CUPS Security Vulnerabilities

Buck Naked writes "A slew of vulnerabilities was discovered in CUPS, from the advisory: 'Exploitation of multiple CUPS vulnerabilities allow local and remote attackers in the worst of the scenarios to gain root privileges...' The full advisory can be found at iDEFENSE."

Same shit, different daemon...

[norculf]

Common sense applies. The outside world doesn't need access to your printers, so firewall it and remember to patch it once in a while and you might be safe...

Re:Same shit, different daemon...

You'll feel different about that when you can't print to my printer, buddy!

Re:Same shit, different daemon...

[Rubbersoul]

I agree with you at home no one should need to print to your printers from the outside world. In a corporate environment though there are many real world times when printing to different locations may be needed ...

Re:Same shit, different daemon...

[zen+parse]

At least one of these is exploitable via a url... I think that was mentioned somewhere in the advisory. (If not, that is what the remote method is, so you know.)

If you get an email with a specially constructed image link in it, or visit a website with that url, you can be remotely exploited... it ignores the firewall because it is you doing the connecting to it. (Can even put every possible address you might have a printer on your LAN into a page, with every possible offset... or at least the most likely ones... too many malformed connections, and your daemon dies... remote denial of service maybe?)

Filtering connections to port 631 in mozilla/netscape would protect you from this, but it would also stop you being able to use the administration via http features of CUPS, which gives you the proverbial choice between dancing elephants and security, it seems.

Overview:

You MUST patch it to be protected. Firewalling also won't protect you from malicious local users getting root, and it won't stop you being hacked by yourself.

Re:Same shit, different daemon...

[evilviper]

That works fine for you, and a lot of home users, but what about those of us who run a network? Shall we all just assume that nobody that has access wants to break in? Why not just leave the root password blank and save them the trouble? /me Is glad he's using good ol' lpd.

Re:Same shit, different daemon...

[Blkdeath]

Filtering connections to port 631 in mozilla/netscape would protect you from this, but it would also stop you being able to use the administration via http features of CUPS, which gives you the proverbial choice between dancing elephants and security, it seems.

Our LAN's CUPS configuration allows port 631 connections only from administrative workstations. IMHO, that's just common-sense security. This could be enforced with a combination firewall and switch/router ACLs that segregate IP sources. If administrators need to perform administrative tasks while 'on the run', they can always VPN to an administrative area.

As for a smaller LAN, just a simple ACL and firewall configuration should suffice. The biggest assumption, of course, is that those using the administrative workstations are clueful* enough to be wary about opening images in e-mail and what-not.

You MUST patch it to be protected. Firewalling also won't protect you from malicious local users getting root, and it won't stop you being hacked by yourself.

Oh, without question. Sadly, the CUPS website is severely lacking in documentation and security advisories. I tried to check the "More Info" for the December 19th release, but was returned to the homepage. So I've downloaded it and will check the ChangeLog instead.

* (I can't believe I just used that term!)

Re:Same shit, different daemon...

Firewalling also won't protect you from malicious local users getting root, and it won't stop you being hacked by yourself.

Dammit! I have got to stop using "su." Every time I use it, I root myself :)

Re:Same shit, different daemon...

[Dr.+Cam]

No kidding. I recently set up CUPS on my system, and it automatically added four printers that were clearly not on my system. One of my neighbours (I'm on cable) is no doubt still scratching his head over the test page I sent. :-) I found it expeditious to add Allow from @IF and Deny from @IF statements. I don't have to worry (at the moment) about internal attacks -- my kids aren't that sophisticated (yet).

Re:Same shit, different daemon...

Firewalling also won't protect you from malicious local users getting root

The key here is not to leave the keys to the door under a carpet on the porch and you won't have to worry about malicious users on your computer.

Its a good thing

[Morgahastu]

Its a good thing most new users can't setup CUPS and just disable ;)

Until RedHat 8 came out that is!

Thanks CowboyNeal and poster

[mao+che+minh]

While many might chime in here saying this story would be better suited on security sites, I for one just heard about it now. I also plugged about 3 vulnerabilities because of it.

Patches out, you can relax

[Erore]

http://www.cups.org/news.php?V87

Whew, I feel much safer now. It's always nice that someone feels ownership for the code, thus that someone takes quick action and fixes the problems. Thank you Michael Sweet for a great print system and quick action.

Re:Patches out, you can relax

[unoengborg]

Yes, the quick reaction to this was great.

But what is not so great is that there is no simple way of verifying that the patched code available for download in fact is the patched code.

We really need some kind of digital signature system so that we can ensure that we are not downloading fixes from a hijacked ftp server.

The best thing to do would of course to validate the code yourself. But many people doesn't have that kind of skills, so they would probably go for just trusting the auther, but without a digital signature how dow we know that the code we download is the real thing.

Re:Patches out, you can relax

[printman]

Check out the CUPS download page - it has MD5 sums that you can validate against your downloaded copies (no sense putting them in files on the FTP server, now is there? :)

Vendor notes...

Michael Sweet [mike@easysw.com] of Easy Software Products said CUPS 1.1.18 will be released December 19, 2002 which addresses all of these issues (http://www.cups.org).

Mark J Cox (mjc@redhat.com) of Red Hat said the following:

"Red Hat Linux 7.3 and 8.0 ship with CUPS, however it is not enabled by default. We are currently working on producing erratum packages. When complete, these will be available along with our advisory. At the same time, users of the Red Hat Network will be able to update their systems
using the 'up2date' tool."

Richard Blanchard (rblanchard@apple.com) of Apple said the following:

"Affected Systems:
Mac OS X 10.2 - Mac OS X 10.2.2
Mac OS X Server 10.2 - Mac OS X Server 10.2.2

Mitigating Factors:

The described vulnerability can be remotely exploited only when Printer Sharing is enabled. Printer Sharing is not enabled by default on Mac OS X or Mac OS X Server.

