CUPS < 1.1.23 Multiple Vulnerabilities

This script is Copyright (C) 2005-2014 George A. Theall


Synopsis :

The remote print service is affected by multiple vulnerabilities.

Description :

According to its banner, the version of CUPS installed on the remote
host is between 1.0.4 and 1.1.22 inclusive. Such versions are prone to
multiple vulnerabilities :

- A remotely exploitable buffer overflow in the 'hpgltops'
filter that enables specially crafted HPGL files to
execute arbitrary commands as the CUPS 'lp' account.

- A local user may be able to prevent anyone from changing
their password until a temporary copy of the new
password file is cleaned up (lppasswd flaw).

- A local user may be able to add arbitrary content to the
password file by closing the stderr file descriptor
while running lppasswd (lppasswd flaw).

- A local attacker may be able to truncate the CUPS
password file, thereby denying service to valid clients
using digest authentication (lppasswd flaw).

- The application applies ACLs to incoming print jobs in a
case-sensitive fashion. Thus, an attacker can bypass
restrictions by changing the case in printer names when
submitting jobs. [Fixed in 1.1.21.]

See also :

http://www.cups.org/str.php?L700
http://www.cups.org/str.php?L1024
http://www.cups.org/str.php?L1023

Solution :

Upgrade to CUPS 1.1.23 or later.
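
The banner-based range check described above, as an added example (not the plugin's own code). It assumes the banner carries a token of the form CUPS/<major>.<minor>[.<patch>]; the function name assess and the sample banners are constructed for illustration.

```python
import re

AFFECTED_MIN = (1, 0, 4)     # range from the description: 1.0.4 ...
AFFECTED_MAX = (1, 1, 22)    # ... through 1.1.22 inclusive
ACL_CASE_FIX = (1, 1, 21)    # ACL case issue is marked "Fixed in 1.1.21"
FIXED = (1, 1, 23)

# Assumed banner token: CUPS/<major>.<minor>[.<patch>][suffix such as rc1]
_TOKEN = re.compile(r"\bCUPS/(\d+)\.(\d+)(?:\.(\d+))?([A-Za-z][\w.-]*)?")


def assess(banner):
    """Return (status, acl_case_issue) for one banner line.
    status: 'affected', 'not-affected', 'undetermined' or 'not-cups'."""
    m = _TOKEN.search(banner)
    if m is None:
        return ("not-cups", None)
    major, minor = int(m.group(1)), int(m.group(2))
    suffix = m.group(4) or ""
    if m.group(3) is None:
        # Two-component banner: decide only if every patch level agrees.
        if (major, minor, 0) > AFFECTED_MAX:
            return ("not-affected", False)
        if (major, minor) < AFFECTED_MIN[:2]:
            return ("not-affected", False)
        return ("undetermined", None)
    version = (major, minor, int(m.group(3)))
    if version == FIXED and suffix:
        # Pre-release of the fixed version: the description does not cover it.
        return ("undetermined", None)
    if AFFECTED_MIN <= version <= AFFECTED_MAX:
        return ("affected", version < ACL_CASE_FIX)
    return ("not-affected", False)


# Constructed sample banners, not captured from a real host.
SAMPLES = [
    "Server: CUPS/1.1.22",
    "Server: CUPS/1.1.20",
    "Server: CUPS/1.1.23",
    "Server: CUPS/1.1",
    "Server: Apache/2.4.57",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line, "->", assess(line))
```

A banner check sees only the advertised version string, so a build with backported fixes still reports as affected and should be confirmed against the installed package.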

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 6.2
(CVSS2#E:F/RL:OF/RC:C)
Public Exploit Available : true

Family: Misc.

Nessus Plugin ID: 16141 (cups_multiple_vulnerabilities.nasl)

Bugtraq ID: 11968, 12004, 12005, 12007, 12200, 14265

CVE ID: CVE-2004-1267, CVE-2004-1268, CVE-2004-1269, CVE-2004-1270,
CVE-2005-2874