CUPS Remote Command Execution via Shellshock

Severity: Critical. Nessus Plugin ID: 79804

Vulnerability Priority Rating (VPR)

Tenable calculates a dynamic VPR for every vulnerability. VPR combines vulnerability information with threat intelligence and machine learning algorithms to predict which vulnerabilities are most likely to be exploited in attacks.

VPR Score: 9.6

Synopsis

The remote printer service is affected by a remote command execution vulnerability via Shellshock.

Description

The remote host appears to be running CUPS with the web-based interface enabled. A remote attacker can exploit CUPS to execute arbitrary commands via crafted fields during the creation or modification of a printer. The 'PRINTER_INFO' and 'PRINTER_LOCATION' fields can be configured to contain arbitrary commands which will be executed when a print job is submitted, provided the remote host is running a vulnerable version of Bash.

This plugin attempts to exploit this flaw by using user-supplied credentials to access the CUPS server and create a printer, then submitting a print request.
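
A host-side audit for the condition described above, as an added example that is not part of the plugin or of Tenable's code: it parses CUPS printer definitions and flags any printer whose description or location value begins with a Bash function definition. It assumes the usual `printers.conf` layout (`<Printer name>` blocks with `Info` and `Location` directives) and that those directives supply 'PRINTER_INFO' and 'PRINTER_LOCATION'; the sample input is constructed.

```python
import re

# Prefix that a vulnerable Bash treats as a function definition when it
# imports an environment variable (the Shellshock trigger).
FUNC_PREFIX = re.compile(r"^\(\)\s*\{")
BLOCK_OPEN = re.compile(r"^<(?:Default)?Printer\s+(\S+)>$")
# Assumed mapping from printers.conf directives to the two fields
# named in the plugin description.
FIELDS = {"Info": "PRINTER_INFO", "Location": "PRINTER_LOCATION"}


def audit_printers_conf(text):
    """Return (printer, env_var, value) for every suspicious field."""
    findings = []
    printer = None
    for raw in text.splitlines():
        line = raw.strip()
        opened = BLOCK_OPEN.match(line)
        if opened:
            printer = opened.group(1)
            continue
        if line.startswith("</"):
            printer = None
            continue
        parts = line.split(None, 1)  # directive, then the rest of the line
        if printer is None or len(parts) != 2:
            continue
        key, value = parts
        if key in FIELDS and FUNC_PREFIX.match(value):
            findings.append((printer, FIELDS[key], value))
    return findings


# Constructed sample input, not taken from a real host.
SAMPLE = """\
# Printer configuration file for CUPS
<Printer office-laser>
Info Second floor laser printer
Location Room 214
</Printer>
<Printer test-queue>
Info () { :; }; echo CONSTRUCTED-MARKER
Location Lobby
</Printer>
"""

if __name__ == "__main__":
    for name, var, value in audit_printers_conf(SAMPLE):
        print(f"{name}: {var} begins with a Bash function definition: {value!r}")
```

A clean result only means no printer definition currently carries such a value; it says nothing about whether Bash itself is patched.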

Solution

Apply the referenced Bash patch.

See Also

http://seclists.org/oss-sec/2014/q3/650

http://www.nessus.org/u?dacf7829

https://www.invisiblethreat.ca/post/shellshock/

Plugin Details

Severity: Critical

ID: 79804

File Name: cups_bash_rce.nbin

Version: 1.63

Type: remote

Family: Misc.

Published: 2014/12/08

Updated: 2021/01/15

Dependencies: 10107

Risk Information

Risk Factor: Critical

VPR Score: 9.6

CVSS Score Source: CVE-2014-7169

CVSS v2.0

Base Score: 10

Temporal Score: 8.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:H/RL:OF/RC:C

Vulnerability Information

CPE: cpe:/a:apple:cups, cpe:/a:gnu:bash

Required KB Items: www/cups

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2014/09/26

Vulnerability Publication Date: 2014/09/24

Exploitable With

Core Impact

Metasploit (Qmail SMTP Bash Environment Variable Injection (Shellshock))

Reference Information

CVE: CVE-2014-6271, CVE-2014-7169

BID: 70103, 70137

CERT: 252743

EDB-ID: 34765, 34766, 34777

IAVA: 2014-A-0142