Slashdot Mirror


CUPS Security Vulnerabilities

Buck Naked writes "A slew of vulnerabilities was discovered in CUPS, from the advisory: 'Exploitation of multiple CUPS vulnerabilities allow local and remote attackers in the worst of the scenarios to gain root privileges...' The full advisory can be found at iDEFENSE."

20 of 155 comments

  1. Same shit, different daemon... by norculf · · Score: 5, Insightful

    Common sense applies. The outside world doesn't need access to your printers, so firewall it and remember to patch it once in a while and you might be safe...

  2. Thanks CowboyNeal and poster by mao+che+minh · · Score: 5, Insightful

    While many might chime in here saying this story would be better suited on security sites, I for one just heard about it now. I also plugged about 3 vulnerabilities because of it.

  3. Patches out, you can relax by Erore · · Score: 5, Informative

    http://www.cups.org/news.php?V87

    Whew, I feel much safer now. It's always nice that someone feels ownership for the code, thus that someone takes quick action and fixes the problems. Thank you Michael Sweet for a great print system and quick action.

  4. Vendor notes... by Anonymous Coward · · Score: 5, Informative

    Michael Sweet [mike@easysw.com] of Easy Software Products said CUPS 1.1.18 will be released December 19, 2002 which addresses all of these issues (http://www.cups.org).

    Mark J Cox (mjc@redhat.com) of Red Hat said the following:

    "Red Hat Linux 7.3 and 8.0 ship with CUPS, however it is not enabled by default. We are currently working on producing erratum packages. When complete, these will be available along with our advisory. At the same time, users of the Red Hat Network will be able to update their systems using the 'up2date' tool."

    Richard Blanchard (rblanchard@apple.com) of Apple said the following:

    "Affected Systems:
    Mac OS X 10.2 - Mac OS X 10.2.2
    Mac OS X Server 10.2 - Mac OS X Server 10.2.2

    Mitigating Factors:

    The described vulnerability can be remotely exploited only when Printer Sharing is enabled. Printer Sharing is not enabled by default on Mac OS X or Mac OS X Server.

    Fixed in: Mac OS X 10.2.3 and Mac OS X Server 10.2.3"

  5. Impressive List & Response by goldid · · Score: 4, Interesting

    I'd just like to note how good the response is. The list of vulnerabilities is well stated and very complete. Furthermore, the timeline of events is excellent and patching was superb and fast. My OS X box was patched before I even knew about the vulnerability. Thanks to iDEFENSE and zen-parse.

    1. Re:Impressive List & Response by zen+parse · · Score: 4, Insightful

      > How many people might've come to know about them in that time?

      I would estimate that no more than 4 to 6 people had complete access to all of the problems before they were made public.

      To the best of my knowledge none of these problems were ever exploited in the wild. (And if they were, as long as people patch their systems, they won't be.)

      I found these problems by auditing the source, and not because of any rumors of active exploitation.

      Open source software is sometimes considered to be more secure than closed source because you can see the source code.... the same reason other people say that it is less secure.

      For being able to see the source code to make any difference at all, someone actually has to look at it, which doesn't appear to happen as often as either side claims it does.

      All it takes for a piece of software to be insecure is one exploitable problem, whether it is open or closed source.

      What helps keep people secure is publicity that there is something wrong.

      It's no use there being patches made available if nobody knows there was a problem... this article has probably done more for getting people's boxes patched than all the security lists combined.

      Anonymous Coward complained that it was a month between the holes being discovered and the patch being released... check out the problems I found with the posterboy of open source in business, Netscape/Mozilla... 4 months to get some of them fixed... and when they released a buggy version and patched it 2 days later (or something like that) people actually CONGRATULATED THEM!!! Publicity over the bugs in Mozilla/Netscape was minimal to say the least...

      Look at Code Red. Publicity caused that to be much less of a problem than it could've been.

      The more exploits the 'bad guys' have, the more likely those exploits will be patched.

      Having an exploit for a vulnerability that is patched on 99% of boxes is pretty much useless... distributing an exploit with your advisory isn't 'a necessary evil', it's a bloody good idea.

      A complete working script kiddie friendly exploit for every hole that is found should be given away, free of charge. Let the holes that people don't patch get exploited. If you know that within a day of a security advisory being released there will be an easy to use way for anyone in the world to use it against you, are you going to let your guard down?

      -- zen-parse

  6. CUPS is still the best solution by jaymzter · · Score: 5, Insightful

    CUPS, as far as I'm concerned, is the killer app for printing in the *nix world. And just like another poster mentioned, why on earth would someone not be firewalling their printer? So once again it comes down to the competency of the system administrator. As for the MS trolls out there who will use this as an excuse to pan OSS, I'd like to point out that at least with CUPS and projects like it we won't have to wait for the maintainers to admit there's a problem, and then wait a month or more for a fix. This is news only in that security vulnerabilities need to be disseminated as widely as possible.

    --
    If thou see a fair woman pay court to her, for thus thou wilt obtain love
    1. Re:CUPS is still the best solution by berzerke · · Score: 5, Informative

      > ...why on earth would someone not be firewalling their printer?

      In addition to the firewalling, cups can also be portwalled (see http://www.spotswood-computer.net/portwalling.html for details on this concept). Make sure it's not listening on an internet interface (which it would by default). Assuming your internal interface is 192.168.1.1, comment out the lines

      Port 80
      Port 631
      and replace them with
      Listen 192.168.1.1:631
      Listen 192.168.1.1:80
      and restart the service. Warning: The cups init.d script in Mandrake (at least) will make changes to your configuration file, resulting in cups failing to start if you make the changes listed here. Edit the script and stop it from making the changes before you restart.
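One way to audit a cupsd.conf for the wildcard bindings this comment describes and to produce the Listen form it recommends, as an added example (not code from CUPS or the poster; the sample config fragment and the 192.168.1.1 internal address are constructed assumptions):

```python
"""Flag cupsd.conf directives that bind every interface and rewrite them
to bind only the internal interface, as the comment above suggests.
Added example, not CUPS's own tooling; the sample config is constructed."""
import re

# Constructed sample cupsd.conf fragment in the stock, wildcard-bound form.
SAMPLE_CONF = """\
# Ports/addresses that we listen to.
Port 80
Port 631
#Listen hostname:port
BrowseAddress @LOCAL
"""

PORT_RE = re.compile(r"^\s*Port\s+(\d+)\s*$")          # Port N binds all interfaces
LISTEN_RE = re.compile(r"^\s*Listen\s+(\S+?):(\d+)\s*$")  # Listen addr:N
WILDCARD = {"*", "0.0.0.0", "::", "[::]"}  # any-address forms a Listen line may carry


def _wildcard_port(line: str):
    """Return the port as a string if this line binds every interface, else None."""
    m = PORT_RE.match(line)
    if m:
        return m.group(1)
    m = LISTEN_RE.match(line)
    if m and m.group(1) in WILDCARD:
        return m.group(2)
    return None


def exposed_ports(conf: str) -> list[int]:
    """Ports the daemon would expose on an internet-facing interface."""
    return [int(p) for p in map(_wildcard_port, conf.splitlines()) if p is not None]


def harden(conf: str, internal_ip: str = "192.168.1.1") -> str:
    """Comment out each wildcard directive and add Listen <internal_ip>:<port>.

    Commented-out lines (e.g. '#Listen hostname:port') are left untouched, and
    Listen lines already bound to a specific address or a Unix socket are kept."""
    out = []
    for line in conf.splitlines():
        port = _wildcard_port(line)
        if port is None:
            out.append(line)
        else:
            out.append("#" + line.strip())  # keep the original, disabled, for reference
            out.append(f"Listen {internal_ip}:{port}")
    return "\n".join(out) + "\n"
```

After editing the real file, restart cupsd and confirm with your system's socket listing that 80 and 631 are bound only to the internal address.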

  7. Mac Users OK by mattvd · · Score: 5, Informative

    From the linked article:
    "Fixed in: Mac OS X 10.2.3 and Mac OS X Server 10.2.3"
    Apple just released 10.2.3 today.

  8. Whew! by DoctorPhish · · Score: 3, Funny

    I sure am glad I removed CUPS from my mom's debian box before I moved out last week (and took my firewall with me). I still think printing is the worst thing about unix in general (and about GNOME in particular...), but CUPS was relatively easy to set up. Sounds like it needs a serious security audit, though.

    1. Re:Whew! by friedmud · · Score: 3, Interesting

      Please don't take this as trolling....

      But have you seen KDE's print menu/system?? It works directly with cups and is actually easier to use than even MS's printer installer.

      KDE 3.1 improved things even more, and now the whole system is very sweet. Give it a try.

      Derek

    2. Re:Whew! by printman · · Score: 3, Informative

      Um, CUPS has been audited about a dozen times now by various vendors. The last such audit was conducted almost a year and a half ago and was the source of the last security advisory for CUPS. Yes, that's right, no advisories in a year and a half...

      We take security very seriously, and as soon as something comes to our attention (either internally or externally), we release a fix ASAP. This latest advisory exposed some integer overflows (previous ones were buffer overflow/DoS only) which could be used to gain access to the (unprivileged) "lp" account, and in one case root access (but that required a local attack or a change in the default configuration for a remote attack...)

      After the report we went through all of the related code as well to determine if there were any other problem spots like those reported; we found and fixed a few in the image file filters (which could only get you "lp" access anyways, one of the reasons we don't run everything as root like old LPD did...)

      Security advisories like this only improve the quality and "safety" of the CUPS code, and we welcome all reviews, criticisms, etc. - user/developer feedback has been the driving force behind CUPS development.

      --
      I print, therefore I am.
  9. Let's see ... by johnlcallaway · · Score: 3, Funny

    ... do I use this ... uh ... no.

    OK, I'm done.

    Wish Windoze security updates were this easy......

    --
    I rarely read replies, it's my opinion and if you thought about your opinion a little more, I'm OK with that.
  10. CUPS by rockwood · · Score: 3, Funny
    An exploitation recently discovered in CUPS has globally rocked and baffled the scientific industry.

    It appears that a vulnerability has been found whereby a malicious user can covertly attach a second string to the midsection of the two originating CUPS and 'tap' into the communication between CUP "A" and CUP "B".

    Furthermore, said user can attach a third CUP to the end of his/her string and receive a secondary branch off of all data vibrating between the two original CUPS.

    Savvy users can then vocally mimic the voice data being picked up and assume the identity of either CUP "A" or CUP "B".

    Agencies around the world have been placed on full alert as they scramble for a patch to this unforeseen security hole!

    --
    Never try to beat a professional at his own game!
  11. Not really news - CUPS vulnerabilities endemic by commodoresloat · · Score: 5, Funny

    CUPS have always had known vulnerabilities; they need them to operate effectively. What do you expect when you have a giant hole on one end of the things? But if you plug up the hole, you can't drink out of them. Thus, CUPS will always be vulnerable.

  12. something else to keep your beverage in by rabidcow · · Score: 3, Funny

    Good thing I use MUGS.

    I mean what use is a CUP with a HOLE in it?

  13. "Slew?" by printman · · Score: 5, Informative

    OK, for folks that haven't read the advisory, a "slew" is apparently 9.

    Of those 9, only *1* of the issues could possibly be used to gain root access, and it depends entirely on the CUPS release, compiler, etc. you use, and for the exploit to work remotely you have to change the default CUPS configuration.

    Issue 6 was fixed back in CUPS 1.1.15 (released in June) and is old news.

    All but one issue was fixed within a few hours of the report, and the current CUPS release (1.1.18) does not have any of these vulnerabilities.

    --
    I print, therefore I am.
  14. Ugh!! Way too much in a holiday mode ... by shri · · Score: 3, Funny

    The first thing that came to my mind was the silly game Chandler and Joey played on Friends, when I read about CUPS. :)

  15. Re:What is CUPS, you ask? by drinkypoo · · Score: 4, Informative
    In general Unix systems have assumed PostScript for printing anything other than fixed-width text, which with most older printers, especially character printers, can be done (with no styles, mind you) by simply sending the text out the printer port in ASCII.

    I really don't know where the dependence on PostScript came from in the first place, but it definitely seems that that's how everything in the Unix world wants to print. I guess it was the most obfuscated language supported by lots of printers, so it was naturally desirable to the Unix crowd :) Also AFAIK PCL came a while after it, but maybe it's just that PCL got good enough to use much later.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  16. Re:Where is Linux-Mandrake??? by Gothmolly · · Score: 3, Insightful

    Then fix it yourself, troll. There's nothing stopping you from FTPing the source down, running ./configure, and running make install. Almost all OSS stuff is THAT easy these days.
    If you're using OSS, you need to be able to work it, not just sit there and whine for updates.

    --
    I want to delete my account but Slashdot doesn't allow it.