The remote Debian 10 host has packages installed that are affected by a vulnerability as referenced in the dla-3476 advisory.
httpClose(con->http)
being called in scheduler/client.c
. The problem is that httpClose always, provided its argument is not null, frees the pointer at the end of the call, only for cupsdLogClient to pass the pointer to httpGetHostname. This issue happens in function cupsdAcceptClient
if LogLevel is warn or higher and in two scenarios: there is a double-lookup for the IP Address (HostNameLookups Double is set in cupsd.conf
) which fails to resolve, or if CUPS is compiled with TCP wrappers and the connection is refused by rules from /etc/hosts.allow
and /etc/hosts.deny
. Version 2.4.6 has a patch for this issue. (CVE-2023-34241)Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
#
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory dla-3476. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#
include('compat.inc');
if (description)
{
script_id(177890);
script_version("1.0");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/07/03");
script_cve_id("CVE-2023-34241");
script_name(english:"Debian DLA-3476-1 : cups - LTS security update");
script_set_attribute(attribute:"synopsis", value:
"The remote Debian host is missing a security-related update.");
script_set_attribute(attribute:"description", value:
"The remote Debian 10 host has packages installed that are affected by a vulnerability as referenced in the dla-3476
advisory.
- OpenPrinting CUPS is a standards-based, open source printing system for Linux and other Unix-like
operating systems. Starting in version 2.0.0 and prior to version 2.4.6, CUPS logs data of free memory to
the logging service AFTER the connection has been closed, when it should have logged the data right
before. This is a use-after-free bug that impacts the entire cupsd process. The exact cause of this issue
is the function `httpClose(con->http)` being called in `scheduler/client.c`. The problem is that httpClose
always, provided its argument is not null, frees the pointer at the end of the call, only for
cupsdLogClient to pass the pointer to httpGetHostname. This issue happens in function `cupsdAcceptClient`
if LogLevel is warn or higher and in two scenarios: there is a double-lookup for the IP Address
(HostNameLookups Double is set in `cupsd.conf`) which fails to resolve, or if CUPS is compiled with TCP
wrappers and the connection is refused by rules from `/etc/hosts.allow` and `/etc/hosts.deny`. Version
2.4.6 has a patch for this issue. (CVE-2023-34241)
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/source-package/cups");
script_set_attribute(attribute:"see_also", value:"https://www.debian.org/lts/security/2023/dla-3476");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2023-34241");
script_set_attribute(attribute:"see_also", value:"https://packages.debian.org/source/buster/cups");
script_set_attribute(attribute:"solution", value:
"Upgrade the cups packages.
For Debian 10 buster, this problem has been fixed in version 2.2.10-6+deb10u8.");
script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:C/I:N/A:C");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-34241");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2023/06/22");
script_set_attribute(attribute:"patch_publication_date", value:"2023/06/30");
script_set_attribute(attribute:"plugin_publication_date", value:"2023/07/03");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:cups");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:cups-bsd");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:cups-client");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:cups-common");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:cups-core-drivers");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:cups-daemon");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:cups-ipp-utils");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:cups-ppdc");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:cups-server-common");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libcups2");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libcups2-dev");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libcupsimage2");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libcupsimage2-dev");
script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:10.0");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Debian Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
exit(0);
}
include('debian_package.inc');
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
var debian_release = get_kb_item('Host/Debian/release');
if ( isnull(debian_release) ) audit(AUDIT_OS_NOT, 'Debian');
debian_release = chomp(debian_release);
if (! preg(pattern:"^(10)\.[0-9]+", string:debian_release)) audit(AUDIT_OS_NOT, 'Debian 10.0', 'Debian ' + debian_release);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Debian', cpu);
var pkgs = [
{'release': '10.0', 'prefix': 'cups', 'reference': '2.2.10-6+deb10u8'},
{'release': '10.0', 'prefix': 'cups-bsd', 'reference': '2.2.10-6+deb10u8'},
{'release': '10.0', 'prefix': 'cups-client', 'reference': '2.2.10-6+deb10u8'},
{'release': '10.0', 'prefix': 'cups-common', 'reference': '2.2.10-6+deb10u8'},
{'release': '10.0', 'prefix': 'cups-core-drivers', 'reference': '2.2.10-6+deb10u8'},
{'release': '10.0', 'prefix': 'cups-daemon', 'reference': '2.2.10-6+deb10u8'},
{'release': '10.0', 'prefix': 'cups-ipp-utils', 'reference': '2.2.10-6+deb10u8'},
{'release': '10.0', 'prefix': 'cups-ppdc', 'reference': '2.2.10-6+deb10u8'},
{'release': '10.0', 'prefix': 'cups-server-common', 'reference': '2.2.10-6+deb10u8'},
{'release': '10.0', 'prefix': 'libcups2', 'reference': '2.2.10-6+deb10u8'},
{'release': '10.0', 'prefix': 'libcups2-dev', 'reference': '2.2.10-6+deb10u8'},
{'release': '10.0', 'prefix': 'libcupsimage2', 'reference': '2.2.10-6+deb10u8'},
{'release': '10.0', 'prefix': 'libcupsimage2-dev', 'reference': '2.2.10-6+deb10u8'}
];
var flag = 0;
foreach package_array ( pkgs ) {
var _release = NULL;
var prefix = NULL;
var reference = NULL;
if (!empty_or_null(package_array['release'])) _release = package_array['release'];
if (!empty_or_null(package_array['prefix'])) prefix = package_array['prefix'];
if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
if (_release && prefix && reference) {
if (deb_check(release:_release, prefix:prefix, reference:reference)) flag++;
}
}
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_WARNING,
extra : deb_report_get()
);
exit(0);
}
else
{
var tested = deb_pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'cups / cups-bsd / cups-client / cups-common / cups-core-drivers / etc');
}
Vendor | Product | Version | CPE |
---|---|---|---|
debian | debian_linux | 10.0 | cpe:/o:debian:debian_linux:10.0 |
debian | debian_linux | cups | p-cpe:/a:debian:debian_linux:cups |
debian | debian_linux | cups-bsd | p-cpe:/a:debian:debian_linux:cups-bsd |
debian | debian_linux | cups-client | p-cpe:/a:debian:debian_linux:cups-client |
debian | debian_linux | cups-common | p-cpe:/a:debian:debian_linux:cups-common |
debian | debian_linux | cups-ppdc | p-cpe:/a:debian:debian_linux:cups-ppdc |
debian | debian_linux | libcups2 | p-cpe:/a:debian:debian_linux:libcups2 |
debian | debian_linux | libcups2-dev | p-cpe:/a:debian:debian_linux:libcups2-dev |
debian | debian_linux | libcupsimage2 | p-cpe:/a:debian:debian_linux:libcupsimage2 |
debian | debian_linux | libcupsimage2-dev | p-cpe:/a:debian:debian_linux:libcupsimage2-dev |