CUPS print service is vulnerable to privilege escalation and cross-site scripting

Overview

CUPS implements the Internet Printing Protocol (IPP) for UNIX-derived operating systems. Various versions of CUPS are vulnerable to a privilege escalation due to a memory management error.

Description

CWE-911**: Improper Update of Reference Count -**CVE-2015-1158

An issue with how localized strings are handled in cupsd allows a reference counter to over-decrement when handling certain print job request errors. As a result, an attacker can prematurely free an arbitrary string of global scope, creating a dangling pointer to a repurposed block of memory on the heap. The dangling pointer causes ACL verification to fail when parsing 'admin/conf' and ``'admin' ACLs. The ACL handling failure results in unrestricted access to privileged operations, allowing an unauthenticated remote user to upload a replacement CUPS configuration file and mount further attacks.

This vulnerability was introduced in CUPS 1.2.0, released in 2006. All major versions of CUPS from 1.2 to 2.0 are vulnerable. This vulnerability is exploitable by default and without any special permissions other than the ability to send a print job request.

CWE-79**: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) -**CVE-2015-1159

A cross-site scripting bug in the CUPS templating engine allows this bug to be exploited when a user browses the web._ _In certain cases, the CGI template can echo user input to file rather than escaping the text first. This may be used to set up a reflected XSS attack in the QUERY parameter of the web interface help page. By default, many linux distributions run with the web interface activated; OS X has the web interface deactivated by default.

The CVSS score below is based on CVE-2015-1158.

---

Impact

CVE-2015-1158 may allow a remote unauthenticated attacker access to privileged operations on the CUPS server. CVE-2015-1159 may allow an attacker to execute arbitrary javascript in a user’s browser.

---

Solution

Apply an update

A patch addressing these issues has been released for all supported versions of CUPS. For the version 2.0 branch (the latest release), 2.0.3 contains the patch. Affected users are encouraged to update as soon as possible.

---

Vendor Information

810572

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Apple Affected

Notified: May 06, 2015 Updated: May 08, 2015

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

FreeBSD Project __ Affected

Notified: May 08, 2015 Updated: June 10, 2015

Statement Date: June 10, 2015

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

FreeBSD ships with CUPS in ports tree and was therefore affected.

An update was done on Jun 9 22:15:48 2015 UTC (r389006).

SUSE Linux __ Affected

Notified: May 08, 2015 Updated: June 10, 2015

Statement Date: June 10, 2015

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

SLE 12 is affected and will receive an update soon.
SLE 11 is affected and will receive an update soon.

Vendor References

• <https://bugzilla.suse.com/show_bug.cgi?id=924208&gt;

openSUSE project __ Affected

Notified: May 08, 2015 Updated: June 10, 2015

Statement Date: June 10, 2015

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

openSUSE 13.1 and 13.2 are affected and will receive updates soon.

Vendor References

• <https://bugzilla.opensuse.org/show_bug.cgi?id=924208&gt;

CentOS Unknown

Notified: May 08, 2015 Updated: May 08, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Debian GNU/Linux Unknown

Notified: May 08, 2015 Updated: May 08, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

DesktopBSD Unknown

Notified: May 08, 2015 Updated: May 08, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

DragonFly BSD Project Unknown

Notified: May 08, 2015 Updated: May 08, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

EMC Corporation Unknown

Notified: May 08, 2015 Updated: May 08, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

F5 Networks, Inc. Unknown

Notified: May 08, 2015 Updated: May 08, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Fedora Project Unknown

Notified: May 08, 2015 Updated: May 08, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Gentoo Linux Unknown

Notified: May 08, 2015 Updated: May 08, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Hewlett-Packard Company Unknown

Notified: May 08, 2015 Updated: May 08, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Hitachi Unknown

Notified: May 08, 2015 Updated: May 08, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

IBM Corporation Unknown

Notified: May 08, 2015 Updated: May 08, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

IBM eServer Unknown

Notified: May 08, 2015 Updated: May 08, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Juniper Networks Unknown

Notified: May 08, 2015 Updated: May 08, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Mandriva S. A. Unknown

Notified: May 08, 2015 Updated: May 08, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

NetBSD Unknown

Notified: May 08, 2015 Updated: May 08, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Nokia Unknown

Notified: May 08, 2015 Updated: May 08, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

OmniTI Unknown

Notified: May 08, 2015 Updated: May 08, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

OpenBSD Unknown

Notified: May 08, 2015 Updated: May 08, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Openwall GNU/*/Linux Unknown

Notified: May 08, 2015 Updated: May 08, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Oracle Corporation Unknown

Notified: May 08, 2015 Updated: May 08, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

QNX Software Systems Inc. Unknown

Notified: May 08, 2015 Updated: May 08, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Red Hat, Inc. Unknown

Notified: May 08, 2015 Updated: May 08, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Slackware Linux Inc. Unknown

Notified: May 08, 2015 Updated: May 08, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Sony Corporation Unknown

Notified: May 08, 2015 Updated: May 08, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Turbolinux Unknown

Notified: May 08, 2015 Updated: May 08, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Ubuntu Unknown

Notified: May 08, 2015 Updated: May 08, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Unisys Unknown

Notified: May 08, 2015 Updated: May 08, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

m0n0wall Unknown

Notified: May 08, 2015 Updated: May 08, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

View all 32 vendors __View less vendors __

CVSS Metrics

Group	Score	Vector
Base	9.3	AV:N/AC:M/Au:N/C:C/I:C/A:C
Temporal	7.3	E:POC/RL:OF/RC:C
Environmental	5.5	CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

• <http://www.cups.org/blog.php?L1082+I0+Q&gt;
• <https://www.cups.org/str.php?L4609&gt;

Acknowledgements

This document was written by Garret Wassermann.

Other Information

CVE IDs:	CVE-2015-1158, CVE-2015-1159
Date Public:	2015-06-08 Date First Published: