The remote Ubuntu 16.04 ESM / 18.04 ESM host has packages installed that are affected by a vulnerability as referenced in the USN-6184-2 advisory.
httpClose(con->http)
being called in scheduler/client.c
. The problem is that httpClose always, provided its argument is not null, frees the pointer at the end of the call, only for cupsdLogClient to pass the pointer to httpGetHostname. This issue happens in function cupsdAcceptClient
if LogLevel is warn or higher and in two scenarios: there is a double-lookup for the IP Address (HostNameLookups Double is set in cupsd.conf
) which fails to resolve, or if CUPS is compiled with TCP wrappers and the connection is refused by rules from /etc/hosts.allow
and /etc/hosts.deny
. Version 2.4.6 has a patch for this issue. (CVE-2023-34241)Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-6184-2. The text
# itself is copyright (C) Canonical, Inc. See
# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
##
include('compat.inc');
if (description)
{
script_id(178326);
script_version("1.0");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/07/17");
script_cve_id("CVE-2023-34241");
script_xref(name:"USN", value:"6184-2");
script_name(english:"Ubuntu 16.04 ESM / 18.04 ESM : CUPS vulnerability (USN-6184-2)");
script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing a security update.");
script_set_attribute(attribute:"description", value:
"The remote Ubuntu 16.04 ESM / 18.04 ESM host has packages installed that are affected by a vulnerability as referenced
in the USN-6184-2 advisory.
- OpenPrinting CUPS is a standards-based, open source printing system for Linux and other Unix-like
operating systems. Starting in version 2.0.0 and prior to version 2.4.6, CUPS logs data of free memory to
the logging service AFTER the connection has been closed, when it should have logged the data right
before. This is a use-after-free bug that impacts the entire cupsd process. The exact cause of this issue
is the function `httpClose(con->http)` being called in `scheduler/client.c`. The problem is that httpClose
always, provided its argument is not null, frees the pointer at the end of the call, only for
cupsdLogClient to pass the pointer to httpGetHostname. This issue happens in function `cupsdAcceptClient`
if LogLevel is warn or higher and in two scenarios: there is a double-lookup for the IP Address
(HostNameLookups Double is set in `cupsd.conf`) which fails to resolve, or if CUPS is compiled with TCP
wrappers and the connection is refused by rules from `/etc/hosts.allow` and `/etc/hosts.deny`. Version
2.4.6 has a patch for this issue. (CVE-2023-34241)
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-6184-2");
script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:C/I:N/A:C");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-34241");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2023/06/22");
script_set_attribute(attribute:"patch_publication_date", value:"2023/07/17");
script_set_attribute(attribute:"plugin_publication_date", value:"2023/07/17");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04:-:esm");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:esm");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:cups");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:cups-bsd");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:cups-client");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:cups-common");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:cups-core-drivers");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:cups-daemon");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:cups-ipp-utils");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:cups-ppdc");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:cups-server-common");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libcups2");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libcups2-dev");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libcupscgi1");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libcupscgi1-dev");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libcupsimage2");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libcupsimage2-dev");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libcupsmime1");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libcupsmime1-dev");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libcupsppdc1");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libcupsppdc1-dev");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Ubuntu Local Security Checks");
script_copyright(english:"Ubuntu Security Notice (C) 2023 Canonical, Inc. / NASL script (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
exit(0);
