CUPS Security Vulnerabilities

Buck Naked writes "A slew of vulnerabilities was discovered in CUPS, from the advisory: 'Exploitation of multiple CUPS vulnerabilities allow local and remote attackers in the worst of the scenarios to gain root privileges...' The full advisory can be found at iDEFENSE."

Same shit, different daemon...

[norculf]

Common sense applies. The outside world doesn't need access to your printers, so firewall it and remember to patch it once in a while and you might be safe...

Thanks CowboyNeal and poster

[mao+che+minh]

While many might chime in here saying this story would be better suited on security sites, I for one just heard about it now. I also plugged about 3 vulnerabilities because of it.

Patches out, you can relax

[Erore]

http://www.cups.org/news.php?V87

Whew, I feel much safer now. It's always nice that someone feels ownership for the code, thus that someone takes quick action and fixes the problems. Thank you Michael Sweet for a great print system and quick action.

Vendor notes...

Michael Sweet [mike@easysw.com] of Easy Software Products said CUPS 1.1.18 will be released December 19, 2002 which addresses all of these issues (http://www.cups.org).

Mark J Cox (mjc@redhat.com) of Red Hat said the following:

"Red Hat Linux 7.3 and 8.0 ship with CUPS, however it is not enabled by default. We are currently working on producing erratum packages. When complete, these will be available along with our advisory. At the same time, users of the Red Hat Network will be able to update their systems
using the 'up2date' tool."

Richard Blanchard (rblanchard@apple.com) of Apple said the following:

"Affected Systems:
Mac OS X 10.2 - Mac OS X 10.2.2
Mac OS X Server 10.2 - Mac OS X Server 10.2.2

Mitigating Factors:

The described vulnerability can be remotely exploited only when Printer Sharing is enabled. Printer Sharing is not enabled by default on Mac OS X or Mac OS X Server.

Fixed in: Mac OS X 10.2.3 and Mac OS X Server 10.2.3"

Impressive List & Response

[goldid]

I'd just like to note how good the response is. The list of vulnerabilities is well stated and very complete. Furthermore, the time line of events is excellent and patching was superb and fast. My OS X box was patched before I even knew about the vulnerability. Thanks to iDEFENSE and zen-parse.

Re:Impressive List & Response

[zen+parse]

> How many people might've come to know about them in that time?

I would estimate that no more that 4 to 6 people had complete access to all of the problems before they were made public.

To the best of my knowlege none of these problems were ever exploited in the wild. (And if they were, as long as people patch their systems, they won't be.)

I found these problems by auditing the source, and not because of any rumors of active exploitation.

Open source software is sometimes considered to be more secure than closed source because you can see the source code.... the same reason other people say that it is less secure.

For being able to see the source code to make any difference at all, someone actually has to look at it, which doesn't appear to happen as often as either side claim does.

All it takes for a piece of software to be insecure is one exploitable problem, whether it is open or closed source.

What helps keep people secure is publicity that there is something wrong.

It's no use there being patches made available if nobody knows there was a problem... this article has probably done more for getting peoples boxes patched than all the security lists combined.

Anonymous Coward complained that it was a month between the holes being discovered and the patch being released... check out the problem's I found with the posterboy of open source in business, Netscape/Mozilla... 4 months to get some of them fixed... and when they released a buggy version and patched it 2 days later (or something like that) people actually CONGRATULATED THEM!!! Publicity over the bugs in Mozilla/Netscape was minimal to say the least...

Look at Code Red. Publicity caused that to be much less of a problem than it could've been.

The more exploits the 'bad guys' have, the more likely those exploits will be patched.

Having an exploit for a vulnerability that is patched on 99% of boxes is pretty much useless... distributing an exploit with your advisory isn't 'a neccessary evil', it's a bloody good idea.

A complete working script kiddie friendly exploit for every hole that is found should be given away, free of charge. Let the holes that people don't patch get exploited. If you know that within a day of a security advisory being released there will be an easy to use way for anyone in the world to use it against you, are you going to let your guard down?

-- zen-parse

CUPS is still the best solution

[jaymzter]

CUPS, as far as I'm concerned is the killer app for printing in the *nix world. And just like another poster mentioned, why on earth would someone not be firewalling their printer? So once again it comes down to the competency of the system administrator. As for the MS trolls out there who will use this as an excuse to pan OSS, I'd like to point out that at least with CUPS and projects like it we won't have to wait for the maintainers to admit there's a problem, and then wait a month or more for a fix. This is news only in that security vulnerabilities need to be dissemenated as widely as possible

Re:CUPS is still the best solution

[berzerke]

...why on earth would someone not be firewalling their printer?

In addition to the firewalling, cups can also be portwalled too (see http://www.spotswood-computer.net/portwalling.html for details on this concept). Make sure it's not listening on an internet interface (which it would by default). Assuming your internal interface is 192.168.1.1, comment out the lines

Port 80
Port 631

and replace them with

Listen 192.168.1.1:631
Listen 192.168.1.1:80

and restart the service. Warning: The cups init.d script in Mandrake (at least) will make changes to your configuration file, resulting in cups failing to start if you make the changes listed here. Edit the script and stop it from making the changes before you restart.

Mac Users OK

[mattvd]

From the linked article:

"Fixed in: Mac OS X 10.2.3 and Mac OS X Server 10.2.3"

Apple just released 10.2.3 today.

Not really news - CUPS vulnerabilities endemic

[commodoresloat]

CUPS have always had known vulnerabilities; they need them to operate effectively. What do you expect when you have a giant hole on one end of the things? But if you plug up the hole, you can't drink out of them. Thus, CUPS will always be vulnerable.

"Slew?"

[printman]

OK, for folks that haven't read the advisory, a "slew" is apparently 9.

Of those 9, only *1* of the issues could possibly be used to gain root access, and it depends entirely on the CUPS release, compiler, etc. you use, and for the exploit to work remotely you have to change the default CUPS configuration.

Issue 6 was fixed back in CUPS 1.1.15 (released in June) and is old news.

All but one issue was fixed within a few hours of the report, and the current CUPS release (1.1.18) does not have any of these vulnerabilities.

Re:What is CUPS, you ask?

[drinkypoo]

In general Unix systems have assumed postscript for printing anything other than fixed-width text, which with most older printers, especially character printers, can be done (with no styles mind you) by simply sending the text out the printer port in ASCII.

I really don't know where the dependence on postscript came from in the first place, but it definitely seems that that's how everything in the Unix world wants to print. I guess it was the most obfuscated language supported by lots of printers, so it was naturally desirable to the Unix crowd :) Also AFAIK PCL came a while after it, but maybe it's just that PCL got good enough to use much later.