The remote Red Hat Enterprise Linux 6 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

- cups: stack-buffer-overflow in libcups's `asn1_get_packed` function (CVE-2019-8696)
- A localhost.localdomain whitelist entry in `valid_host()` in `scheduler/client.c` in CUPS before 2.2.2 allows remote attackers to execute arbitrary IPP commands by sending POST requests to the CUPS daemon in conjunction with DNS rebinding. The localhost.localdomain name is often resolved via a DNS server (neither the OS nor the web browser is responsible for ensuring that localhost.localdomain is 127.0.0.1). (CVE-2017-18190)
- In macOS High Sierra before 10.13.5, an issue existed in CUPS. This issue was addressed with improved access restrictions. (CVE-2018-4180, CVE-2018-4181)
- The session cookie generated by the CUPS web interface was easy to guess on Linux, allowing unauthorized scripted access to the web interface when the web interface is enabled. This issue affected versions prior to v2.2.10. (CVE-2018-4300)
- Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2018-4300. Reason: This candidate is a duplicate of CVE-2018-4300. Notes: All CVE users should reference CVE-2018-4300 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. (CVE-2018-4700)
- A buffer overflow issue was addressed with improved memory handling. This issue is fixed in macOS Mojave 10.14.6, Security Update 2019-004 High Sierra, Security Update 2019-004 Sierra. An attacker in a privileged network position may be able to execute arbitrary code. (CVE-2019-8675)
- An input validation issue was addressed with improved memory handling. This issue is fixed in macOS Big Sur 11.1, Security Update 2020-001 Catalina, Security Update 2020-007 Mojave. A malicious application may be able to read restricted memory. (CVE-2020-10001)
- A memory corruption issue was addressed with improved validation. This issue is fixed in macOS Catalina 10.15.4. An application may be able to gain elevated privileges. (CVE-2020-3898)
- An Incorrect Default Permissions vulnerability in the packaging of cups of SUSE Linux Enterprise Server 11-SP4-LTSS, SUSE Manager Server 4.0, SUSE OpenStack Cloud Crowbar 9; openSUSE Leap 15.2, Factory allows local attackers with control of the lp user to create files as root with 0644 permissions without the ability to set the content. This issue affects: SUSE Linux Enterprise Server 11-SP4-LTSS cups versions prior to 1.3.9. SUSE Manager Server 4.0 cups versions prior to 2.2.7. SUSE OpenStack Cloud Crowbar 9 cups versions prior to 1.7.5. openSUSE Leap 15.2 cups versions prior to 2.2.7. openSUSE Factory cups version 2.3.3op2-2.1 and prior versions. (CVE-2021-25317)
- OpenPrinting CUPS is an open source printing system. In versions 2.4.2 and prior, a heap buffer overflow vulnerability would allow a remote attacker to launch a denial of service (DoS) attack. A buffer overflow vulnerability in the function `format_log_line` could allow remote attackers to cause a DoS on the affected system. Exploitation of the vulnerability can be triggered when the configuration file `cupsd.conf` sets the value of `loglevel` to `DEBUG`. No known patches or workarounds exist at time of publication. (CVE-2023-32324)
- An authentication issue was addressed with improved state management. This issue is fixed in macOS Big Sur 11.7.7, macOS Monterey 12.6.6, macOS Ventura 13.4. An unauthenticated user may be able to access recently printed documents. (CVE-2023-32360)
- OpenPrinting CUPS is a standards-based, open source printing system for Linux and other Unix-like operating systems. Starting in version 2.0.0 and prior to version 2.4.6, CUPS logs data of freed memory to the logging service AFTER the connection has been closed, when it should have logged the data right before. This is a use-after-free bug that impacts the entire cupsd process. The exact cause of this issue is the function `httpClose(con->http)` being called in `scheduler/client.c`. The problem is that `httpClose` always, provided its argument is not null, frees the pointer at the end of the call, only for `cupsdLogClient` to pass the pointer to `httpGetHostname`. This issue happens in function `cupsdAcceptClient` if LogLevel is warn or higher and in two scenarios: there is a double lookup for the IP address (`HostNameLookups Double` is set in `cupsd.conf`) which fails to resolve, or CUPS is compiled with TCP wrappers and the connection is refused by rules from `/etc/hosts.allow` and `/etc/hosts.deny`. Version 2.4.6 has a patch for this issue. (CVE-2023-34241)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package is installed.
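Because no fixed cups build will ship for this host, the practical lever a defender has is the configuration conditions the descriptions above name: `LogLevel debug` (CVE-2023-32324) and `HostNameLookups Double` (CVE-2023-34241). The script below is an added example, not part of the Nessus plugin or of CUPS; it audits a `cupsd.conf` for those two directives and assumes that CUPS's more verbose `debug2` level should be treated like `debug`.

```shell
#!/bin/sh
# Added example (not Tenable's or CUPS's code): flag the cupsd.conf directives
# that the CVE descriptions name as trigger conditions.
#   LogLevel debug          -> CVE-2023-32324 (format_log_line heap overflow)
#   HostNameLookups Double  -> CVE-2023-34241 (use-after-free on failed lookup)
# cupsd.conf keywords are case-insensitive, so both sides are lowercased.
# Assumption: "debug2" (CUPS's more verbose level) is treated like "debug".

audit_cupsd_conf() {
    # Prints one line per risky directive; exit status 1 if anything was flagged.
    awk '
        { sub(/#.*/, "") }                 # strip trailing comments
        NF < 2 { next }                    # skip blank lines and bare keywords
        {
            key = tolower($1); val = tolower($2)
            if (key == "loglevel" && (val == "debug" || val == "debug2")) {
                print "LogLevel " $2 ": trigger condition for CVE-2023-32324"; hits++
            }
            if (key == "hostnamelookups" && val == "double") {
                print "HostNameLookups Double: trigger condition for CVE-2023-34241"; hits++
            }
        }
        END { exit (hits > 0) }
    ' "$1"
}

# Constructed sample configurations (not taken from any real host).
RISKY_CONF="${TMPDIR:-/tmp}/cupsd.conf.risky.$$"
SAFE_CONF="${TMPDIR:-/tmp}/cupsd.conf.safe.$$"
cat > "$RISKY_CONF" <<'EOF'
# constructed: verbose logging plus double reverse lookups
LogLevel debug
HostNameLookups Double   # resolve every client both ways
Listen localhost:631
EOF
cat > "$SAFE_CONF" <<'EOF'
# constructed: CUPS defaults for the two directives
LogLevel warn
HostNameLookups Off
Listen localhost:631
EOF

# Usage on a real host: audit_cupsd_conf /etc/cups/cupsd.conf
audit_cupsd_conf "$RISKY_CONF" || echo "review $RISKY_CONF before exposing cupsd"
```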
```nasl
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory cups. The text
# itself is copyright (C) Red Hat, Inc.
##

include('compat.inc');

if (description)
{
  script_id(196342);
  script_version("1.0");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/05/11");

  script_cve_id(
    "CVE-2017-18190",
    "CVE-2018-4180",
    "CVE-2018-4181",
    "CVE-2018-4300",
    "CVE-2018-4700",
    "CVE-2019-8675",
    "CVE-2019-8696",
    "CVE-2020-3898",
    "CVE-2020-10001",
    "CVE-2021-25317",
    "CVE-2023-32324",
    "CVE-2023-32360",
    "CVE-2023-34241"
  );

  script_name(english:"RHEL 6 : cups (Unpatched Vulnerability)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Red Hat 6 host is affected by multiple vulnerabilities that will not be patched.");
  script_set_attribute(attribute:"description", value:
"The remote Red Hat Enterprise Linux 6 host has one or more packages installed that are affected by multiple
vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - cups: stack-buffer-overflow in libcups's asn1_get_packed function (CVE-2019-8696)

  - A localhost.localdomain whitelist entry in valid_host() in scheduler/client.c in CUPS before 2.2.2 allows
    remote attackers to execute arbitrary IPP commands by sending POST requests to the CUPS daemon in
    conjunction with DNS rebinding. The localhost.localdomain name is often resolved via a DNS server (neither
    the OS nor the web browser is responsible for ensuring that localhost.localdomain is 127.0.0.1).
    (CVE-2017-18190)

  - In macOS High Sierra before 10.13.5, an issue existed in CUPS. This issue was addressed with improved
    access restrictions. (CVE-2018-4180, CVE-2018-4181)

  - The session cookie generated by the CUPS web interface was easy to guess on Linux, allowing unauthorized
    scripted access to the web interface when the web interface is enabled. This issue affected versions prior
    to v2.2.10. (CVE-2018-4300)

  - Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2018-4300. Reason: This candidate is a
    duplicate of CVE-2018-4300. Notes: All CVE users should reference CVE-2018-4300 instead of this candidate.
    All references and descriptions in this candidate have been removed to prevent accidental usage
    (CVE-2018-4700)

  - A buffer overflow issue was addressed with improved memory handling. This issue is fixed in macOS Mojave
    10.14.6, Security Update 2019-004 High Sierra, Security Update 2019-004 Sierra. An attacker in a
    privileged network position may be able to execute arbitrary code. (CVE-2019-8675)

  - An input validation issue was addressed with improved memory handling. This issue is fixed in macOS Big
    Sur 11.1, Security Update 2020-001 Catalina, Security Update 2020-007 Mojave. A malicious application may
    be able to read restricted memory. (CVE-2020-10001)

  - A memory corruption issue was addressed with improved validation. This issue is fixed in macOS Catalina
    10.15.4. An application may be able to gain elevated privileges. (CVE-2020-3898)

  - An Incorrect Default Permissions vulnerability in the packaging of cups of SUSE Linux Enterprise Server
    11-SP4-LTSS, SUSE Manager Server 4.0, SUSE OpenStack Cloud Crowbar 9; openSUSE Leap 15.2, Factory allows
    local attackers with control of the lp user to create files as root with 0644 permissions without the
    ability to set the content. This issue affects: SUSE Linux Enterprise Server 11-SP4-LTSS cups versions
    prior to 1.3.9. SUSE Manager Server 4.0 cups versions prior to 2.2.7. SUSE OpenStack Cloud Crowbar 9 cups
    versions prior to 1.7.5. openSUSE Leap 15.2 cups versions prior to 2.2.7. openSUSE Factory cups version
    2.3.3op2-2.1 and prior versions. (CVE-2021-25317)

  - OpenPrinting CUPS is an open source printing system. In versions 2.4.2 and prior, a heap buffer overflow
    vulnerability would allow a remote attacker to launch a denial of service (DoS) attack. A buffer overflow
    vulnerability in the function `format_log_line` could allow remote attackers to cause a DoS on the
    affected system. Exploitation of the vulnerability can be triggered when the configuration file
    `cupsd.conf` sets the value of `loglevel` to `DEBUG`. No known patches or workarounds exist at time of
    publication. (CVE-2023-32324)

  - An authentication issue was addressed with improved state management. This issue is fixed in macOS Big Sur
    11.7.7, macOS Monterey 12.6.6, macOS Ventura 13.4. An unauthenticated user may be able to access recently
    printed documents. (CVE-2023-32360)

  - OpenPrinting CUPS is a standards-based, open source printing system for Linux and other Unix-like
    operating systems. Starting in version 2.0.0 and prior to version 2.4.6, CUPS logs data of freed memory to
    the logging service AFTER the connection has been closed, when it should have logged the data right
    before. This is a use-after-free bug that impacts the entire cupsd process. The exact cause of this issue
    is the function `httpClose(con->http)` being called in `scheduler/client.c`. The problem is that httpClose
    always, provided its argument is not null, frees the pointer at the end of the call, only for
    cupsdLogClient to pass the pointer to httpGetHostname. This issue happens in function `cupsdAcceptClient`
    if LogLevel is warn or higher and in two scenarios: there is a double lookup for the IP address
    (HostNameLookups Double is set in `cupsd.conf`) which fails to resolve, or if CUPS is compiled with TCP
    wrappers and the connection is refused by rules from `/etc/hosts.allow` and `/etc/hosts.deny`. Version
    2.4.6 has a patch for this issue. (CVE-2023-34241)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package
is installed.");
  script_set_attribute(attribute:"solution", value:
"The vendor has acknowledged the vulnerabilities but no solution has been provided. Refer to the vendor for remediation
guidance.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-8696");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"vendor_unpatched", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/02/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/05/11");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:cups");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Red Hat Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "redhat_repos.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}

include('rpm.inc');
include('rhel.inc');

# This plugin only reports when the scan policy has unpatched-vulnerability
# detection switched on; otherwise it exits silently.
if (!get_kb_item("global_settings/vendor_unpatched"))
  exit(0, "Unpatched Vulnerabilities Detection not active.");

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

# Confirm the target is Red Hat and extract the major release from the release string.
var os_release = get_kb_item('Host/RedHat/release');
if (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');
var os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');
os_ver = os_ver[1];
if (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '6')) audit(AUDIT_OS_NOT, 'Red Hat 6.x', 'Red Hat ' + os_ver);

if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

# Architecture gate: only architectures with RPM version-comparison support are checked.
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);

# No fixed build exists for RHEL 6, so any installed cups package is reported.
var constraints = [
  {
    'pkgs': [
      {'reference':'cups', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'cups'}
    ]
  }
];

var flag = 0;
foreach var constraint_array ( constraints ) {
  var repo_relative_urls = NULL;
  var enterprise_linux_flag = rhel_repo_urls_has_content_dist_rhel(repo_urls:repo_relative_urls);
  foreach var pkg ( constraint_array['pkgs'] ) {
    var unpatched_pkg = NULL;
    var _release = NULL;
    var sp = NULL;
    var el_string = NULL;
    var rpm_spec_vers_cmp = NULL;
    var exists_check = NULL;
    var cves = NULL;
    if (!empty_or_null(pkg['unpatched_pkg'])) unpatched_pkg = pkg['unpatched_pkg'];
    if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (unpatched_pkg &&
        _release &&
        (!exists_check || rpm_exists(release:_release, rpm:exists_check)) &&
        unpatched_package_exists(release:_release, package:unpatched_pkg, cves: cves)) flag++;
  }
}

if (flag)
{
  var extra = NULL;
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : unpatched_packages_report()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'cups');
}
```
| Vendor | Product | Version | CPE |
|---|---|---|---|
| redhat | enterprise_linux | 5 | cpe:/o:redhat:enterprise_linux:5 |
| redhat | enterprise_linux | 6 | cpe:/o:redhat:enterprise_linux:6 |
| redhat | enterprise_linux | 7 | cpe:/o:redhat:enterprise_linux:7 |
| redhat | enterprise_linux | cups | p-cpe:/a:redhat:enterprise_linux:cups |
References:

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18190
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4180
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4181
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4300
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4700
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8675
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8696
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10001
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3898
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25317
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32324
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32360
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34241