Fixed in: Mac OS X 10.2.3 and Mac OS X Server 10.2.3"

Impressive List & Response

[goldid]

I'd just like to note how good the response is. The list of vulnerabilities is well stated and very complete. Furthermore, the time line of events is excellent and patching was superb and fast. My OS X box was patched before I even knew about the vulnerability. Thanks to iDEFENSE and zen-parse.

Re:Impressive List & Response

Yes, but your OS X box was patched over a month after the first person to find these holes knew about them. How many people might've come to know about them in that time? But I spose it's a good thing your box was patched before you knew about it, no chance of that you 0wned your own box beforehand.

Re:Impressive List & Response

[zen+parse]

> How many people might've come to know about them in that time?

I would estimate that no more that 4 to 6 people had complete access to all of the problems before they were made public.

To the best of my knowlege none of these problems were ever exploited in the wild. (And if they were, as long as people patch their systems, they won't be.)

I found these problems by auditing the source, and not because of any rumors of active exploitation.

Open source software is sometimes considered to be more secure than closed source because you can see the source code.... the same reason other people say that it is less secure.

For being able to see the source code to make any difference at all, someone actually has to look at it, which doesn't appear to happen as often as either side claim does.

All it takes for a piece of software to be insecure is one exploitable problem, whether it is open or closed source.

What helps keep people secure is publicity that there is something wrong.

It's no use there being patches made available if nobody knows there was a problem... this article has probably done more for getting peoples boxes patched than all the security lists combined.

Anonymous Coward complained that it was a month between the holes being discovered and the patch being released... check out the problem's I found with the posterboy of open source in business, Netscape/Mozilla... 4 months to get some of them fixed... and when they released a buggy version and patched it 2 days later (or something like that) people actually CONGRATULATED THEM!!! Publicity over the bugs in Mozilla/Netscape was minimal to say the least...

Look at Code Red. Publicity caused that to be much less of a problem than it could've been.

The more exploits the 'bad guys' have, the more likely those exploits will be patched.

Having an exploit for a vulnerability that is patched on 99% of boxes is pretty much useless... distributing an exploit with your advisory isn't 'a neccessary evil', it's a bloody good idea.

A complete working script kiddie friendly exploit for every hole that is found should be given away, free of charge. Let the holes that people don't patch get exploited. If you know that within a day of a security advisory being released there will be an easy to use way for anyone in the world to use it against you, are you going to let your guard down?

-- zen-parse

hmm....

[radoni]

does this apply to the CUPS distributed with MAC OS X?

If so... with the recent move by GNU-Darwin away from mac-proprietary development, what's the relationship of bugs like this being found in software that is part of OS X and the Apple developers working to fix said bugs?

i use CUPS. i think it's neat.

Re:hmm....

[commodoresloat]

i use CUPS. i think it's neat.

I use CUPS too but it's not always neat; I haven't been able to fix the spilling bug that always occurs if I am using CUPS to transfer red wine or coffee while wearing white.

OK, OK, I'll stop....

Re:hmm....

GNU-Darwin has nothing to do with CUPS.

Apple has licensed CUPS from Easy Software Products.

GNU-Darwin was a fleet of about fifteen people who decided to get on the wrong boat. I mean, really if you look at their install script, it's not hard to see that these aren't the kind of people you'd want working on your computer anyway.

We live in a world of paradoxes. Trying to have it all your way will get you nowhere. Overzealousness on the part of the GNU-Darwin team has made their little piss-in-the-wind operation officially dead, instead of the unofficial death it was going through.

Fink made GNU-Darwin little more than an afterthought. There was no competition.

But methinks you don't have a Mac anyway, since you haven't installed 10.2.3 yet.

CUPS is still the best solution

[jaymzter]

CUPS, as far as I'm concerned is the killer app for printing in the *nix world. And just like another poster mentioned, why on earth would someone not be firewalling their printer? So once again it comes down to the competency of the system administrator. As for the MS trolls out there who will use this as an excuse to pan OSS, I'd like to point out that at least with CUPS and projects like it we won't have to wait for the maintainers to admit there's a problem, and then wait a month or more for a fix. This is news only in that security vulnerabilities need to be dissemenated as widely as possible

Re:CUPS is still the best solution

>and then wait a month or more for a fix.

10/27/2002 Initial discussion with contributor
11/14/2002 Final contributor submission
12/12/2002 CUPS author notified via e-mail to cups-support@cups.org
12/12/2002 iDEFENSE clients notified
12/12/2002 Response and preliminary patch received from
CUPS author Michael Sweet(mike@easysw.com)
12/12/2002 Apple, Linux Security List (vendor-sec@lst.de)
12/13/2002 Updated patch received from Michael Sweet
12/17/2002 Response received from Richard Blanchard
(rblanchard@apple.com)
12/19/2002 Coordinated Public Disclosure

looks to me like you _did_ actually have to wait more than a month for the fix.Tell me again why I should be using open source stuff?

Re:CUPS is still the best solution

Looks like about 24 hours to me. iDEFENSE didn't inform the developer until the twelfth. He had a preliminary patch on the SAME DAY and an updated patch the following day.

iDEFENSE sat on it for a month, not the developer.

Re:CUPS is still the best solution

Yes, iDEFENSE sat on it for a month. Perhaps if they'd advised the maintainer immediately they would've had the patch out even sooner giving any black hat hackers a month less time to find it themselves.

I imagine it would be a very different story if unix boxen across the net were getting hacked and it turned out iDEFENSE had known about the hole for weeks and not told anyone about it.

Re:CUPS is still the best solution

Yeah, like Joe User is gonna think about "firewalling his printer". Syadmins aren't the only ones using Linux these days.

Re:CUPS is still the best solution

we won't have to wait for the maintainers to admit there's a problem, and then wait a month or more for a fix.