}
include('debian_package.inc');
if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('16.04' >< os_release || '18.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 16.04 / 18.04', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);
var pkgs = [
{'osver': '16.04', 'pkgname': 'cups', 'pkgver': '2.1.3-4ubuntu0.11+esm3'},
{'osver': '16.04', 'pkgname': 'cups-bsd', 'pkgver': '2.1.3-4ubuntu0.11+esm3'},
{'osver': '16.04', 'pkgname': 'cups-client', 'pkgver': '2.1.3-4ubuntu0.11+esm3'},
{'osver': '16.04', 'pkgname': 'cups-common', 'pkgver': '2.1.3-4ubuntu0.11+esm3'},
{'osver': '16.04', 'pkgname': 'cups-core-drivers', 'pkgver': '2.1.3-4ubuntu0.11+esm3'},
{'osver': '16.04', 'pkgname': 'cups-daemon', 'pkgver': '2.1.3-4ubuntu0.11+esm3'},
{'osver': '16.04', 'pkgname': 'cups-ipp-utils', 'pkgver': '2.1.3-4ubuntu0.11+esm3'},
{'osver': '16.04', 'pkgname': 'cups-ppdc', 'pkgver': '2.1.3-4ubuntu0.11+esm3'},
{'osver': '16.04', 'pkgname': 'cups-server-common', 'pkgver': '2.1.3-4ubuntu0.11+esm3'},
{'osver': '16.04', 'pkgname': 'libcups2', 'pkgver': '2.1.3-4ubuntu0.11+esm3'},
{'osver': '16.04', 'pkgname': 'libcups2-dev', 'pkgver': '2.1.3-4ubuntu0.11+esm3'},
{'osver': '16.04', 'pkgname': 'libcupscgi1', 'pkgver': '2.1.3-4ubuntu0.11+esm3'},
{'osver': '16.04', 'pkgname': 'libcupscgi1-dev', 'pkgver': '2.1.3-4ubuntu0.11+esm3'},
{'osver': '16.04', 'pkgname': 'libcupsimage2', 'pkgver': '2.1.3-4ubuntu0.11+esm3'},
{'osver': '16.04', 'pkgname': 'libcupsimage2-dev', 'pkgver': '2.1.3-4ubuntu0.11+esm3'},
{'osver': '16.04', 'pkgname': 'libcupsmime1', 'pkgver': '2.1.3-4ubuntu0.11+esm3'},
{'osver': '16.04', 'pkgname': 'libcupsmime1-dev', 'pkgver': '2.1.3-4ubuntu0.11+esm3'},
{'osver': '16.04', 'pkgname': 'libcupsppdc1', 'pkgver': '2.1.3-4ubuntu0.11+esm3'},
{'osver': '16.04', 'pkgname': 'libcupsppdc1-dev', 'pkgver': '2.1.3-4ubuntu0.11+esm3'},
{'osver': '18.04', 'pkgname': 'cups', 'pkgver': '2.2.7-1ubuntu2.10+esm1'},
{'osver': '18.04', 'pkgname': 'cups-bsd', 'pkgver': '2.2.7-1ubuntu2.10+esm1'},
{'osver': '18.04', 'pkgname': 'cups-client', 'pkgver': '2.2.7-1ubuntu2.10+esm1'},
{'osver': '18.04', 'pkgname': 'cups-common', 'pkgver': '2.2.7-1ubuntu2.10+esm1'},
{'osver': '18.04', 'pkgname': 'cups-core-drivers', 'pkgver': '2.2.7-1ubuntu2.10+esm1'},
{'osver': '18.04', 'pkgname': 'cups-daemon', 'pkgver': '2.2.7-1ubuntu2.10+esm1'},
{'osver': '18.04', 'pkgname': 'cups-ipp-utils', 'pkgver': '2.2.7-1ubuntu2.10+esm1'},
{'osver': '18.04', 'pkgname': 'cups-ppdc', 'pkgver': '2.2.7-1ubuntu2.10+esm1'},
{'osver': '18.04', 'pkgname': 'cups-server-common', 'pkgver': '2.2.7-1ubuntu2.10+esm1'},
{'osver': '18.04', 'pkgname': 'libcups2', 'pkgver': '2.2.7-1ubuntu2.10+esm1'},
{'osver': '18.04', 'pkgname': 'libcups2-dev', 'pkgver': '2.2.7-1ubuntu2.10+esm1'},
{'osver': '18.04', 'pkgname': 'libcupscgi1', 'pkgver': '2.2.7-1ubuntu2.10+esm1'},
{'osver': '18.04', 'pkgname': 'libcupsimage2', 'pkgver': '2.2.7-1ubuntu2.10+esm1'},
{'osver': '18.04', 'pkgname': 'libcupsimage2-dev', 'pkgver': '2.2.7-1ubuntu2.10+esm1'},
{'osver': '18.04', 'pkgname': 'libcupsmime1', 'pkgver': '2.2.7-1ubuntu2.10+esm1'},
{'osver': '18.04', 'pkgname': 'libcupsppdc1', 'pkgver': '2.2.7-1ubuntu2.10+esm1'}
];
var flag = 0;
foreach package_array ( pkgs ) {
var osver = NULL;
var pkgname = NULL;
var pkgver = NULL;
if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];
if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];
if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];
if (osver && pkgname && pkgver) {
if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;
}
}
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_WARNING,
extra : ubuntu_report_get()
);
exit(0);
}
else
{
var tested = ubuntu_pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'cups / cups-bsd / cups-client / cups-common / cups-core-drivers / etc');
}
Vendor | Product | Version | CPE |
---|---|---|---|
canonical | ubuntu_linux | cups | p-cpe:/a:canonical:ubuntu_linux:cups |
canonical | ubuntu_linux | libcupsimage2 | p-cpe:/a:canonical:ubuntu_linux:libcupsimage2 |
canonical | ubuntu_linux | libcupsimage2-dev | p-cpe:/a:canonical:ubuntu_linux:libcupsimage2-dev |
canonical | ubuntu_linux | cups-bsd | p-cpe:/a:canonical:ubuntu_linux:cups-bsd |
canonical | ubuntu_linux | cups-client | p-cpe:/a:canonical:ubuntu_linux:cups-client |
canonical | ubuntu_linux | cups-common | p-cpe:/a:canonical:ubuntu_linux:cups-common |
canonical | ubuntu_linux | cups-ppdc | p-cpe:/a:canonical:ubuntu_linux:cups-ppdc |
canonical | ubuntu_linux | libcups2 | p-cpe:/a:canonical:ubuntu_linux:libcups2 |
canonical | ubuntu_linux | libcups2-dev | p-cpe:/a:canonical:ubuntu_linux:libcups2-dev |
canonical | ubuntu_linux | libcupscgi1 | p-cpe:/a:canonical:ubuntu_linux:libcupscgi1 |