The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of CUPS

computer vulnerability bulletin CVE-2017-18248

CUPS: denial of service via Invalid UTF-8 Username

Synthesis of the vulnerability

An attacker can generate a fatal error via an invalid UTF-8 username in CUPS, in order to trigger a denial of service.
Impacted products: CUPS, Debian, openSUSE Leap, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: intranet client.
Creation date: 27/03/2018.
Identifiers: 5143, CVE-2017-18248, DLA-1387-1, DLA-1412-1, openSUSE-SU-2018:2239-1, SUSE-SU-2018:2162-1, USN-3713-1, VIGILANCE-VUL-25658.

Description of the vulnerability

An attacker can generate a fatal error via an invalid UTF-8 username in CUPS, in order to trigger a denial of service.

computer vulnerability note CVE-2015-3258 CVE-2015-3279

CUPS: buffer overflow of texttopdf

Synthesis of the vulnerability

An attacker can generate a buffer overflow in texttopdf of CUPS, in order to trigger a denial of service, and possibly to execute code.
Impacted products: CUPS, Debian, Fedora, openSUSE, RHEL, Ubuntu.
Severity: 2/4.
Consequences: privileged access/rights, denial of service on server, denial of service on service.
Provenance: user account.
Number of vulnerabilities in this bulletin: 2.
Creation date: 29/06/2015.
Identifiers: 1235385, CVE-2015-3258, CVE-2015-3279, DSA-3303-1, FEDORA-2015-11163, FEDORA-2015-11192, openSUSE-SU-2015:1244-1, RHSA-2015:2360-01, USN-2659-1, VIGILANCE-VUL-17249.

Description of the vulnerability

The CUPS product includes a tool to convert raw text to PDF.

When generating the PDF header, in the function "WriteProlog", a buffer size is computed from the number of lines and columns of text. However, if the specified size is too small, an invalid buffer size is used and an overflow will happen when generating pages.

An attacker can therefore generate a buffer overflow in texttopdf of CUPS, in order to trigger a denial of service, and possibly to execute code.

vulnerability announce 17082

CUPS: endless loop in the handling of compressed files

Synthesis of the vulnerability

An attacker can generate an infinite loop in the handling of compressed files in CUPS, in order to trigger a denial of service.
Impacted products: CUPS.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: user shell.
Creation date: 09/06/2015.
Identifiers: 4602, VIGILANCE-VUL-17082.

Description of the vulnerability

CUPS is a printing management system for Unix platforms.

It can receive files to be printed in Gzip compressed form. However, the Gzip format is not properly checked, and one kind of ill-formed file leads to an endless loop.

An attacker can therefore generate an infinite loop in the handling of compressed files in CUPS, in order to trigger a denial of service.

computer vulnerability note CVE-2015-1158

CUPS: privilege escalation via the dynamic linker

Synthesis of the vulnerability

An attacker can bypass access restrictions to administrative functions of CUPS, in order to escalate his privileges.
Impacted products: CUPS, Debian, Fedora, Junos Space, openSUSE, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights.
Provenance: user shell.
Creation date: 08/06/2015.
Revision date: 09/06/2015.
Identifiers: 4609, CERTFR-2015-AVI-431, CVE-2015-1158, DSA-3283-1, FEDORA-2015-9726, FEDORA-2015-9801, JSA10702, openSUSE-SU-2015:1056-1, RHSA-2015:1123-01, SSA:2015-188-01, SUSE-SU-2015:1011-1, SUSE-SU-2015:1041-1, SUSE-SU-2015:1044-1, SUSE-SU-2015:1044-2, USN-2629-1, VIGILANCE-VUL-17079, VU#810572.

Description of the vulnerability

CUPS is a printing management system for Unix platforms.

It includes a Web interface, used for instance to submit print jobs. However, ill-formed requests with more than one "nameWithLanguage" attribute make it possible to override a configuration file. This allows the attacker to modify the environment of launched programs with SetEnv commands, and so, via LD_PRELOAD variables, to make launched programs load and run external code compiled as a shared object.

An attacker can therefore bypass access restrictions to administrative functions of CUPS, in order to escalate his privileges.

vulnerability CVE-2014-8166

CUPS: code execution via ANSI Sequence

Synthesis of the vulnerability

An attacker can inject malicious ANSI sequences in CUPS, in order to execute code.
Impacted products: CUPS.
Severity: 2/4.
Consequences: user access/rights.
Provenance: user account.
Creation date: 24/03/2015.
Identifiers: CVE-2014-8166, VIGILANCE-VUL-16450.