And then have to agree to a EULA that gives the authors right to our first-born, our cars, houses, and spouses, too, like certain companies *cough* Microsoft *cough* put in their EULAs.

Re:CUPS is still the best solution

Wow nice spin but still the problem exsisted for longer than the 24 hours you cited. CUPS is arguably the most modern and essential UNIX broadly used service to come about in a while. What happened to the many eyes tennant of opensource? From the users one would hope, says the model. Were they just not interested and so a paid group did the looking for them?

In the ideal state of affairs the bug would never have existed. But we have something called the Real World where the ideal state of affairs never exists and comparison to such is silly. Instead, let's compare alternatives:

1) iDEFENSE discovers a bug in an open source software project, sits on it for a month, reports it and it gets fixed immediately. (Actually, it appears it wasn't iDEFENSE who discovered the vulnerability. It was an unnamed "contributor.")

2) SOP for closed source security flaws includes weeks or months of denial followed by an eventual patch, downplaying of the vulnerability and renewed calls to squelch security researchers.

The question isn't "is open source perfect security?" The question is, "what is the best of real world alternatives?"

With open source software, independent auditing is often hit or miss, but with closed source, it is impossible. So the fact that sometimes it takes a commercial venture to find a security hole in open source software isn't a point of favor for closed source software.

Now, if a similar bug appeared in, say, Windows' printing subsystem and iDEFENSE sat on it for a month do you imagine that MS would release a patch within 24 hours?

Re:CUPS is still the best solution

[cthugha]

Agreed. In addition, CUPS can be set up to only accept local connections (unlike regular BSD lpd), so even if your firewall fails, the printer daemon should still refuse an incoming remote connection.

Re:CUPS is still the best solution

[berzerke]

...why on earth would someone not be firewalling their printer?

In addition to the firewalling, cups can also be portwalled too (see http://www.spotswood-computer.net/portwalling.html for details on this concept). Make sure it's not listening on an internet interface (which it would by default). Assuming your internal interface is 192.168.1.1, comment out the lines

Port 80
Port 631

and replace them with

Listen 192.168.1.1:631
Listen 192.168.1.1:80

and restart the service. Warning: The cups init.d script in Mandrake (at least) will make changes to your configuration file, resulting in cups failing to start if you make the changes listed here. Edit the script and stop it from making the changes before you restart.

Re:CUPS is still the best solution

Can you clearly explain why anyone would use cups instead of lp ?

Lp is smaller. Lp works. Lpr provides the ultimate "Common Unix" interface -- a pipe. Lp works. You can find a filter or configuration for almost any printer with one groups.google.com search. Lp works.

My question is this: what is it that you couldn't do, that propelled the first person to ever start writing cups ? Don't tell me it was the lack of a web interface. Don't tell me it was because lp didn't work on your system.

All of these questions aply also to the printer working group -- http://www.pwg.org/. What exactly is the fucking problem ?

Re:CUPS is still the best solution

[_Sprocket_]

1) iDEFENSE discovers a bug in an open source software project, sits on it for a month, reports it and it gets fixed immediately. (Actually, it appears it wasn't iDEFENSE who discovered the vulnerability. It was an unnamed "contributor.")

It might be worth noting that this is a major point of iDefense; payment for exploits. Its also been a source of criticism - be it valid or not.

I have to wonder if the delay was over verification of the exploit and the decission process involved in awarding payment for discovery. If payment wasn't a part of the process, would the system be faster to report? But then - would it have been reported in the first place?

Re:CUPS is still the best solution

[slamb]

In addition to the firewalling, cups can also be portwalled too (see http://www.spotswood-computer.net/portwalling.html [spotswood-computer.net] for details on this concept). Make sure it's not listening on an internet interface (which it would by default)

That's not necessarily enough. See this email about "weak end host". The short version is attackers can access the IP of one interface through another on Linux unless you go out of your way to prohibit it.

Re:CUPS is still the best solution

[cyberkreiger]

Did you check in the FAQ?

Re:CUPS is still the best solution

[Blkdeath]

... about "weak end host". The short version is attackers can access the IP of one interface through another on Linux unless you go out of your way to prohibit it.

This relies, of course, on having IP routing enabled on the Linux box (disabled per default) without having the wherewithall to run NetFilter (or another suitable firewall).

Re:CUPS is still the best solution

[slamb]

This relies, of course, on having IP routing enabled on the Linux box (disabled per default) without having the wherewithall to run NetFilter (or another suitable firewall).

First, I think it's reasonable to assume that nearly anyone with multiple interfaces will have IP routing enabled.

Second, I'd guess most NetFilter configurations wouldn't stop this. You have to have a rule that denies anything coming in from the external interface for the internal IP. (Or that denies the service specifically, but then there's no real point to binding to the inside interface only.) Binding only to "safe" interfaces is sometimes pointed to as an alternative to firewalling services, so it's important to point out where that can fail. With the one rule, it works well.

Re:CUPS is still the best solution

[hackstraw]

I've never heard of the term "portwalling" before, and google only returned 3 matches on the term.

However, this idea is a useful and easy tool to make things a little more secure, especially if you are on a private lan. For completeness, it should be mentioned that xinetd , sendmail, apache, and most well writen daemons support this mechanism. See the bind(2) manpage, basically you provide the source address to be something specific besides INADDR_ANY.

Re:CUPS is still the best solution

[Blkdeath]

First, I think it's reasonable to assume that nearly anyone with multiple interfaces will have IP routing enabled.

Not neccesarily. Sometimes computers are just on multiple networks.

Second, I'd guess most NetFilter configurations wouldn't stop this. You have to have a rule that denies anything coming in from the external interface for the internal IP.

That's part of any proper BOGON filter set, or any decent firewall. Much like I deny all connections claiming to be from/to 127.0.0.1, I deny incoming connections from/to the RFC1918 address space, from my local address space, and from/to any of the unassigned ARIN address space. Claiming that "most" NetFilter configurations don't have such safeguards is, IMHO, a little rash.

