Cisco: CISCO-SA-20071031-CVE-2007-4351
Oct 31, 2007 - 5:40 p.m.

Common UNIX Printing System IPP Tags Memory Corruption Vulnerability

2007-10-31 17:40:08
tools.cisco.com

CVSS2: 10 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.092 Low
Percentile: 94.6%

The Common UNIX Printing System (CUPS) versions 1.3.3 and prior contain a vulnerability that can allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or execute arbitrary code with the privileges of the user.

The vulnerability exists in the ippReadIO() function when processing Internet Printing Protocol (IPP) tags. The function causes an off-by-one error when allocating space. An unauthenticated, remote attacker could send a request with crafted tags to overwrite one byte on the stack with a zero. The attacker could crash the daemon or possibly execute arbitrary code.

The vendor has confirmed this vulnerability in release notes and released an updated version.

The vulnerability requires the attacker to connect to the IPP TCP port to perform an attack. However, the default configuration of CUPS does not allow remote hosts to connect to this port. This configuration should mitigate the potential for this attack. IT departments that deploy and use CUPS without changing the default configuration may not be at risk.
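To confirm that a deployment still has the local-only listener configuration described above, the following added example (not part of the Cisco advisory or of CUPS) scans cupsd.conf text and reports every Listen, SSLListen, Port or SSLPort directive that accepts connections from other hosts. The sample configuration is constructed, and the check looks only at listener addresses, not at access rules elsewhere in the file.

```python
import ipaddress

# cupsd.conf directives that open a listening endpoint
NETWORK_DIRECTIVES = {"listen", "ssllisten", "port", "sslport"}

def is_loopback(host):
    """True for localhost and any loopback IP literal (127.0.0.0/8, ::1)."""
    host = host.strip("[]")
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"

def exposed_listeners(conf_text):
    """Return (line number, directive, value) for listeners reachable from other hosts."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        parts = raw.strip().split(None, 1)
        if len(parts) != 2 or parts[0].lower() not in NETWORK_DIRECTIVES:
            continue  # comment, blank line or unrelated directive
        directive, value = parts[0], parts[1].strip()
        if directive.lower() in ("port", "sslport"):
            # Port/SSLPort bind the port on every interface
            findings.append((lineno, directive, value))
            continue
        if value.startswith("/"):
            continue  # Unix domain socket, local only
        if value.startswith("["):
            host = value[: value.find("]") + 1]   # [ipv6]:port
        else:
            host = value.rsplit(":", 1)[0]        # host:port or *:port
        if not is_loopback(host):
            findings.append((lineno, directive, value))
    return findings

# Constructed sample configuration, not taken from any real system
SAMPLE_CONF = """\
# constructed sample
Listen localhost:631
Listen /var/run/cups/cups.sock
Listen [::1]:631
Listen 192.0.2.10:631
Port 631
Listen *:631
"""

if __name__ == "__main__":
    for lineno, directive, value in exposed_listeners(SAMPLE_CONF):
        print(f"line {lineno}: {directive} {value} accepts connections from other hosts")
```

An empty result means the IPP port is bound to loopback or a domain socket only; any finding means remote hosts can reach the IPP parser and the host should be prioritized for the vendor's updated version.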

The severity of the impact will vary depending on the system on which CUPS is deployed. If this system is used for multiple services, a DoS condition could cause other services besides the CUPS service to crash, which may affect other users and departments.

If code execution is accomplished, it will most likely be in the context of the CUPS user. This user probably has limited privileges.