Description of the vulnerability

Several extensions on ANSI sequences can have an impact on security (VIGILANCE-VUL-3355).

However, the CUPS service does not filter ANSI sequences. An attacker can thus inject ANSI escape sequences, which are interpreted by the shell terminal.

An attacker can therefore inject malicious ANSI sequences in CUPS, in order to execute code.

computer vulnerability announce CVE-2014-9679

CUPS: buffer overflow of cupsRasterReadPixels

Synthesis of the vulnerability

An attacker can generate a buffer overflow in the cupsRasterReadPixels() function of CUPS, in order to trigger a denial of service, and possibly to execute code.
Impacted products: CUPS, Debian, Fedora, openSUSE, Solaris, RHEL, Ubuntu.
Severity: 2/4.
Consequences: privileged access/rights, user access/rights, denial of service on service.
Provenance: document.
Creation date: 10/02/2015.
Identifiers: bulletinapr2016, CVE-2014-9679, DSA-3172-1, FEDORA-2015-2127, FEDORA-2015-2152, MDVSA-2015:049, MDVSA-2015:108, openSUSE-SU-2015:0381-1, RHSA-2015:1123-01, USN-2520-1, VIGILANCE-VUL-16157.

Description of the vulnerability

The CUPS product offers the libcupsimage library, which provides functions to manipulate raster images.

The cupsRasterReadPixels() function reads a pixel from a raster image. However, if the size of data is greater than the size of the storage array, an overflow occurs.

An attacker can therefore generate a buffer overflow in the cupsRasterReadPixels() function of CUPS, in order to trigger a denial of service, and possibly to execute code.