Binding only to "safe" interfaces is sometimes pointed to as an alternative to firewalling services, so it's important to point out where that can fail.

If I ever saw someone suggesting it as an alternative to firewalling, I'd call them on it. It's an additional security precaution; not a replacement. I thought it went without saying, but then again this is the world where MCSEs (and other similar paper-hatters) are administering corporate WANs (and by extension, speaking of BOGONs, why the 69.0.0.0/8 address space is presently largely unroutable.)

Re:CUPS is still the best solution

[slamb]

I wrote: First, I think it's reasonable to assume that nearly anyone with multiple interfaces will have IP routing enabled.

Blkdeath wrote: Not neccesarily. Sometimes computers are just on multiple networks.

Thus the "nearly". But I can't even think why you'd need to do that in a well-designed network.

I wrote: Second, I'd guess most NetFilter configurations wouldn't stop this. You have to have a rule that denies anything coming in from the external interface for the internal IP.

Blkdeath wrote: That's part of any proper BOGON filter set, or any decent firewall.

I agree, but I'd still guess that most people don't. I often don't see it in tutorials for NetFilters and similar tools, and I imagine it's pretty common to end up with a firewall very similar to those.

If I ever saw someone suggesting it as an alternative to firewalling, I'd call them on it.

Did you read that portwalling draft that berzerke linked to? I quote:

If you could configure your web server (and for Apache it is possible, and not that hard), to listen for connections on only 127.0.0.1 port 80 and 192.168.1.1 port 80, then no one from the internet could send packets to your web server even without a firewall running!

It does not mention the need to prevent them from accessing one interface's IP from another interface.

Re:CUPS is still the best solution

[Blkdeath]

Did you read that portwalling draft that berzerke linked to? I quote:

[...]

It does not mention the need to prevent them from accessing one interface's IP from another interface.

It does, however, continue to state the need for a firewall in an effective protection setup;

With a firewall and patching, an attacker would first have to get through the firewall, then find another way to connect to service / get around the port walling, and then find an unpatched exploitable vulnerability on that service. Not too likely to happen.

The preceeding paragraph (that you've paraphrased) was worded very poorly, that I'll give you, but this is a) a "Draft", and b) Merely one of the hundreds of thousands of sites offering advice on the Internet. Even still, if a person follows this through to the letter, they'll be atleast partially protected. Of course they'll have to look elsewhere to find documentation for configuring their particular firewall package, as that was wisely left out of that 'draft'.

If Joe Ignorant Homeuser's whiz-bang three computer home LAN is infiltrated because he didn't even implement the most basic safeguards and software patches, well, that's his own fault and I feel no pity for him.

My home LAN uses port and firewalling for all internal services, and that's almost the way it should be. Ideally the only machine with more than one interface on a multi-homed network should be the firewall which, as I'm sure you're well aware, shouldn't be running any daemons.

Re:CUPS is still the best solution

[slamb]

I wrote: It does not mention the need to prevent them from accessing one interface's IP from another interface.

Blkdeath wrote: It does, however, continue to state the need for a firewall in an effective protection setup;

Sure, but you're not getting my point. It mentions that as "defense in depth"; redundant security. The draft implies throughout that these are totally independent methods. They aren't. It's not just a single poorly-worded paragraph; it's wrong.

Re:CUPS is still the best solution

[berzerke]

...This relies, of course, on having IP routing enabled on the Linux box...

I tested it and it still works even with routing disabled. Scary at first glance, but there is ray of hope. Exploiting the "weak end host" depends on several things being perfect.

First, an attacker has to know the ip address of the "other side" (where the services you want to protect are listening). Second, assuming you are using the private address range for your "other side" (which is standard), the attacker must be one hop away. Otherwise, the routers between the two systems would not know how to route the packet and simply drop it. This one hop rule will kill most attacks (but not all!) without further effort on your part.

Finally, this attack can be filtered by a firewall quite easily. Don't allow packets from the wrong interface through to that port. Or, if you are using a private address range, all packets with a destination to the private address range get dropped.

Re:CUPS is still the best solution

[berzerke]

...It does not mention the need to prevent them from accessing one interface's IP from another interface...

You are absolutely correct and it will be corrected. However, it's not a total disaster. As I mention in another reply, if you are binding to a private address range (as the example does), then the attacker must be one hop away for the "attack" to work. This is assuming they know what your private address is. Thus, it's still good advice.

Mac Users OK

[mattvd]

From the linked article:

"Fixed in: Mac OS X 10.2.3 and Mac OS X Server 10.2.3"

Apple just released 10.2.3 today.

Re:Mac Users OK

[Eric+Smith]

Was CUPS not present in earlier releases of Mac OS X?

If it was present, will Apple release fixes for those, or just force everyone to buy the 10.2 upgrade?

Re:Mac Users OK

[BJH]

Apple switched to CUPS in Jaguar - earlier releases don't contain it.

Re:Mac Users OK

[maggard]

Was CUPS not present in earlier releases of Mac OS X?

CUPS was introduced to MacOS X in 10.2 - "Jaguar"

If it was present, will Apple release fixes for those, or just force everyone to buy the 10.2 upgrade?

It's irrelevant to folks prior to 10.2 (unless they've added it manually in which case they can update it the same way) and a free update to those with 10.2.n. Even comes in a combo patch so folks can skip intermediate releases.

No forcing, no extra cost, the patch was released at the same time as the vulnerability announced, got anything else you wanna try and pick on?

Re:Mac Users OK

CUPS.org released CUPS 1.1.18 yesterday which claims to fix the vulnerabilities. Apple released OS X 10.2.3 today and claims CUPS vulnerabilities are patched in 10.2.3. I downloaded 10.2.3, but CUPS still seems to be at version 1.1.15:

% cups-config --version
1.1.15-2

Rather than upgrading to newer versions of CUPS (which would have eased some of my problems printing from NT), Apple seems to have patched the version of CUPS from March.

good thing...

