CUPS stores user account details in plain text in log file

2004-11-19T00:00:00
ID VU:557062
Type cert
Reporter CERT
Modified 2004-12-17T00:00:00

Description

Overview

When an SMB printer is configured, CUPS stores plain text login information to the log file.

Description

CUPS is a cross-platform printing system for UNIX environments. It can use the IPP, LPD, SMB, and JetDirect protocols to interact with printers. The SMB protocol is used to communicate with printers that are shared via Microsoft Windows or other SMB-compatible software such as Samba. When an SMB printer is added or modified, the connection string for the printer is written to the log file in plain text. This connection string will contain a username and password if authentication is required for the printer.


Impact

A local authenticated user may be able to retrieve the usernames and passwords for other accounts.


Solution

Apply a patch from your vendor

For vendor-specific information regarding vulnerable status and patch availability, please see the Systems Affected section of this document.


Upgrade your version of CUPS

This issue is resolved in CUPS 1.1.22rc1. Starting with this version, the connection string for the printer is sanitized so that it does not contain sensitive information.

Restrict access to the CUPS log file

By default, the CUPS log file is world-readable. Access to the CUPS log file can be restricted by setting the LogFilePerm option in cupsd.conf to "0600"

Do not use authenticated printing to Windows via Samba

Because of the possibility of disclosing sensitive information when using a printer shared via SMB, it is suggested to use other protocols such as LPD. Windows can function as an LPD server when Print Services for UNIX is installed.


Systems Affected

Vendor| Status| Date Notified| Date Updated
---|---|---|---
Debian| | 04 Oct 2004| 18 Oct 2004
MandrakeSoft| | 04 Oct 2004| 22 Oct 2004
Hitachi| | 04 Oct 2004| 08 Oct 2004
NETBSD| | 04 Oct 2004| 05 Oct 2004
BSDI| | 04 Oct 2004| 04 Oct 2004
Conectiva| | 04 Oct 2004| 04 Oct 2004
Cray Inc.| | 04 Oct 2004| 04 Oct 2004
EMC Corporation| | 04 Oct 2004| 04 Oct 2004
Engarde| | 04 Oct 2004| 04 Oct 2004
F5 Networks| | 04 Oct 2004| 04 Oct 2004
FreeBSD| | 04 Oct 2004| 04 Oct 2004
Fujitsu| | 04 Oct 2004| 04 Oct 2004
Hewlett-Packard Company| | 04 Oct 2004| 04 Oct 2004
IBM| | 04 Oct 2004| 04 Oct 2004
IBM-zSeries| | 04 Oct 2004| 04 Oct 2004
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group | Score | Vector
---|---|---
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A

References

  • <http://www.securitytracker.com/alerts/2004/Oct/1011529.html>
  • <http://secunia.com/advisories/12736/>
  • <http://fedoranews.org/updates/FEDORA-2004-331.shtml>
  • <http://www.cups.org/ssr.html>

Credit

Thanks to Gary Smith for reporting this vulnerability.

This document was written by Will Dormann.

Other Information

  • CVE IDs: CAN-2004-0923
  • Date Public: 05 Oct 2004
  • Date First Published: 19 Nov 2004
  • Date Last Updated: 17 Dec 2004
  • Severity Metric: 5.06
  • Document Revision: 17