Bug 2084321 (CVE-2022-26691)

Summary: CVE-2022-26691 cups: authorization bypass when using "local" authorization
Product: [Other] Security Response Reporter: Anten Skrabec <askrabec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: askrabec, jorton, michal.skrivanek, mkaplan, mperina, rtillery, saroy, sbonazzo, security-response-team, thoger, trathi, twaugh, zdohnal
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
An authorization vulnerability was found in the CUPS printing system. This security vulnerability occurs when local authorization happens. This flaw allows an attacker to authenticate to CUPS as root/admin without the 32-byte secret key and perform arbitrary code execution.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-06-16 01:55:05 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2084402, 2084403, 2084404, 2084405, 2084406, 2084407, 2084408, 2090715, 2090716    
Bug Blocks: 2084328    

Description Anten Skrabec 2022-05-11 21:01:31 UTC 
CUPS requires users to demonstrate root/admin level access to perform various printer management related functions. Authentication to CUPS is completed by a web interface or over a dedicated file socket. Traditionally, users authenticate via traditional HTTP “Basic” web authorization. However, CUPS also allows authentication via a 32 byte randomly generated hex string. This method of authorization, called “Local” authorization by CUPS, has a bug that allows an attacker to authenticate to CUPS as root/admin without the 32-byte secret key. Root/admin access to CUPS yields arbitrary code execution as root with further effort. This affects CUPS 2.x
Comment 17 Avinash Hanwate 2022-05-26 12:23:58 UTC 
Lifting embargo.
Comment 18 Avinash Hanwate 2022-05-26 12:24:32 UTC 
Created cups tracking bugs for this issue:

Affects: fedora-34 [bug 2090715]
Affects: fedora-35 [bug 2090716]
Comment 21 errata-xmlrpc 2022-06-15 12:50:54 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:5054 https://access.redhat.com/errata/RHSA-2022:5054
Comment 22 errata-xmlrpc 2022-06-15 13:33:07 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:5055 https://access.redhat.com/errata/RHSA-2022:5055
Comment 23 errata-xmlrpc 2022-06-15 14:12:30 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:5057 https://access.redhat.com/errata/RHSA-2022:5057
Comment 24 errata-xmlrpc 2022-06-15 15:05:37 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:5056 https://access.redhat.com/errata/RHSA-2022:5056
Comment 25 errata-xmlrpc 2022-06-15 22:12:42 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:4990 https://access.redhat.com/errata/RHSA-2022:4990
Comment 26 Product Security DevOps Team 2022-06-16 01:55:03 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-26691