[nuckin+futs]

Apple fixed it today on their Systems.

"Affected Systems:
Mac OS X 10.2 - Mac OS X 10.2.2
Mac OS X Server 10.2 - Mac OS X Server 10.2.2
Mitigating Factors: The described vulnerability can be remotely exploited only when Printer Sharing is enabled.
Printer Sharing is not enabled by default on Mac OS X or Mac OS X Server.
Fixed in: Mac OS X 10.2.3 and Mac OS X Server 10.2.3" (released today)

Whew!

[DoctorPhish]

I sure am glad I removed CUPS from my mom's debian box before I moved out last week (and took my firewall with me). I still think printing is the worst thing about unix in general (and about GNOME in particular...), but CUPS was relatively easy to set up. Sounds like it needs a serious security audit, though.

Re:Whew!

[tres]

Well, if you had Debian set up correctly, Mom would be getting CUPS updated anyway, wouldn't she?

CUPS simply kicks ass. You obviously haven't seen how powerful it is. CUPS on a Mac OS X laptop absolutely kicks the dingo's ass.

I can go home and select print. None of the inherent bullshit problems with "Point and Print" or any other crap. I plug in at work and viola, I have a printer available. CUPS has pushed *nix printing far ahead of the Microsoft "printing" that (by the way) still hasn't gained sway in the print world (where computer printing is your lifeline).

And if you're mom's machine really needed it updated, why not SSH into it and do it for her? That's the power you get with a true network OS.

Re:Whew!

[friedmud]

Please don't take this as trolling....

But have you seen KDE's print menu/system?? It works directly with cups and is actually easier to use than even MS's printer installer.

KDE 3.1 improved things even more, and now the whole system is very sweet. Give it a try.

Derek

Re:Whew!

[Zigg]

Really. I could never get it to work, and ended up just telling it to use "lpr". It would fail mysteriously. Yes, I have CUPS running.

Re:Whew!

[printman]

Um, CUPS has been audited about a dozen times now by various vendors. The last such audit was conducted almost a year and a half ago and was the source of the last security advisory for CUPS. Yes, that's right, no advisories in a year and a half...

We take security very seriously, and as soon as something comes to our attention (either internally or externally), we release a fix ASAP. This latest advisory exposed some integer overflows (previous ones were buffer overflow/DoS only) which could be used to gain access to the (unpriviledged) "lp" account, and in one case root access (but that required a local attack or a change in the default configuration for a remote attack...

After the report we went through all of the related code as well to determine if there were any other problem spots like those reported; we found and fixed a few in the image file filters (which could only get you "lp" access anyways, one of the reasons we don't run everything as root like old LPD did...)

Security advisories like this only improve the quality and "safety" of the CUPS code, and we welcome all reviews, criticisms, etc. - user/developer feedback has been the driving force behind CUPS development.

Is it written by Microsoft

[i_luv_linux]

How come a security news that doesn't involve is on the front page? I thought you guys only post MS related security news. :))

Re:Is it written by Microsoft

[shaitand]

Nope, you get the *nix security vulnerabilities here as well. You just see alot more microsoft vulnerabilities for some reason... there are also patches for the *nix problems. For some odd reason there is usually no announcement of a fix from microsoft and if there is it comes a couple dozen bugs later.

Be safe

[NMerriam]

Remember kids, when playing with Linux, always wear your CUPS...

fsckin great...

... I just got printing working today with cups.

Oh well. Time to RTA and see what the "fix" is.

Lets see ...

[johnlcallaway]

... do I use this ... uh ... no.

OK, I'm done.

Wish Windoze security updates were this easy......

Re:Lets see ...

[DevNull+Ogre]

They are ;-)

Re:Lets see ...

Don't we all, my friend, don't we all.

Have YOU impaled johnlcallaway today?

Re:Lets see ...

[jonadab]

Heh. That was me too. Actually, I _do_ use CUPS at work, but only
the client part of it; I never turned it on as a server, so...

Re:Lets see ...

[MattCohn.com]

Really. Because I just happened to look in my system tray today and saw an icon. I double clicked this icon which said "Updates have been downloaded. Click 'Install' to install them'.

I clicked, browsed slashdot a little, and in a minute or two it told me it was done.

...

...
Yah, that wasn't too hard.

Re:Lets see ...

[_Sprocket_]

Of course... you don't mind a history of unstable updates, an update process that will undo configurations or re-install components that have been removed for security concerns, nor security updates that re-define your license to the entire product.

To each their own. Click away.

After all, who needs to know whats running on their system or their rights as consumers.

Re:Lets see ...

[johnlcallaway]

Uh ... the point was that if I don't need software, I don't have to install it, hence I never have to patch it.

Like, if I have a server that never needs a browser, or a GUI, I never have to worry about patches for it. That's the nice thing about having a small OS with modules, instead of tying everything together.

Of course, Windoze users wouldn't know the benefits about having highly configurable systems like that....

CUPS

[rockwood]

An exploitation recently discovered in CUPS has globally rocked and baffled the scientific industry.

It appears that a vulnerability has been found whereby a malicious user can covertly attach a second string to the midsection of the two originating CUPS and 'tap' into the communication between CUP "A" and CUP "B".

Furthermore, said user can attach a third CUP to the end of his/her string and receive a secondary branch off of all data vibrating bwteen the two original CUPS.

Saavy users can then vocally mimic the voice data being picked up and assume the identity of either CUP "A" or CUP "B".

Agency around the world have been placed on full alert as they scramble for a patch to this unforseen security hole!

Re:CUPS

screw all that technomuble. all i want my damn cup to do is protect my gonads. keep it simple and effective. I mean what happens if i get a open sour (ce) virus down thier?

