packard CompanyUnknown4-Oct-2004
HitachiNot Vulnerable8-Oct-2004
IBMUnknown4-Oct-2004
IBM-zSeriesUnknown4-Oct-2004
IBM eServerUnknown4-Oct-2004
ImmunixUnknown4-Oct-2004
Ingrian NetworksUnknown4-Oct-2004
Juniper NetworksUnknown4-Oct-2004
MandrakeSoftVulnerable22-Oct-2004
MontaVista SoftwareUnknown4-Oct-2004
NEC CorporationUnknown4-Oct-2004
NETBSDNot Vulnerable5-Oct-2004
NokiaUnknown4-Oct-2004
NovellUnknown4-Oct-2004
OpenBSDUnknown4-Oct-2004
Openwall GNU/*/LinuxUnknown4-Oct-2004
Red Hat Inc.Unknown4-Oct-2004
SCOUnknown4-Oct-2004
SequentUnknown4-Oct-2004
SGIUnknown28-Oct-2004
Sony CorporationUnknown4-Oct-2004
Sun Microsystems Inc.Unknown4-Oct-2004
SuSE Inc.Unknown4-Oct-2004
TurboLinuxUnknown4-Oct-2004
UnisysUnknown4-Oct-2004
Wind River Systems Inc.Unknown4-Oct-2004

References


http://www.securitytracker.com/alerts/2004/Oct/1011529.html
http://secunia.com/advisories/12736/
http://fedoranews.org/updates/FEDORA-2004-331.shtml
http://www.cups.org/ssr.html

Credit

Thanks to Gary Smith for reporting this vulnerability.

This document was written by Will Dormann.

Other Information

Date Public:2004-10-05
Date First Published:2004-11-19
Date Last Updated:2004-12-17
CERT Advisory: 
CVE-ID(s):CAN-2004-0923
NVD-ID(s):CAN-2004-0923
US-CERT Technical Alerts: 
Metric:5.06
Document Revision:17

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Copyright 2004 Carnegie Mellon University
Disclaimers and copyright information
Get Adobe Reader Get Adobe Reader