Bug 1949119 (CVE-2021-25317)

Summary: CVE-2021-25317 cups: insecure permissions of /var/log/cups allows for symlink attacks
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: low
Priority: low
Version: unspecified
CC: mdogra, security-response-team, twaugh, zdohnal
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Doc Text:
It was found that some Linux vendors may assign the ownership of the /var/log/cups directory to the `lp` user. This could allow an attacker with such privileges to create empty files in arbitrary locations, or to force arbitrary files to be opened and closed, using a symlink attack. This has a low impact on the integrity of the system.
Story Points: ---
Last Closed: 2021-11-15 13:09:58 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1950903, 1950124, 1950125, 1955090, 1955091
Bug Blocks: 1947565

Description Guilherme de Almeida Suckevicz 2021-04-13 13:18:12 UTC
A flaw was found in the way some Linux Operating Systems install cups.
If the default permissions of /var/log/cups allow the 'lp' user to write new files and the cups daemon runs with root permissions, an attacker with access to the 'lp' user could use this flaw to carry out a symlink attack.
However, because cupsd verifies whether the path is a symlink after opening it, the flaw can be used only to create empty files in arbitrary locations, or to force open()/close() system calls on arbitrary locations.

Because the code will correct the /var/log/cups permissions after the failure, the attacker can carry out this attack only once.

# ps -FC cupsd
UID        PID  PPID  C    SZ   RSS PSR STIME TTY          TIME CMD
root     18686     1  0 86575  9900   0 07:55 ?        00:00:00 /usr/sbin/cupsd -l

# ls -ld /var/log/cups/
drwxr-xr-x. 2 lp sys 68 Apr 14 07:39 /var/log/cups/
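
Added illustration (example code, not from this report or from CUPS) of the distinction the description draws: a symlink check made only after open() still lets O_CREAT drop an empty file at the link's target, whereas a log opener that uses O_NOFOLLOW and then fstat() refuses the link before anything is created. The function names, the temporary-directory layout and the ELOOP expectation (Linux open(2) semantics) are assumptions of this example.

```c
#define _GNU_SOURCE 1
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* Hardened log opener (example code, not cups code). O_NOFOLLOW makes open()
 * fail with ELOOP on a trailing symlink before O_CREAT can create anything;
 * fstat() on the returned fd then confirms a regular file with no second path
 * lookup for a symlink swap to race. A check made only after open(), as the
 * report describes, still leaves an empty file at the link's target. */
int open_log_nofollow(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0644);
    if (fd >= 0 && (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode))) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    return fd;
}

/* Constructed scenario: a dangling symlink named like a cups log file in a
 * fresh temp dir. Returns 0 when a plain O_CREAT open through the link creates
 * the target but open_log_nofollow() refuses it and creates nothing; otherwise
 * the number of the step that failed. */
int demo_dangling_symlink(void)
{
    char dir[] = "/tmp/cupslogXXXXXX", link[64], target[64];
    int fd, rc = 0;
    if (mkdtemp(dir) == NULL) return 1;
    snprintf(link, sizeof link, "%s/error_log", dir);
    snprintf(target, sizeof target, "%s/victim", dir);
    if (symlink(target, link) != 0) return 2;
    /* Step 1: the unsafe open follows the link and creates "victim". */
    fd = open(link, O_WRONLY | O_APPEND | O_CREAT, 0644);
    if (fd < 0) rc = 3;
    else { close(fd); if (access(target, F_OK) != 0) rc = 4; }
    unlink(target);
    /* Step 2: the hardened open refuses the link (ELOOP) and creates nothing. */
    if (rc == 0) {
        fd = open_log_nofollow(link);
        if (fd >= 0) { close(fd); rc = 5; }
        else if (errno != ELOOP) rc = 6;
        else if (access(target, F_OK) == 0) rc = 7;
    }
    unlink(link); rmdir(dir);
    return rc;
}
```

The same O_NOFOLLOW plus fstat() pattern applies to any privileged daemon that creates files inside a directory a less-privileged user can write to.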

Comment 3 Cedric Buissart 2021-04-20 15:27:00 UTC
Acknowledgments:

Name: Matthias Gerstner

Comment 4 Cedric Buissart 2021-04-27 06:36:53 UTC
Statement:

This issue does not affect the upstream CUPS, only the CUPS versions as packaged by some OS vendors.

Comment 5 Cedric Buissart 2021-04-29 12:22:23 UTC
Created cups tracking bugs for this issue:

Affects: fedora-all [bug 1955090]