Damn

[Strepsil]

Couldn't I have seen this just TWO HOURS AGO while I was still at work, and not now when my holidays have officially started? Well, it's not like I didn't expect to be working occasionally during my holiday anyway. A sysadmin's work is never done ...

I say again - damn. It a little blissful ignorance over the festive season too much to ask these days?

Re:Damn

Shouldn't a sysadmin be subscribed to bugtraq, in which case you would have read about it while at work?

Re:Damn

[caluml]

Erm - you use Slashdot to get all your info about holes/bugs etc?

I simply use wget to mirror the updates dir from my local RedHat mirror each night, and log the results. I grep for "saved" in the log file, and if there's anything there apart from "index.html", the script runs RPM -K *.rpm to validate the checksums, and it emails me, and says that there is a new batch of RPMs to install.
I export the updates dir over NFS, and I can mount them on all the other boxes, and update those too.

Re:Damn

[Strepsil]

Erm - you use Slashdot to get all your info about holes/bugs etc?

No, not at all. See - I'd left work today after spending the last couple of days just doing the "must happen this year" stuff. I got home, loaded up Slashdot looking for a bit of a diversion, and what do I see? Work! Just when I thought I'd left it behind. If Slashdot hadn't run this, I'd still be under the impression everything was OK, and that's what really matters, right? :)

For the record, I use apt with RPM to maintain a bunch of RedHat boxes. I have my own internal repository that contains some internally maintained packages, plus a nightly updated RedHat mirror. It won't take me a lot of work to roll out the fixes - I have a script to execute commands on all the remote machines via SSH - but it wouldn't really have served the humour of the message to include that, would it? It would have helped even less than this over-analysis.

I still call for the various security groups to impose a ban on vulnerability announcements between December 14 and January 14, just to give us all a bit of peace, though!

What is CUPS, you ask?

[RumpRoast]

More info here.

I never really understood what made it better than straight up lpd. Perhaps one of you could enlighten me?

Re:What is CUPS, you ask?

You don't need a post-graduate degree in computer science to set it up.

Re:What is CUPS, you ask?

Blow me. CUPS-O-MATIC is anything but...

Re:What is CUPS, you ask?

[theendlessnow]

CUPS is to lpd as Unix is to MSDOS.

You posted the link, print it, read it... (CUPS users should patch before printing)

Re:What is CUPS, you ask?

[labradort]

In practical terms, it gives you decent print drivers if you don't have a Postscript printer.

The previous printing available for something like a HP 6L was crappy for something like a typical web page. I used it only as text. With CUPS, I can use the HP4 driver package and click print from Netscape and see the page nicely.

Re:What is CUPS, you ask?

[RumpRoast]

That's sort of what I thought... Forgive me for being dense, but why do you need to replace the whole print subsystem to make up for bad drivers?

Re:What is CUPS, you ask?

CUPS is the gnome of the printing world. It's a solution to a problem nobody has. It's the disaster that happens when coders can't stop themselves and aren't directed to something useful.

Re:What is CUPS, you ask?

[drinkypoo]

In general Unix systems have assumed postscript for printing anything other than fixed-width text, which with most older printers, especially character printers, can be done (with no styles mind you) by simply sending the text out the printer port in ASCII.

I really don't know where the dependence on postscript came from in the first place, but it definitely seems that that's how everything in the Unix world wants to print. I guess it was the most obfuscated language supported by lots of printers, so it was naturally desirable to the Unix crowd :) Also AFAIK PCL came a while after it, but maybe it's just that PCL got good enough to use much later.

Re:What is CUPS, you ask?

[Zoolander]

LOL! Moderators: FUNNY!

Re:What is CUPS, you ask?

[Daniel]

I never really understood what made it better than straight up lpd.

A configuration file format which is distinguishable from line noise.

Daniel

Not really news - CUPS vulnerabilities endemic

[commodoresloat]

CUPS have always had known vulnerabilities; they need them to operate effectively. What do you expect when you have a giant hole on one end of the things? But if you plug up the hole, you can't drink out of them. Thus, CUPS will always be vulnerable.

Re:First Post.

[hdparm]

I just love moderators when they waist points on crap that nobody's interested in, anyway. Get real and get a life - this is just Slashdot, for fuck sake.

Michael Sweet is that you?

If any one needs to pat themself on the back, it's you.

Re:First Post.

>this is just Slashdot, for fuck sake.

Yet you still get worked up about moderators wasting their points...

Re:please stop the SOVIET crap

In Soviet Cuba, we drive classic cars and are Naturally Thin!

Re:Am I Affected?

In this case, I agree. All Win2k machines should be print servers. They are perfectly suited to such tasks.

UNIX should be left to do the mission-critical tasks, those that require uptimes greater than 24 hours.

I found CUPS to be quite secure

For weeks, CUPS resisted repeated attempts to print from an NT4 client and a Win 2K client to a USB-attached HP LJ 2200 printer. CUPS successfully blocked all attempts to exploit the print capabilities of said device. I found it bulletproof. ;)

Re:I found CUPS to be quite secure

It's also idiot proof.

They should put a warning on Linux and Unix in general that says, "If you are an idiot, don't even think about installing this. This is meant for people who have half a mind, and actually understand what they want from their computer."

Go back to buying sub-par point-and-print bullshit.

Re:I found CUPS to be quite secure

[Zoolander]

Yeah, heaven forbid that we make it user-friendly, then I'd have to move to some other OS... ;) Ease of use and versatility don't have to be mutually exclusive, you know. What's wrong with point and print? I can think of few things less interesting than setting up printing. If I can get that fixed with a few clicks, then I would be very happy. Then I could move on to learning something interesting instead.

something else to keep your beverage in

[rabidcow]

Good thing I use MUGS.

I mean what use is a CUP with a HOLE in it?

