https://bugs.chromium.org/p/project-zero/issues/detail?id=1048

https://github.com/apple/cups/commit/afa80cb2b457bf8d64f775bed307588610476c41

[debian-lts-announce] 20180222 [SECURITY] [DLA 1288-1] cups security update

[debian-lts-announce] 20180703 [SECURITY] [DLA 1412-1] cups security update

USN-3577-1

The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has cups packages installed that are affected by multiple vulnerabilities:

  - A buffer overflow issue was addressed with improved memory handling. This issue is fixed in macOS Mojave     10.14.6, Security Update 2019-004 High Sierra, Security Update 2019-004 Sierra. An attacker in a     privileged network position may be able to execute arbitrary code. (CVE-2019-8675, CVE-2019-8696)

  - A localhost.localdomain whitelist entry in valid_host() in scheduler/client.c in CUPS before 2.2.2 allows     remote attackers to execute arbitrary IPP commands by sending POST requests to the CUPS daemon in     conjunction with DNS rebinding. The localhost.localdomain name is often resolved via a DNS server (neither     the OS nor the web browser is responsible for ensuring that localhost.localdomain is 127.0.0.1).
    (CVE-2017-18190)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:3864 advisory.

  - cups: DNS rebinding attacks via incorrect whitelist (CVE-2017-18190)

  - cups: stack-buffer-overflow in libcups's asn1_get_type function (CVE-2019-8675)

  - cups: stack-buffer-overflow in libcups's asn1_get_packed function (CVE-2019-8696)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of tested product installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2020-1506 advisory.

  - A localhost.localdomain whitelist entry in valid_host() in scheduler/client.c in CUPS before 2.2.2 allows     remote attackers to execute arbitrary IPP commands by sending POST requests to the CUPS daemon in     conjunction with DNS rebinding. The localhost.localdomain name is often resolved via a DNS server (neither     the OS nor the web browser is responsible for ensuring that localhost.localdomain is 127.0.0.1).
    (CVE-2017-18190)

  - A buffer overflow issue was addressed with improved memory handling. This issue is fixed in macOS Mojave     10.14.6, Security Update 2019-004 High Sierra, Security Update 2019-004 Sierra. An attacker in a     privileged network position may be able to execute arbitrary code. (CVE-2019-8675, CVE-2019-8696)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Security Fix(es) :

  - cups: DNS rebinding attacks via incorrect whitelist     (CVE-2017-18190)

  - cups: stack-buffer-overflow in libcups's asn1_get_type     function (CVE-2019-8675)

  - cups: stack-buffer-overflow in libcups's asn1_get_packed     function (CVE-2019-8696)

The remote CentOS Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2020:3864 advisory.

  - cups: DNS rebinding attacks via incorrect whitelist (CVE-2017-18190)

  - cups: stack-buffer-overflow in libcups's asn1_get_type function (CVE-2019-8675)

  - cups: stack-buffer-overflow in libcups's asn1_get_packed function (CVE-2019-8696)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2020-3864 advisory.

  - A localhost.localdomain whitelist entry in valid_host() in scheduler/client.c in CUPS before 2.2.2 allows     remote attackers to execute arbitrary IPP commands by sending POST requests to the CUPS daemon in     conjunction with DNS rebinding. The localhost.localdomain name is often resolved via a DNS server (neither     the OS nor the web browser is responsible for ensuring that localhost.localdomain is 127.0.0.1).
    (CVE-2017-18190)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to the versions of the cups package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - A cross-site scripting flaw was found in the cups web     templating engine. An attacker could use this flaw to     bypass the default configuration settings that bind the     CUPS scheduler to the 'localhost' or loopback     interface.(CVE-2015-1159)

  - It was discovered that CUPS allowed certain users to     create symbolic links in certain directories under     /var/cache/cups/. A local user with the 'lp' group     privileges could use this flaw to read the contents of     arbitrary files on the system or, potentially, escalate     their privileges on the system.(CVE-2014-5031)

  - A string reference count bug was found in cupsd,     causing premature freeing of string objects. An     attacker could submit a malicious print job that     exploits this flaw to dismantle ACLs protecting     privileged operations, allowing a replacement     configuration file to be uploaded, which in turn     allowed the attacker to run arbitrary code on the CUPS     server.(CVE-2015-1158)

  - A cross-site scripting (XSS) flaw was found in the CUPS     web interface. An attacker could use this flaw to     perform a cross-site scripting attack against users of     the CUPS web interface.(CVE-2014-2856)

  - A localhost.localdomain whitelist entry in valid_host()     in scheduler/client.c in CUPS before 2.2.2 allows     remote attackers to execute arbitrary IPP commands by     sending POST requests to the CUPS daemon in conjunction     with DNS rebinding. The localhost.localdomain name is     often resolved via a DNS server (neither the OS nor the     web browser is responsible for ensuring that     localhost.localdomain is 127.0.0.1).(CVE-2017-18190)

  - It was discovered that CUPS allowed certain users to     create symbolic links in certain directories under     /var/cache/cups/. A local user with the 'lp' group     privileges could use this flaw to read the contents of     arbitrary files on the system or, potentially, escalate     their privileges on the system.(CVE-2014-5030)

  - It was discovered that CUPS allowed certain users to     create symbolic links in certain directories under     /var/cache/cups/. A local user with the 'lp' group     privileges could use this flaw to read the contents of     arbitrary files on the system or, potentially, escalate     their privileges on the system.(CVE-2014-3537)

  - An integer overflow flaw, leading to a heap-based     buffer overflow, was found in the way CUPS handled     compressed raster image files. An attacker could create     a specially crafted image file that, when passed via     the CUPS Raster filter, could cause the CUPS filter to     crash.(CVE-2014-9679)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the cups package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - CUPS printing system provides a portable printing layer     for UNIXA(r) operating systems. It has been developed by     Apple Inc.to promote a standard printing solution for     all UNIX vendors and users.CUPS provides the System V     and Berkeley command-line interfaces.

