The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of CUPS: file access via PageLog

Summary of the vulnerability

A local attacker who is a member of the lpadmin group can change the CUPS log filename in order to read or write a file with the privileges of the daemon.
Vulnerable products: CUPS, Debian, Fedora, Mandriva Linux, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES.
Severity of this weakness: 1/4.
Creation date: 12/11/2012.
References of this bulletin: 692791, BID-56494, CVE-2012-5519, DSA-2600-1, FEDORA-2012-19606, MDVSA-2012:179, openSUSE-SU-2015:1056-1, RHSA-2013:0580-01, SUSE-SU-2015:1041-1, SUSE-SU-2015:1044-1, SUSE-SU-2015:1044-2, VIGILANCE-VUL-12126.

Description of the vulnerability 

The CUPS print service uses the /etc/cups/cupsd.conf configuration file.

Members of the lpadmin group can authenticate to the CUPS web administration interface and modify this configuration file. They can therefore change the PageLog configuration directive, which sets the log file name, so that it points, for example, to /etc/shadow.

However, the CUPS daemon runs with elevated privileges (root on some systems such as Debian). An attacker can therefore use the log display page of the web interface to read the content of the log file with root privileges. Moreover, if the attacker prints a document, log data is appended to this file with elevated privileges.

A local attacker who is a member of the lpadmin group can therefore change the CUPS log filename in order to read or write a file with the privileges of the daemon.
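
One way to check a host for the condition described above, as an added example (not code from this bulletin or from CUPS): it flags any PageLog directive in cupsd.conf text whose path resolves outside an expected log directory. The function name audit_pagelog, the /var/log/cups directory and the sample configuration are assumptions made for illustration.

```python
import posixpath

# Assumption: page logs belong under this directory (a common Linux default).
ALLOWED_LOG_DIR = "/var/log/cups"
# PageLog values that are not files; an empty value disables the page log.
NON_FILE_VALUES = {"", "syslog", "stderr"}

# Constructed sample, not taken from a real host.
SAMPLE_CONF = """\
# cupsd.conf excerpt
LogLevel warn
pagelog /etc/shadow
PageLog /var/log/cups/page_log
PageLog /var/log/cups/../../../etc/shadow
PageLog syslog
"""


def audit_pagelog(conf_text, allowed_dir=ALLOWED_LOG_DIR):
    """Return (line_number, value, reason) for each suspicious PageLog line."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        # Directive names are matched case-insensitively.
        if parts[0].lower() != "pagelog":
            continue
        value = parts[1].strip() if len(parts) > 1 else ""
        if value.lower() in NON_FILE_VALUES:
            continue
        if not value.startswith("/"):
            # Conservative choice of this example: review anything relative.
            findings.append((lineno, value, "not an absolute path"))
            continue
        # Collapse "../" segments before comparing with the allowed directory.
        resolved = posixpath.normpath(value)
        if posixpath.commonpath([resolved, allowed_dir]) != allowed_dir:
            findings.append((lineno, value, "outside " + allowed_dir))
    return findings


if __name__ == "__main__":
    for lineno, value, reason in audit_pagelog(SAMPLE_CONF):
        print(f"line {lineno}: PageLog {value!r} ({reason})")
```

Symbolic links are not resolved, so a path that passes this check should still be inspected on the host itself.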

This security announcement affects software or systems such as CUPS, Debian, Fedora, Mandriva Linux, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES.

Our Vigil@nce team determined that the severity of this threat is low.

The trust level is "confirmed by the editor", with an origin of "user shell".

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with technician-level ability can exploit this vulnerability.

Solutions for this threat 

CUPS: workaround for PageLog.
A workaround is to ensure that the following groups only contain legitimate users:
  lpadmin (Debian)
  bin (Red Hat, Fedora)
  adm (Red Hat, Fedora)

Debian: new cups packages.
New packages are available:
  cups 1.4.4-7+squeeze2

Fedora 17: new cups packages.
New packages are available:
  cups-1.5.4-18.fc17

Mandriva: new cups packages.
New packages are available:
  cups-1.4.8-2.2

openSUSE: new cups packages.
New packages are available:
  openSUSE 13.2: cups 1.5.4-21.9.1
  openSUSE 13.1: cups 1.5.4-12.20.1

RHEL: new cups packages.
New packages are available:
  RHEL 5: cups 1.3.7-30.el5_9.3
  RHEL 6: cups 1.4.2-50.el6_4.4

SUSE LE Module for Legacy Software 12: new cups154 packages.
New packages are available:
  SUSE LE 12: cups154 1.5.4-9.1

SUSE LE: new cups packages.
New packages are available:
  SUSE LE 12: cups 1.7.5-9.1