Soviet sad man is saying:

i am sad that ... party finds YOU :*( !

Re:Secure? You wish.

[greening]

Well, my copy of of Gentoo linux (currently installed), FreeBSD (currently installed), and OpenBSD (currently installed) cost me nothing at all. Were as, my one little pathetic copy of Win2k (unfortunately, currently installed) cost me over $300. Sure, *NIX is a little harder to use (poor baby doesn't want to work/learn?) but, you get a more secure OS solution (especially with OpenBSD) for 0/50 the price of Windows.

People don't move to open source software because there are more lazy people in the world. Well, I'll stick to *NIX.

Plus, instead of having to hire a small amount of people to go through and try to find such large amounts of bugs (Windows), you get every programmer across the globe to look (those who know about your project of course) for free (open source).

Soviet sad man is saying:

i am sad that vulnerabilities expose YOU :*( !

Ho Hum

[archnerd]

Looks like another most-of-the-nighter upgrading CUPS, installing espgs because the version of cups I had installed didn't require it, recreating the configuration files that the @#$%^! installer just overwrite, and making the standard offerings to Cthulhu so the blasted thing will figure out where pstoraster is located. Of course, it will be my fault if someone manages to get a shell account on the router/firewall/printserver and proceeds to trash the read-writable netbios shares that my family is too lazy to set a password on. Isn't being a sysadmin great?

Re:Ho Hum

[Zigg]

Hmm. I like my Debian boxes. :-)

Re:Ho Hum

[archnerd]

Yup. But until I apt-get a life, I'm not parting from LFS :-)

"Slew?"

[printman]

OK, for folks that haven't read the advisory, a "slew" is apparently 9.

Of those 9, only *1* of the issues could possibly be used to gain root access, and it depends entirely on the CUPS release, compiler, etc. you use, and for the exploit to work remotely you have to change the default CUPS configuration.

Issue 6 was fixed back in CUPS 1.1.15 (released in June) and is old news.

All but one issue was fixed within a few hours of the report, and the current CUPS release (1.1.18) does not have any of these vulnerabilities.

This is so dumb

Why do daemons still run as root? All of these things should be running as unprivileged users, with lots of restrictions on what they can do. Processes need to be root to bind low ports? Then let's run these services on higher ports, or fix the kernel so any process can bind to lower ports. The unix "security model" is so brain-dead. The most dangerous input (stuff from the net) is handled at the highest privilege level (root). This is just idiotic.

Re:This is so dumb

[virtigex]

There's just no reason why this or many other servcies need to run as root. Consider Apache for example. Although started as root (needed to bind to port 80), it setuid's to a user of your choice after startup.

Re:This is so dumb

[beaubell]

root (needed to bind to port 80)...

Not.. If you run nsa's selinux

Re:This is so dumb

[Zigg]

Sounds like a job for systrace...

Bugs not found by accident

[Rat+Tank]

So these dangerous exploits were found by a source code review (as opposed to a script kiddy striking it lucky), which was only possible due to the open source nature of CUPS. Now that this advisory has taught hackers how to compromise a great many lunix machines, isn't it worth considering that CUPs would have been so much more secure had it been a closed source project? It's simple logic that only the most blatant troll could disagree with; source closed --> exploits never found --> hackers can't exploit CUPs.

Re:Bugs not found by accident

[archnerd]

Alright I'll feed the trolls.

> So these dangerous exploits were found by a source code review (as opposed to a script kiddy striking it lucky), which was only possible due to the open source nature of CUPS.

"Script kiddie striking it lucky"? Last I checked, script kiddies don't discover security holes. The let other people do that then download working exploits and once in a while one of them is simple enough to be operated without a brain.

> Now that this advisory has taught hackers how to compromise a great many lunix machines

Read the advisory. There's just the mention of the vulnerablity, no published exploit. Overlap the group of people capable of understanding the vulnerability and writing an exploit for it with the group of people who would waste their time doing so, and you're left with a very small number.

> isn't it worth considering that CUPs would have been so much more secure had it been a closed source project? It's simple logic that only the most blatant troll could disagree with; source closed --> exploits never found --> hackers can't exploit CUPs.

Reverse engineering? Cracking a machine that contain the source code? Intercepting communications between developers? Security through obscurity doesn't work, period. I can go on for days about that, but there are people far more articulate than I who would be happy to do so.

Re:Am I Affected?

[tres]

At first, I read your subject, Am I affected? and I thought to myself, "this guy must be stupid if he doesn't know whether this has an effect on him.

Then I read the first line, and it was crystal

I use Windows 2000 Server.

Funny, but I don't see 80% of the people posting in support of the crap posing as software coming out of Redmond.

And you--you've got to be AC to admit to using that shit, don't you?

Ugh!! Way too much in a holiday mode ...

[shri]

The first thing that came to my mind was the silly game Chandler and Joey played on Friends, when I read about CUPS. :)

A bug in PAPER

[PaddyM]

makes your root password VISIBLE by default when you print it out.

CUPS are not secure.

[AnonymousCowheard]

ceramic is so a thousand years ago...

aluminum mugs secure on coasters much better and they aren't vulnerable to breaking on a tile floor should you drop one.

Oh you mean Common Unix Printing System! My mistake...in a world of lpr and lpr-ng...oh them was fighting words!! I'll never walk the plank! Never!

Huh?

"Exploitation of multiple CUPS vulnerabilities"

Sounds more like a description of senior prom night

Or don't use CUPS

[0x0d0a]

I haven't been a fan of CUPS -- lprng or other alternatives might be a better choice.

Re:Or don't use CUPS

[ipjohnson]

FYI given enough time and enough circulation every software *WILL* have security vulnerabilities. I don't care who writes it or how many code reviews are held it will happen. So suggesting to switch to another package to avoid a fixable security flaw is stupid.