  - Security fix(es):

  - A localhost.localdomain whitelist entry in valid_host()     in scheduler/client.c in CUPS before 2.2.2 allows     remote attackers to execute arbitrary IPP commands by     sending POST requests to the CUPS daemon in conjunction     with DNS rebinding. The localhost.localdomain name is     often resolved via a DNS server (neither the OS nor the     web browser is responsible for ensuring that     localhost.localdomain is 127.0.0.1).(CVE-2017-18190)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Two vulnerabilities affecting the cups printing server were found which can lead to arbitrary IPP command execution and denial of service.

CVE-2017-18190

A localhost.localdomain whitelist entry in valid_host() in scheduler/client.c in CUPS before 2.2.2 allows remote attackers to execute arbitrary IPP commands by sending POST requests to the CUPS daemon in conjunction with DNS rebinding. The localhost.localdomain name is often resolved via a DNS server (neither the OS nor the web browser is responsible for ensuring that localhost.localdomain is 127.0.0.1).

CVE-2017-18248

The add_job function in scheduler/ipp.c in CUPS before 2.2.6, when D-Bus support is enabled, can be crashed by remote attackers by sending print jobs with an invalid username, related to a D-Bus notification.

For Debian 8 'Jessie', these problems have been fixed in version 1.7.5-11+deb8u3.

We recommend that you upgrade your cups packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the cups packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - CUPS printing system provides a portable printing layer     for UNIXA(r) operating systems. It has been developed by     Apple Inc.to promote a standard printing solution for     all UNIX vendors and users.CUPS provides the System V     and Berkeley command-line interfaces.

  - Security fix(es):

  - A localhost.localdomain whitelist entry in valid_host()     in scheduler/client.c in CUPS before 2.2.2 allows     remote attackers to execute arbitrary IPP commands by     sending POST requests to the CUPS daemon in conjunction     with DNS rebinding. The localhost.localdomain name is     often resolved via a DNS server (neither the OS nor the     web browser is responsible for ensuring that     localhost.localdomain is 127.0.0.1).(CVE-2017-18190)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for cups fixes the following issues :

  - CVE-2017-18190: Removed localhost.localdomain from list     of trustworthy hosts in scheduler/client.c to avoid     arbitrary IPP command execution in conjunction with DNS     rebinding. (bsc#1081557)

This update was imported from the SUSE:SLE-12:Update update project.

This update for cups fixes the following issues :

  - CVE-2017-18190: Removed localhost.localdomain from list     of trustworthy hosts in scheduler/client.c to avoid     arbitrary IPP command execution in conjunction with DNS     rebinding. (bsc#1081557)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that there was an issue in the CUPS printer framework where remote attackers could execute arbitrary commands by sending POST requests to the CUPS daemon in conjunction with DNS rebinding. This was caused by a whitelisted 'localhost.localdomain' entry.

For Debian 7 'Wheezy', this issue has been fixed in cups version 1.5.3-5+deb7u7.

We recommend that you upgrade your cups packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Jann Horn discovered that CUPS permitted HTTP requests with the Host header set to 'localhost.localdomain' from the loopback interface. If a user were tricked in to opening a specially crafted website in their web browser, an attacker could potentially exploit this to obtain sensitive information or control printers, via a DNS rebinding attack.
(CVE-2017-18190).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
147300	NewStart CGSL CORE 5.04 / MAIN 5.04 : cups Multiple Vulnerabilities (NS-SA-2021-0022)	Nessus	NewStart CGSL Local Security Checks	high
143068	RHEL 7 : cups (RHSA-2020:3864)	Nessus	Red Hat Local Security Checks	high
141996	Amazon Linux 2 : cups (ALAS-2020-1506)	Nessus	Amazon Linux Local Security Checks	high
141746	Scientific Linux Security Update : cups on SL7.x x86_64 (20201001)	Nessus	Scientific Linux Local Security Checks	high
141611	CentOS 7 : cups (CESA-2020:3864)	Nessus	CentOS Local Security Checks	high
141234	Oracle Linux 7 : cups (ELSA-2020-3864)	Nessus	Oracle Linux Local Security Checks	high
124935	EulerOS Virtualization 3.0.1.0 : cups (EulerOS-SA-2019-1432)	Nessus	Huawei Local Security Checks	high
118417	EulerOS Virtualization 2.5.0 : cups (EulerOS-SA-2018-1329)	Nessus	Huawei Local Security Checks	high
110909	Debian DLA-1412-1 : cups security update	Nessus	Debian Local Security Checks	high
109478	EulerOS 2.0 SP2 : cups (EulerOS-SA-2018-1080)	Nessus	Huawei Local Security Checks	high
109477	EulerOS 2.0 SP1 : cups (EulerOS-SA-2018-1079)	Nessus	Huawei Local Security Checks	high
107180	openSUSE Security Update : cups (openSUSE-2018-225)	Nessus	SuSE Local Security Checks	high
107141	SUSE SLED12 / SLES12 Security Update : cups (SUSE-SU-2018:0604-1)	Nessus	SuSE Local Security Checks	high
106953	Debian DLA-1288-1 : cups security update	Nessus	Debian Local Security Checks	high
106929	Ubuntu 14.04 LTS / 16.04 LTS : cups vulnerability (USN-3577-1)	Nessus	Ubuntu Local Security Checks	high

CVE-2017-18190

high

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Configuration 2

Configuration 3

Tenable Plugins

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high