computer vulnerability CVE-2014-3566

SSL 3.0: decrypting session, POODLE

Synthesis of the vulnerability

An attacker, positioned as a Man-in-the-Middle, can decrypt an SSL 3.0 session, in order to obtain sensitive information.
Impacted products: SES, SNS, Apache httpd, Arkoon FAST360, ArubaOS, Asterisk Open Source, BES, ProxyAV, ProxySG by Blue Coat, SGOS by Blue Coat, GAiA, CheckPoint IP Appliance, IPSO, SecurePlatform, CheckPoint Security Appliance, CheckPoint Security Gateway, Cisco ASR, Cisco ACE, ASA, AsyncOS, Cisco CSS, Cisco ESA, IOS by Cisco, IOS XE Cisco, IOS XR Cisco, IronPort Email, Nexus by Cisco, NX-OS, Prime Infrastructure, Cisco PRSM, Cisco Router, WebNS, Clearswift Email Gateway, Clearswift Web Gateway, CUPS, Debian, Black Diamond, ExtremeXOS, Summit, BIG-IP Hardware, TMOS, Fedora, FortiGate, FortiGate Virtual Appliance, FortiManager, FortiManager Virtual Appliance, FortiOS, FreeBSD, F-Secure AV, hMailServer, HPE BSM, HP Data Protector, HPE NNMi, HP Operations, ProCurve Switch, SiteScope, HP Switch, TippingPoint IPS, HP-UX, AIX, Domino, Notes, Security Directory Server, SPSS Data Collection, Tivoli System Automation, Tivoli Workload Scheduler, WebSphere AS Traditional, WebSphere MQ, IVE OS, Juniper J-Series, Junos OS, Junos Space, Junos Space Network Management Platform, MAG Series by Juniper, NSM Central Manager, NSMXpress, Juniper SA, McAfee Email and Web Security, McAfee Email Gateway, ePO, VirusScan, McAfee Web Gateway, IE, Windows 2003, Windows 2008 R0, Windows 2008 R2, Windows 2012, Windows 7, Windows 8, Windows (platform) ~ not comprehensive, Windows RT, Windows Vista, NETASQ, NetBSD, NetScreen Firewall, ScreenOS, nginx, Nodejs Core, OpenSSL, openSUSE, openSUSE Leap, Oracle DB, Oracle Fusion Middleware, Oracle Identity Management, Oracle OIT, Solaris, Tuxedo, WebLogic, Palo Alto Firewall PA***, PAN-OS, Polycom CMA, HDX, RealPresence Collaboration Server, RealPresence Distributed Media Application, Polycom VBP, Postfix, SSL protocol, Puppet, RHEL, JBoss EAP by Red Hat, RSA Authentication Manager, ROS, ROX, RuggedSwitch, Slackware, Splunk Enterprise, stunnel, SUSE Linux Enterprise Desktop, SLES, Synology DSM, Ubuntu, Unix (platform) ~ not comprehensive, ESXi, vCenter Server, VMware vSphere, VMware vSphere Hypervisor, WinSCP.
Severity: 3/4.
Consequences: data reading, data creation/edition.
Provenance: internet client.
Creation date: 15/10/2014.
Identifiers: 10923, 1589583, 1595265, 1653364, 1657963, 1663874, 1687167, 1687173, 1687433, 1687604, 1687611, 1690160, 1690185, 1690342, 1691140, 1692551, 1695392, 1696383, 1699051, 1700706, 2977292, 3009008, 7036319, aid-10142014, AST-2014-011, bulletinapr2015, bulletinjan2015, bulletinjan2016, bulletinjul2015, bulletinjul2016, bulletinoct2015, c04486577, c04487990, c04492722, c04497114, c04506802, c04510230, c04567918, c04616259, c04626982, c04676133, c04776510, CERTFR-2014-ALE-007, CERTFR-2014-AVI-454, CERTFR-2014-AVI-509, CERTFR-2015-AVI-169, CERTFR-2016-AVI-303, cisco-sa-20141015-poodle, cpujul2017, CTX216642, CVE-2014-3566, DSA-3053-1, DSA-3253-1, DSA-3489-1, ESA-2014-178, ESA-2015-098, ESXi500-201502001, ESXi500-201502101-SG, ESXi510-201503001, ESXi510-201503001-SG, ESXi510-201503101-SG, ESXi550-201501001, ESXi550-201501101-SG, FEDORA-2014-12989, FEDORA-2014-12991, FEDORA-2014-13012, FEDORA-2014-13017, FEDORA-2014-13040, FEDORA-2014-13069, FEDORA-2014-13070, FEDORA-2014-13444, FEDORA-2014-13451, FEDORA-2014-13764, FEDORA-2014-13777, FEDORA-2014-13781, FEDORA-2014-13794, FEDORA-2014-14234, FEDORA-2014-14237, FEDORA-2014-15379, FEDORA-2014-15390, FEDORA-2014-15411, FEDORA-2014-17576, FEDORA-2014-17587, FEDORA-2015-9090, FEDORA-2015-9110, FreeBSD-SA-14:23.openssl, FSC-2014-8, HPSBGN03256, HPSBGN03305, HPSBGN03332, HPSBHF03156, HPSBHF03300, HPSBMU03152, HPSBMU03184, HPSBMU03213, HPSBMU03416, HPSBUX03162, HPSBUX03194, JSA10656, MDVSA-2014:203, MDVSA-2014:218, MDVSA-2015:062, NetBSD-SA2014-015, nettcp_advisory, openSUSE-SU-2014:1331-1, openSUSE-SU-2014:1384-1, openSUSE-SU-2014:1395-1, openSUSE-SU-2014:1426-1, openSUSE-SU-2016:0640-1, openSUSE-SU-2016:1586-1, openSUSE-SU-2017:0980-1, PAN-SA-2014-0005, POODLE, RHSA-2014:1652-01, RHSA-2014:1653-01, RHSA-2014:1692-01, RHSA-2014:1920-01, RHSA-2014:1948-01, RHSA-2015:0010-01, RHSA-2015:0011-01, RHSA-2015:0012-01, RHSA-2015:1545-01, RHSA-2015:1546-01, SA83, SB10090, SB10104, sk102989, SOL15702, SP-CAAANKE, SP-CAAANST, SPL-91947, SPL-91948, SSA:2014-288-01, SSA-396873, SSA-472334, SSRT101767, STORM-2014-02-FR, SUSE-SU-2014:1357-1, SUSE-SU-2014:1361-1, SUSE-SU-2014:1386-1, SUSE-SU-2014:1387-1, SUSE-SU-2014:1387-2, SUSE-SU-2014:1409-1, SUSE-SU-2015:0010-1, SUSE-SU-2016:1457-1, SUSE-SU-2016:1459-1, T1021439, TSB16540, USN-2839-1, VIGILANCE-VUL-15485, VMSA-2015-0001, VMSA-2015-0001.1, VMSA-2015-0001.2, VN-2014-003, VU#577193.

