The check_permission_v1 function in base/pkit.py in HP Linux Imaging and Printing (HPLIP) through 3.13.9 does not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process.

The remote host is affected by the vulnerability described in GLSA-201406-27 (polkit, Spice-Gtk, systemd, HPLIP, libvirt: Privilege escalation)

    polkit has a race condition which potentially allows a process to change       its UID/EUID via suid or pkexec before authentication is completed.
  Impact :

    A local attacker could start a suid or pkexec process through a       polkit-enabled application, which could result in privilege escalation or       bypass of polkit restrictions.
  Workaround :

    There is no known workaround at this time.

the following security issue was fixed for HPLIP 3.13.10: usage of an insecure polkit DBUS API (fix for bnc#836937 and CVE-2013-4325 that are related to CVE-2013-4288 and bnc#835827).

hplip was updated to fix three security issues :

  - Some local file overwrite problems via predictable /tmp     filenames were fixed. (CVE-2013-0200)

  - hplip used an insecure polkit DBUS API (polkit-process     subject race condition) which could lead to local     privilege escalation. (CVE-2013-4325)

  - hplip uses arbitrary file creation/overwrite (via     hard-coded file name /tmp/hp-pkservice.log).
    (CVE-2013-6402)

Multiple vulnerabilities have been found in the HP Linux Printing and Imaging System: Insecure temporary files, insufficient permission checks in PackageKit and the insecure hp-upgrade service has been disabled.

This update brings in the latest upstream release and fixes a security issue with the way polkit is used for authentication.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

New hplip packages are available for Slackware 13.1, 13.37, 14.0, and
-current to fix security issues.

Updated polkit packages fix security vulnerability :

A race condition was found in the way the PolicyKit pkcheck utility checked process authorization when the process was specified by its process ID via the --process option. A local user could use this flaw to bypass intended PolicyKit authorizations and escalate their privileges (CVE-2013-4288).

Note: Applications that invoke pkcheck with the --process option need to be modified to use the pid,pid-start-time,uid argument for that option, to allow pkcheck to check process authorization correctly.

Because of the change in the PolicyKit API, hplip (CVE-2013-4325), rtkit (CVE-2013-4326), and systemd (CVE-2013-4327) packages have been updated to use a different API that is not affected by this PolicyKit vulnerability.

HPLIP communicated with PolicyKit for authorization via a D-Bus API that is vulnerable to a race condition. This could lead to intended PolicyKit authorizations being bypassed. This update modifies HPLIP to communicate with PolicyKit via a different API that is not vulnerable to the race condition. (CVE-2013-4325)

The remote Redhat Enterprise Linux 6 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2013:1274 advisory.

  - hplip: Insecure calling of polkit (CVE-2013-4325)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

From Red Hat Security Advisory 2013:1274 :

Updated hplip packages that fix one security issue are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

The hplip packages contain the Hewlett-Packard Linux Imaging and Printing Project (HPLIP), which provides drivers for Hewlett-Packard printers and multi-function peripherals.

HPLIP communicated with PolicyKit for authorization via a D-Bus API that is vulnerable to a race condition. This could lead to intended PolicyKit authorizations being bypassed. This update modifies HPLIP to communicate with PolicyKit via a different API that is not vulnerable to the race condition. (CVE-2013-4325)

All users of hplip are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.

Updated hplip packages that fix one security issue are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

The hplip packages contain the Hewlett-Packard Linux Imaging and Printing Project (HPLIP), which provides drivers for Hewlett-Packard printers and multi-function peripherals.

HPLIP communicated with PolicyKit for authorization via a D-Bus API that is vulnerable to a race condition. This could lead to intended PolicyKit authorizations being bypassed. This update modifies HPLIP to communicate with PolicyKit via a different API that is not vulnerable to the race condition. (CVE-2013-4325)

All users of hplip are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.

It was discovered that HPLIP was using polkit in an unsafe manner. A local attacker could possibly use this issue to bypass intended polkit authorizations.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
76271	GLSA-201406-27 : polkit, Spice-Gtk, systemd, HPLIP, libvirt: Privilege escalation	Nessus	Gentoo Local Security Checks	high
75183	openSUSE Security Update : hplip (openSUSE-SU-2013:1617-1)	Nessus	SuSE Local Security Checks	high
72277	SuSE 11.2 / 11.3 Security Update : hplip (SAT Patch Numbers 8775 / 8777)	Nessus	SuSE Local Security Checks	medium
71769	Debian DSA-2829-1 : hplip - several vulnerabilities	Nessus	Debian Local Security Checks	medium
70504	Fedora 18 : hplip-3.13.9-2.fc18 (2013-17112)	Nessus	Fedora Local Security Checks	medium
70500	Slackware 13.1 / 13.37 / 14.0 / current : hplip (SSA:2013-291-01)	Nessus	Slackware Local Security Checks	medium
70356	Fedora 20 : hplip-3.13.9-2.fc20 (2013-17171)	Nessus	Fedora Local Security Checks	medium
70185	Mandriva Linux Security Advisory : polkit (MDVSA-2013:243)	Nessus	Mandriva Local Security Checks	high
70014	Scientific Linux Security Update : hplip on SL6.x i386/x86_64 (20130919)	Nessus	Scientific Linux Local Security Checks	medium
70013	RHEL 6 : hplip (RHSA-2013:1274)	Nessus	Red Hat Local Security Checks	high
70009	Oracle Linux 6 : hplip (ELSA-2013-1274)	Nessus	Oracle Linux Local Security Checks	medium
70003	Fedora 19 : hplip-3.13.9-2.fc19 (2013-17127)	Nessus	Fedora Local Security Checks	medium
70001	CentOS 6 : hplip (CESA-2013:1274)	Nessus	CentOS Local Security Checks	medium
69974	Ubuntu 10.04 LTS / 12.04 LTS / 12.10 / 13.04 : hplip vulnerability (USN-1956-1)	Nessus	Ubuntu Local Security Checks	medium

Detections

Analytics

CVE-2013-4325

high

Tenable Plugins

high

high

medium

medium

medium

medium

medium

high

medium

high

medium

medium

medium

medium