
CERT Coordination Center

CUPS print service is vulnerable to privilege escalation and cross-site scripting

Vulnerability Note VU#810572

Original Release Date: 2015-06-09 | Last Revised: 2015-06-10

Overview

CUPS implements the Internet Printing Protocol (IPP) for UNIX-derived operating systems. Various versions of CUPS are vulnerable to a privilege escalation due to a memory management error.

Description

CWE-911: Improper Update of Reference Count - CVE-2015-1158

An issue with how localized strings are handled in cupsd allows a reference counter to over-decrement when handling certain print job request errors. As a result, an attacker can prematurely free an arbitrary string of global scope, creating a dangling pointer to a repurposed block of memory on the heap. The dangling pointer causes ACL verification to fail when parsing 'admin/conf' and 'admin' ACLs. The ACL handling failure results in unrestricted access to privileged operations, allowing an unauthenticated remote user to upload a replacement CUPS configuration file and mount further attacks.

This vulnerability was introduced in CUPS 1.2.0, released in 2006. All major versions of CUPS from 1.2 to 2.0 are vulnerable. This vulnerability is exploitable by default and without any special permissions other than the ability to send a print job request.
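The reference-count imbalance described above, reduced to a minimal C model. This is an added example, not CUPS source code: `shared_str` and the handler names are hypothetical, and the freed block is modelled by setting the pointer to NULL so the program stays well defined.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical reference-counted shared string; these names are not CUPS's. */
typedef struct { char *text; int refs; } shared_str;

static shared_str *str_new(const char *s) {
    shared_str *p = malloc(sizeof *p);
    if (!p) return NULL;
    p->text = malloc(strlen(s) + 1);
    if (!p->text) { free(p); return NULL; }
    strcpy(p->text, s);
    p->refs = 1;                      /* reference held by the long-lived owner */
    return p;
}

/* Drops one reference; returns 1 if that freed the text. */
static int str_release(shared_str *p) {
    if (--p->refs > 0) return 0;
    free(p->text);
    p->text = NULL;                   /* stands in for "block returned to the heap" */
    return 1;
}

/* Flawed: the error branch and the common cleanup both drop the request's
   single reference, so a failing request also consumes the owner's. */
static int handle_request_flawed(shared_str *s, int request_fails) {
    int freed = 0;
    s->refs++;                        /* the request takes one reference */
    if (request_fails)
        freed |= str_release(s);
    freed |= str_release(s);
    return freed;
}

/* Balanced: one acquire, one release, whatever the outcome of the request. */
static int handle_request_balanced(shared_str *s, int request_fails) {
    s->refs++;
    (void)request_fails;              /* the error is reported, ownership is unchanged */
    return str_release(s);
}

int main(void) {
    shared_str *acl = str_new("admin/conf");   /* constructed sample value */
    if (!acl) return 1;
    printf("balanced, failing request: freed=%d\n", handle_request_balanced(acl, 1));
    printf("flawed, failing request:   freed=%d\n", handle_request_flawed(acl, 1));
    free(acl);
    return 0;
}
```

In the flawed handler the owner's pointer outlives the string it names, which is the dangling-pointer condition the note describes; the balanced handler leaves the count at 1 on every path.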

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CVE-2015-1159

A cross-site scripting bug in the CUPS templating engine allows the above bug (CVE-2015-1158) to be exploited when a user browses the web. In certain cases, the CGI template can echo user input to file rather than escaping the text first. This may be used to set up a reflected XSS attack in the QUERY parameter of the web interface help page. By default, many Linux distributions run with the web interface activated; OS X has the web interface deactivated by default.

The CVSS score below is based on CVE-2015-1158.

Impact

CVE-2015-1158 may allow a remote unauthenticated attacker access to privileged operations on the CUPS server. CVE-2015-1159 may allow an attacker to execute arbitrary JavaScript in a user's browser.

Solution

Apply an update

A patch addressing these issues has been released for all supported versions of CUPS. For the version 2.0 branch (the latest release), 2.0.3 contains the patch. Affected users are encouraged to update as soon as possible.

Vendor Information


Apple

Notified:  May 06, 2015 Updated:  May 08, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

FreeBSD Project

Notified:  May 08, 2015 Updated:  June 10, 2015

Statement Date:   June 10, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

FreeBSD ships with CUPS in ports tree and was therefore affected.

An update was done on Jun 9 22:15:48 2015 UTC (r389006).

SUSE Linux

Notified:  May 08, 2015 Updated:  June 10, 2015

Statement Date:   June 10, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

SLE 12 is affected and will receive an update soon.
SLE 11 is affected and will receive an update soon.


openSUSE project

Notified:  May 08, 2015 Updated:  June 10, 2015

Statement Date:   June 10, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

openSUSE 13.1 and 13.2 are affected and will receive updates soon.


CentOS

Notified:  May 08, 2015 Updated:  May 08, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.


Debian GNU/Linux

Notified:  May 08, 2015 Updated:  May 08, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

DesktopBSD

Notified:  May 08, 2015 Updated:  May 08, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

DragonFly BSD Project

Notified:  May 08, 2015 Updated:  May 08, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

EMC Corporation

Notified:  May 08, 2015 Updated:  May 08, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

F5 Networks, Inc.

Notified:  May 08, 2015 Updated:  May 08, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Fedora Project

Notified:  May 08, 2015 Updated:  May 08, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Gentoo Linux

Notified:  May 08, 2015 Updated:  May 08, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Hewlett-Packard Company

Notified:  May 08, 2015 Updated:  May 08, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Hitachi

Notified:  May 08, 2015 Updated:  May 08, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

IBM Corporation

Notified:  May 08, 2015 Updated:  May 08, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

IBM eServer

Notified:  May 08, 2015 Updated:  May 08, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Juniper Networks

Notified:  May 08, 2015 Updated:  May 08, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Mandriva S. A.

Notified:  May 08, 2015 Updated:  May 08, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

NetBSD

Notified:  May 08, 2015 Updated:  May 08, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Nokia

Notified:  May 08, 2015 Updated:  May 08, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

OmniTI

Notified:  May 08, 2015 Updated:  May 08, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

OpenBSD

Notified:  May 08, 2015 Updated:  May 08, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Openwall GNU/*/Linux

Notified:  May 08, 2015 Updated:  May 08, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Oracle Corporation

Notified:  May 08, 2015 Updated:  May 08, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

QNX Software Systems Inc.

Notified:  May 08, 2015 Updated:  May 08, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Red Hat, Inc.

Notified:  May 08, 2015 Updated:  May 08, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Slackware Linux Inc.

Notified:  May 08, 2015 Updated:  May 08, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Sony Corporation

Notified:  May 08, 2015 Updated:  May 08, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Turbolinux

Notified:  May 08, 2015 Updated:  May 08, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Ubuntu

Notified:  May 08, 2015 Updated:  May 08, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Unisys

Notified:  May 08, 2015 Updated:  May 08, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

m0n0wall

Notified:  May 08, 2015 Updated:  May 08, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.


CVSS Metrics

Group          Score  Vector
Base           9.3    AV:N/AC:M/Au:N/C:C/I:C/A:C
Temporal       7.3    E:POC/RL:OF/RC:C
Environmental  5.5    CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

Acknowledgements

This document was written by Garret Wassermann.

Other Information

CVE IDs: CVE-2015-1158, CVE-2015-1159
Date Public: 2015-06-08
Date First Published: 2015-06-09
Date Last Updated: 2015-06-10 18:34 UTC
Document Revision: 42

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.