Description of the vulnerability

An SSL/TLS session can be established using several protocols:
 - SSL 2.0 (obsolete)
 - SSL 3.0
 - TLS 1.0
 - TLS 1.1
 - TLS 1.2

An attacker can downgrade the negotiated version to SSL 3.0. With SSL 3.0 and a CBC encryption, the attacker can then change the padding position, in order to progressively guess clear text fragments.

This vulnerability is named POODLE (Padding Oracle On Downgraded Legacy Encryption).

An attacker, positioned as a Man-in-the-Middle, can therefore decrypt an SSL 3.0 session, in order to obtain sensitive information.

vulnerability note CVE-2014-3537

CUPS: privilege escalation via RSS

Synthesis of the vulnerability

An attacker who is a member of the lp group can create a symbolic link, and then read the RSS feed of CUPS, in order to escalate his privileges.
Impacted products: CUPS, Debian, Fedora, RHEL, Ubuntu.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights, data reading.
Provenance: user shell.
Creation date: 21/07/2014.
Identifiers: 4450, CVE-2014-3537, DSA-2990-1, FEDORA-2014-8351, FEDORA-2014-9703, MDVSA-2014:151, MDVSA-2015:108, RHSA-2014:1388-02, USN-2293-1, VIGILANCE-VUL-15074.

Description of the vulnerability

The CUPS product offers a web service, with an RSS information feed.

RSS information originates from the /var/cache/cups/rss/ directory. However, an attacker who is a member of the lp group can create a symbolic link in this directory pointing to an external file. This file is then read with root privileges, and displayed in the RSS feed.

By linking /var/run/cups/certs/0, an attacker can also gain privileges of the CUPS @SYSTEM group.

An attacker who is a member of the lp group can therefore create a symbolic link, and then read the RSS feed of CUPS, in order to escalate his privileges.

computer vulnerability announce CVE-2014-2856

CUPS: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting in CUPS, in order to execute JavaScript code in the context of the web site.
Impacted products: CUPS, Fedora, Solaris, RHEL, Ubuntu.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 14/04/2014.
Identifiers: CVE-2014-2856, FEDORA-2014-4384, FEDORA-2014-5079, MDVSA-2014:091, MDVSA-2014:092, MDVSA-2015:108, RHSA-2014:1388-02, USN-2172-1, VIGILANCE-VUL-14587.

Description of the vulnerability

The CUPS product offers a web service.

However, it does not filter received data before inserting them in generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting in CUPS, in order to execute JavaScript code in the context of the web site.

computer vulnerability alert CVE-2012-5519

CUPS: file access via PageLog

Synthesis of the vulnerability

A local attacker, who is a member of the lpadmin group, can change the CUPS log filename, in order to read or write in a file, with privileges of the daemon.
Impacted products: CUPS, Debian, Fedora, Mandriva Linux, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES.
Severity: 1/4.
Consequences: data reading, data creation/edition.
Provenance: user shell.
Creation date: 12/11/2012.
Identifiers: 692791, BID-56494, CVE-2012-5519, DSA-2600-1, FEDORA-2012-19606, MDVSA-2012:179, openSUSE-SU-2015:1056-1, RHSA-2013:0580-01, SUSE-SU-2015:1041-1, SUSE-SU-2015:1044-1, SUSE-SU-2015:1044-2, VIGILANCE-VUL-12126.

Description of the vulnerability

The CUPS print service uses the /etc/cups/cupsd.conf configuration file.

Members of the lpadmin group can authenticate on the CUPS web administration interface, in order to modify this configuration file. They can thus change the PageLog configuration directive, which indicates the log file name, in order to point for example to /etc/shadow.

However, the CUPS daemon runs with elevated privileges (root on some systems such as Debian). An attacker can thus use the log display web interface, in order to read the content of the log file, with root privileges. Moreover, if the attacker prints a document, log data are appended to this file, with elevated privileges.

A local attacker, who is a member of the lpadmin group, can therefore change the CUPS log filename, in order to read or write in a file, with privileges of the daemon.