CUPS < 1.3.10 Multiple Vulnerabilities

This script is Copyright (C) 2009-2014 Tenable Network Security, Inc.


Synopsis :

The remote printer service is affected by multiple vulnerabilities.

Description :

According to its banner, the version of CUPS installed on the remote
host is earlier than 1.3.10. Such versions are affected by several
issues :

- A potential integer overflow in the PNG image validation
code in '_cupsImageReadPNG()' could allow an attacker to
crash the affected service or possibly execute arbitrary
code. (STR #2974)

- A heap-based integer overflow exists in
'_cupsImageReadTIFF()' due to a failure to properly
validate the image height of a specially crafted TIFF
file, which can be leveraged to execute arbitrary code.
(STR #3031)

- The web interface may be vulnerable to DNS rebinding
attacks due to a failure to validate the HTTP Host
header in incoming requests. (STR #3118)

- A heap-based buffer overflow in pdftops allows remote
attackers to execute arbitrary code via a PDF file with
crafted JBIG2 symbol dictionary segments.
(CVE-2009-0195)

- Flawed 'ip' structure initialization in the function
'ippReadIO()' could allow an anonymous remote attacker
to crash the application via a malicious IPP request
packet with two consecutive IPP_TAG_UNSUPPORTED tags.
(CVE-2009-0949)

See also :

http://www.cups.org/str.php?L2974
http://www.cups.org/str.php?L3031
http://www.cups.org/str.php?L3118
http://secunia.com/secunia_research/2009-18/
http://www.coresecurity.com/content/AppleCUPS-null-pointer-vulnerability
http://www.securityfocus.com/archive/1/504032/30/0/threaded
http://www.cups.org/articles.php?L582

Solution :

Upgrade to CUPS version 1.3.10 or later.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 6.2
(CVSS2#E:F/RL:OF/RC:C)
Public Exploit Available : true

Family: Misc.

Nessus Plugin ID: 36183 (cups_1_3_10.nasl)

Bugtraq ID: 32518
34571
34665
34791
35169

CVE ID: CVE-2008-5286
CVE-2009-0163
CVE-2009-0164
CVE-2009-0195
CVE-2009-0949