Slashdot Mirror

← Back to Stories (view on slashdot.org)

CUPS Security Vulnerabilities

Posted by CowboyNeal on from the leaving-the-door-open dept.

Buck Naked writes "A slew of vulnerabilities was discovered in CUPS, from the advisory: 'Exploitation of multiple CUPS vulnerabilities allow local and remote attackers in the worst of the scenarios to gain root privileges...' The full advisory can be found at iDEFENSE."

10 of 155 comments (clear)

  1. Patches out, you can relax by Erore · · Score: 5, Informative

    http://www.cups.org/news.php?V87

    Whew, I feel much safer now. It's always nice that someone feels ownership for the code, thus that someone takes quick action and fixes the problems. Thank you Michael Sweet for a great print system and quick action.

  2. Vendor notes... by Anonymous Coward · · Score: 5, Informative


    Michael Sweet [mike@easysw.com] of Easy Software Products said CUPS 1.1.18 will be released December 19, 2002 which addresses all of these issues (http://www.cups.org).

    Mark J Cox (mjc@redhat.com) of Red Hat said the following:

    "Red Hat Linux 7.3 and 8.0 ship with CUPS, however it is not enabled by default. We are currently working on producing erratum packages. When complete, these will be available along with our advisory. At the same time, users of the Red Hat Network will be able to update their systems
    using the 'up2date' tool."

    Richard Blanchard (rblanchard@apple.com) of Apple said the following:

    "Affected Systems:
    Mac OS X 10.2 - Mac OS X 10.2.2
    Mac OS X Server 10.2 - Mac OS X Server 10.2.2

    Mitigating Factors:

    The described vulnerability can be remotely exploited only when Printer Sharing is enabled. Printer Sharing is not enabled by default on Mac OS X or Mac OS X Server.

    Fixed in: Mac OS X 10.2.3 and Mac OS X Server 10.2.3"

  3. Mac Users OK by mattvd · · Score: 5, Informative
    From the linked article:
    "Fixed in: Mac OS X 10.2.3 and Mac OS X Server 10.2.3"
    Apple just released 10.2.3 today.
    1. Re:Mac Users OK by BJH · · Score: 2, Informative

      Apple switched to CUPS in Jaguar - earlier releases don't contain it.

  4. "Slew?" by printman · · Score: 5, Informative

    OK, for folks that haven't read the advisory, a "slew" is apparently 9.

    Of those 9, only *1* of the issues could possibly be used to gain root access, and it depends entirely on the CUPS release, compiler, etc. you use, and for the exploit to work remotely you have to change the default CUPS configuration.

    Issue 6 was fixed back in CUPS 1.1.15 (released in June) and is old news.

    All but one issue was fixed within a few hours of the report, and the current CUPS release (1.1.18) does not have any of these vulnerabilities.

    --
    I print, therefore I am.
  5. Re:Lets see ... by MattCohn.com · · Score: 2, Informative

    Really. Because I just happened to look in my system tray today and saw an icon. I double clicked this icon which said "Updates have been downloaded. Click 'Install' to install them'.

    I clicked, browsed slashdot a little, and in a minute or two it told me it was done.

    ...

    ...
    Yah, that wasn't too hard.

  6. Re:What is CUPS, you ask? by drinkypoo · · Score: 4, Informative
    In general Unix systems have assumed postscript for printing anything other than fixed-width text, which with most older printers, especially character printers, can be done (with no styles mind you) by simply sending the text out the printer port in ASCII.

    I really don't know where the dependence on postscript came from in the first place, but it definitely seems that that's how everything in the Unix world wants to print. I guess it was the most obfuscated language supported by lots of printers, so it was naturally desirable to the Unix crowd :) Also AFAIK PCL came a while after it, but maybe it's just that PCL got good enough to use much later.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  7. Re:CUPS is still the best solution by berzerke · · Score: 5, Informative

    ...why on earth would someone not be firewalling their printer?



    In addition to the firewalling, cups can also be portwalled too (see http://www.spotswood-computer.net/portwalling.html for details on this concept). Make sure it's not listening on an internet interface (which it would by default). Assuming your internal interface is 192.168.1.1, comment out the lines

    Port 80
    Port 631
    and replace them with
    Listen 192.168.1.1:631
    Listen 192.168.1.1:80
    and restart the service. Warning: The cups init.d script in Mandrake (at least) will make changes to your configuration file, resulting in cups failing to start if you make the changes listed here. Edit the script and stop it from making the changes before you restart.

  8. Re:Same shit, different daemon... by zen+parse · · Score: 2, Informative

    At least one of these is exploitable via a url... I think that was mentioned somewhere in the advisory. (If not, that is what the remote method is, so you know.)

    If you get an email with a specially constructed image link in it, or visit a website with that url, you can be remotely exploited... it ignores the firewall because it is you doing the connecting to it. (Can even put every possible address you might have a printer on your LAN into a page, with every possible offset... or at least the most likely ones... too many malformed connections, and your daemon dies... remote denial of service maybe?)

    Filtering connections to port 631 in mozilla/netscape would protect you from this, but it would also stop you being able to use the administration via http features of CUPS, which gives you the proverbial choice between dancing elephants and security, it seems.

    Overview:

    You MUST patch it to be protected. Firewalling also won't protect you from malicious local users getting root, and it won't stop you being hacked by yourself.

  9. Re:Whew! by printman · · Score: 3, Informative

    Um, CUPS has been audited about a dozen times now by various vendors. The last such audit was conducted almost a year and a half ago and was the source of the last security advisory for CUPS. Yes, that's right, no advisories in a year and a half...

    We take security very seriously, and as soon as something comes to our attention (either internally or externally), we release a fix ASAP. This latest advisory exposed some integer overflows (previous ones were buffer overflow/DoS only) which could be used to gain access to the (unpriviledged) "lp" account, and in one case root access (but that required a local attack or a change in the default configuration for a remote attack...

    After the report we went through all of the related code as well to determine if there were any other problem spots like those reported; we found and fixed a few in the image file filters (which could only get you "lp" access anyways, one of the reasons we don't run everything as root like old LPD did...)

    Security advisories like this only improve the quality and "safety" of the CUPS code, and we welcome all reviews, criticisms, etc. - user/developer feedback has been the driving force behind CUPS development.

    --
    I print, therefore I am.