Now saying that there are some package that are more inherantly more secure than others (i.e qmail vs sendmail) but I don't think this is a case of that more your personal views clouding the issue.

-Ian

I'm not impressed

Coordinated - with Red Hat and Apple. No one told me, or (to my knowledge) Debian.

Which would explain why I'm reading patches at 2:30 am.

Jeff Licquia
Debian maintainer, cupsys (the CUPS packages for Debian)

Re:Secure? You wish.

You just stay in your own bitter little world. Have a nice life.

Note the dates of disclosure. A long time, eh?

[sanermind]

VIII. DISCLOSURE TIMELINE

10/27/2002 Initial discussion with contributor
11/14/2002 Final contributor submission
12/12/2002 CUPS author notified via e-mail to cups-support@cups.org
12/12/2002 iDEFENSE clients notified
12/12/2002 Response and preliminary patch received from
CUPS author Michael Sweet (mike@easysw.com)
12/12/2002 Apple, Linux Security List (vendor-sec@lst.de)
12/13/2002 Updated patch received from Michael Sweet
12/17/2002 Response received from Richard Blanchard
(rblanchard@apple.com)
12/19/2002 Coordinated Public Disclosure

That's almost a month and a half since the exploit was intially known, to when even the author of the package was informed; it was almost a month just for that! The general public got to know about this even later.

Maybe this is a good thing, but I wonder. Who had access to this dangerous knowledge while the rest of the world slept, unaware of their vulnerability to this. Sure, a truly secure setup wouldn't be running uncessary demons on anything important, but still...

Magic lantern, anyone?

Re:Note the dates of disclosure. A long time, eh?

[chabotc]

While this is true, it is also dangerous to release this info to quickly..

By releasing the info about what is exploitable and how, you make a hackers life really easy.. he no longer has to go thru all the code and try 2 find an exploitable hole. Now he only has to code an exploit and he's done. Thus they decided the vendors need time to fix their software!

On the other hand, a releasing this info after a N-timeframe presures the vendors into patching their software timely.

However, your question assumes that no one could find this vunerability _before_ this company did! Ofcource this is nonsence.. a hacker couldve found this exploitable code many months ago, and as long as he doesnt make it 'to' public, chances are no one will know about it..

Never, i repeat _never_ assume your software is 100% bug free and un-exploitable! A skilled hacker can find an exploit in almost all software given enough time!

The thing to keep in mind is that a hacker is also submited to the rules of economy, the more hacking into the target is worth, the more time he is willing on finding a way in. For most common servers, the worth is not so high (plenty of targets of similar value, so pick out the easy one..) For banks and alike, this doesn
t different ofcource ;-)

Re:Am I Affected?

if you use Windows 2000, you've got more security issues to worry about than CUPS.

Worst scenarios gain root privileges?

[LadyLucky]

Geez, be honest about it already.

The worst they can do is what ever they want to do, if they get root access. Say it like it is. An attacker can execute arbitrary code, get complete control over the machine. Security issues shouldn't be sugar coated like that.

Re:hmm.... yep.

[El+Dopa]

Yeah, it's covered in the OS X 10.2.3 update that was released last night (which also covers the recent fetchmail DOS issue).

If only the same standards were used...

If this were an MS vulnerability, I guarantee 383293298329832 posts filled with mostly "haha ms sux0rz". But since is a unix vulnerability, its all just "but its fixed now".

Re:... and you might be safe

"Might" is the key word. It would be naive to think this is the only vulnerability in your network. And it would be naive to think that all threats are outside your firewall. So, think of it in these terms: What would be the damage if an attacker were able, using other vulnerabilities, to obtain a position where he COULD exploit the CUPS vulnerability on one of your servers.

Where is Linux-Mandrake???

[MsGeek]

OK mes amis...I'm waiting for the official security update, and it ain't here yet! C'mon! Get on the stick, man! Debian, Red Hat and Apple have the update NOW, why do we have to fsckn wait???

I am seriously looking at paying my money and getting the newest version of Libranet. I am enjoying Mandrake 9 now but am getting very tired of waiting for packages getting onto urpmi. It took Linux-Mandrake two weeks to fix Samba, and that was a pretty important update.

Re:Where is Linux-Mandrake???

[Gothmolly]

Then fix it yourself, troll. There's nothing from stopping you from FTPing the source down, running ./configure, and running make install. Almost all OSS stuff is THAT easy these days.
If you're using OSS, you need to be able to work it, not just sit there and whine for updates.

Upside down?

Turn your cup over, the hole is supposed to be at the top.

Re:Am I Affected?

[CameronGary]

Printing is mission critical. I take care of printing where I work, and I can tell that people haved screamed when something has broken printing. Printing ranks right up there with email as a critical service.

One of my colleaques altered an NDS group which whacked printing for about 150 people. They took away all of his rights because of that.

Re:hmm.... yep.

[Creepy]

would that be the "printing improvements" thing mentioned?

I'd heard 10.2.3 was out, but I had a bunch of windows up that I wasn't willing to bring down until this morning, so I'm just getting the update now.

Re:Mac Users OK?

You are mistaken. Macs are OK now, but Mac Users are still far from OK and it's the same the world over....

OSS only for the techno-elite?

[txtracer]

There's nothing from stopping you from FTPing the source down, running ./configure, and running make install.[...]If you're using OSS, you need to be able to work it

Hey, what a great argument, I'll remember that the next time someone asks me if they should switch to Linux. "No, Linux is only for those who know how to program."

Re:OSS only for the techno-elite?

[kcurrie]

Typing "./configure ; make install" is hardly programming!

Re:OSS only for the techno-elite?

Shame. Because you're an idiot - you probably already speak their language.

Last Post!

[alpg]

The problems of business administration in general, and database management in
particular are much to difficult for people that think in IBMese, compounded
with sloppy english.
-- Edsger Dijkstra

- this post brought to you by the Automated Last Post Generator...