Bug 1221641 - (CVE-2015-1158) CVE-2015-1158 cups: incorrect string reference counting (VU#810572)
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Target Release: ---
Assigned To: Red Hat Product Security
Whiteboard: impact=important,public=20150610,repo...
Keywords: Reopened, Security
Depends On: 1229979 1229982 1229983 1229984 1229985
Blocks: 1221644

Reported: 2015-05-14 09:20 EDT by Martin Prpic
Modified: 2015-07-03 08:50 EDT

Doc Type: Bug Fix
Doc Text:
A string reference count bug was found in cupsd, causing premature freeing of string objects. An attacker could submit a malicious print job that exploits this flaw to dismantle ACLs protecting privileged operations, allowing a replacement configuration file to be uploaded, which in turn allows the attacker to run arbitrary code on the CUPS server.
Last Closed: 2015-07-02 05:49:02 EDT

Description Martin Prpic 2015-05-14 09:20:45 EDT
The following flaw was found in CUPS:

Cupsd uses reference-counted strings with global scope. When parsing a print job request, cupsd over-decrements the reference count for a string from the request. As a result, an attacker can prematurely free an arbitrary string of global scope. They can use this to dismantle ACLs protecting privileged operations, upload a replacement configuration file, and subsequently run arbitrary code on a target machine.

This bug is exploitable in default configurations, and does not require any special permissions other than the basic ability to print.

Acknowledgements:

Red Hat would like to thank the CERT/CC for reporting this issue.
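The over-decrement described in this report, as an added example that is not CUPS code: a toy reference-counted string pool with global scope (the names `pooled_str`, `str_retain`, `str_release_unchecked`, `holder_release` and the request handlers are all invented for illustration) in which a request handler releases a shared string once more than it retained it, freeing the value that a constructed ACL entry still points at, beside a handler that releases through the owning pointer so the extra release is refused instead of taking another holder's reference.

```c
/* Added example, not CUPS code: a toy reference-counted string pool showing
 * how one extra release on a shared string frees it while another holder
 * (here, an ACL entry) still points at it, and an ownership discipline that
 * catches the extra release. All names and the pool layout are invented. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define POOL_SIZE 8

typedef struct {
    char *text;   /* NULL when the slot is unused or has been freed */
    int   refs;   /* number of holders; 0 once the text has been freed */
} pooled_str;

static pooled_str pool[POOL_SIZE];   /* global scope, shared by every caller */

static void pool_reset(void) {
    for (int i = 0; i < POOL_SIZE; i++) {
        free(pool[i].text);
        pool[i].text = NULL;
        pool[i].refs = 0;
    }
}

/* Intern a string: two callers that retain "root" share one slot. */
static pooled_str *str_retain(const char *s) {
    int free_slot = -1;
    for (int i = 0; i < POOL_SIZE; i++) {
        if (pool[i].text && strcmp(pool[i].text, s) == 0) {
            pool[i].refs++;                       /* already interned: share it */
            return &pool[i];
        }
        if (!pool[i].text && free_slot < 0) free_slot = i;
    }
    if (free_slot < 0) return NULL;               /* pool full */
    size_t n = strlen(s) + 1;
    pool[free_slot].text = malloc(n);
    if (!pool[free_slot].text) return NULL;
    memcpy(pool[free_slot].text, s, n);
    pool[free_slot].refs = 1;
    return &pool[free_slot];
}

/* Unconditional release: nothing ties a release to the retain it pairs with,
 * so a caller that releases twice spends a reference that belongs to another
 * holder, and the string is freed underneath that holder. */
static void str_release_unchecked(pooled_str *p) {
    if (--p->refs <= 0) {
        free(p->text);
        p->text = NULL;
        p->refs = 0;
    }
}

/* Release through the owning pointer: the pointer is cleared on release, so a
 * second release from the same holder finds NULL and is refused (-1) instead
 * of decrementing a count it no longer owns. */
static int holder_release(pooled_str **slot) {
    pooled_str *p = *slot;
    if (!p || !p->text || p->refs <= 0) return -1;
    *slot = NULL;
    if (--p->refs == 0) {
        free(p->text);
        p->text = NULL;
    }
    return 0;
}

/* Handler with the over-decrement: retains the attribute value once but
 * releases it twice (once after validation, once again on cleanup). */
static void handle_request_buggy(const char *attr_value) {
    pooled_str *v = str_retain(attr_value);   /* "root": refs 1 -> 2 */
    if (!v) return;
    str_release_unchecked(v);                 /* refs 2 -> 1: the request's own reference */
    str_release_unchecked(v);                 /* refs 1 -> 0: the ACL's reference, freed */
}

/* Same handler with releases routed through the owning pointer. Returns the
 * result of the second (erroneous) release: -1 means it was refused. */
static int handle_request_fixed(const char *attr_value) {
    pooled_str *v = str_retain(attr_value);   /* refs 1 -> 2 */
    if (!v) return -1;
    holder_release(&v);                       /* refs 2 -> 1, v becomes NULL */
    return holder_release(&v);                /* refused: this holder owns nothing now */
}

/* Scenario: a constructed ACL entry holds "root"; a request carrying the value
 * "root" is handled. Returns 1 if the ACL's string is still intact afterwards,
 * 0 if it was freed out from under the ACL. */
static int acl_survives(int use_fixed_handler) {
    pool_reset();
    pooled_str *acl_name = str_retain("root");
    if (use_fixed_handler) handle_request_fixed("root");
    else                   handle_request_buggy("root");
    return acl_name->text != NULL && strcmp(acl_name->text, "root") == 0;
}

int main(void) {
    printf("buggy handler: ACL string %s\n", acl_survives(0) ? "intact" : "freed");
    printf("fixed handler: ACL string %s\n", acl_survives(1) ? "intact" : "freed");
    return 0;
}
```

The pool is a static array, so the freed slot can still be inspected safely after the buggy run; in a real daemon the ACL's pointer would instead be read from memory that has been returned to the allocator, which is where the impact described in the report comes from. The ownership discipline in `holder_release` only catches a holder releasing what it already gave up; balanced retain/release pairing per holder is still the property to review in parsing code.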
Comment 2 Huzaifa S. Sidhpurwala 2015-06-10 00:58:30 EDT
Public via:

https://www.cups.org/str.php?L4609
Comment 3 Huzaifa S. Sidhpurwala 2015-06-10 01:21:44 EDT
Created cups tracking bugs for this issue:

Affects: fedora-all [bug 1229979]
Comment 5 errata-xmlrpc 2015-06-17 17:06:36 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2015:1123 https://rhn.redhat.com/errata/RHSA-2015-1123.html
Comment 8 Fedora Update System 2015-06-20 20:20:53 EDT
cups-2.0.3-1.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2015-06-20 20:35:52 EDT
cups-1.7.5-17.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Huzaifa S. Sidhpurwala 2015-06-22 03:24:28 EDT
Mitigation:

Disabling the cups web interface significantly reduces the impact of this security flaw.
Comment 12 Frank Hirtz 2015-06-25 15:17:39 EDT
Hi Huzaifa,

With your update (thank you), we have a new score of 7.6:

<snip>
https://access.redhat.com/security/cve/CVE-2015-1158
Base Score:	7.6
Base Metrics:	AV:N/AC:H/Au:N/C:C/I:C/A:C
</snip>

Elsewhere, I see this noted as 9.3 as they're assessing the complexity of the exploit as being somewhat lower than we do:

https://www.kb.cert.org/vuls/id/810572 (CVE-2015-1158 && CVE-2015-1159):
<snip>
The CVSS score below is based on CVE-2015-1158.
<snip>
CVSS Metrics (Learn More)
Group	Score	Vector
Base	9.3	AV:N/AC:M/Au:N/C:C/I:C/A:C

The difference is that we have this classed as "High" complexity, and (at least some) others have this listed as "Medium" complexity, which would account for the scoring difference. Is there something specific to our setup which makes exploiting this more difficult/complex?

I can't seem to get NVD to actually load for the CVE, so I can't say what's there.
Comment 13 Vincent Danen 2015-06-25 19:30:16 EDT
Statement:

This issue affects the version of the cups package as shipped with Red Hat Enterprise Linux 5.  Red Hat Enterprise Linux 5 is now in the Production 3 Phase of its support and maintenance life cycle. This has been rated as having Important security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.
Comment 14 Vincent Danen 2015-06-25 19:33:18 EDT
(In reply to Frank Hirtz from comment #12)
> Hi Huzaifa,
> 
> With your update (thank you), we have a new score of 7.6:
> 
> <snip>
> https://access.redhat.com/security/cve/CVE-2015-1158
> Base Score:	7.6
> Base Metrics:	AV:N/AC:H/Au:N/C:C/I:C/A:C
> </snip>
> 
> Elsewhere, I see this noted as 9.3 as they're assessing the complexity of
> the exploit as being somewhat lower than we do:
> 
> https://www.kb.cert.org/vuls/id/810572 (CVE-2015-1158 && CVE-2015-1159):
> <snip>
> The CVSS score below is based on CVE-2015-1158.
> <snip>
> CVSS Metrics (Learn More)
> Group	Score	Vector
> Base	9.3	AV:N/AC:M/Au:N/C:C/I:C/A:C
> 
> The difference is that we have this classed as "High" complexity, and (at
> least some) others have this listed as "Medium" complexity, which would
> account for the scoring difference. Is there something specific to our setup
> which makes exploiting this more difficult/complex?
> 
> I can't seem to get NVD to actually load for the CVE, so I can't say what's
> there.

Hi, Frank.  There is indeed a difference between how NVD rates things and how we rate things.  This is described on the Security Blog here:

https://securityblog.redhat.com/2013/02/13/how-red-hat-uses-cvssv2-scoring-to-assist-in-rating-flaws/

That should clarify things for you.
Comment 15 Huzaifa S. Sidhpurwala 2015-06-30 00:23:09 EDT
Change of CVSSv2 scores again:
============================
Note: After more evaluation of the issues, it seemed like 6.8/AV:A/AC:H/Au:N/C:C/I:C/A:C was a better scoring; the only change is AV:A. This is because cups servers are not commonly configured/available on the internet, therefore Availability = Adjacent Network (Intranet) seems to be more suitable in this case. Everything else remains the same.
Comment 18 Huzaifa S. Sidhpurwala 2015-07-03 00:36:36 EDT
In order to exploit this flaw you need:

1. Permissions to print on the cups-server. CUPS servers are usually internal to a network, so this is not something that is exploitable on the internet.

2. This flaw has to be combined with another flaw, CVE-2015-1159 in this case. We do not rate security flaws based on what damage can be done in combination with other issues.

3. Lastly, exploitation is difficult and needs exact conditions to be matched; several of them are detailed in the external reference linked on the bug, and there are others as well.
Comment 19 Vincent Danen 2015-07-03 00:54:35 EDT
In addition to what Huzaifa noted above, this flaw requires that CUPS be listening on a network interface connected to the internet for it to be exploited by the general public.  Typically, most CUPS installs listen on localhost only (so the machine CUPS is running on), which is the shipped default.  In cases of running a print server, this would listen on an Ethernet interface, but even then, unless there is a reason for having someone on the other side of the world print to your printer, there are firewalls in place to prevent unknown entities from performing an attack, which leaves only attackers on your local network.

In addition, this flaw requires that the CUPS web interface is also listening on a network-reachable port (again, by default, only the localhost).  Note that just because you have CUPS listening for print requests on the local network it does not automatically mean that the web UI is available (this can be locked down to the localhost while still allowing for network printing).

As a result, this can be very easily mitigated even if you are using non-default configuration changes (which can only be made by a user with root privileges).  If you need to permit web-based configuration via the UI, you can easily lock it down to a particular administrator IP (using either CUPS itself or iptables).  See http://cups.org/documentation.php/doc-1.3/policies.html for more details.
