Bug 1607282 – CVE-2018-4180 cups: Local privilege escalation to root due to insecure environment variable handling

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 1607282 - (CVE-2018-4180) CVE-2018-4180 cups: Local privilege escalation to root due to insecure environment variable handling

Summary:	CVE-2018-4180 cups: Local privilege escalation to root due to insecure enviro...

Status:	NEW

Aliases:	CVE-2018-4180

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=moderate,public=20180509,repor...
Keywords:	Security

Depends On:	1607295 1608764 1607293 1608720 1608721 1608722
Blocks:	1607292
	Show dependency tree / graph

Reported:	2018-07-23 04:05 EDT by Andrej Nemec
Modified:	2018-07-30 13:24 EDT (History)
CC List:	13 users (show)

See Also:
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	It was discovered that CUPS allows non-root users to pass environment variables to CUPS backends. Affected backends use attacker-controlled environment variables without proper sanitization. A local attacker, who is part of one of the groups specified in the SystemGroups directive, could use the cupsctl binary to set SetEnv and PassEnv directives and potentially controls the flow of the affected backend, resulting in some cases in arbitrary code execution with root privileges.
Story Points:	---
Clone Of:
Environment:
Last Closed:
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Andrej Nemec 2018-07-23 04:05:15 EDT

Affected versions of CUPS allow for the SetEnv and PassEnv directives to be specified in the cupsd.conf file, which is editable by non-root users using the cupsctl binary.  This allows attacker-controlled environment variables to be passed to CUPS backends, some of which are run as root.  By passing malicious values in environment variables to affected backends, it is possible to execute an attacker-supplied binary as root, subject to sandbox restrictions.

References:

https://blog.gdssecurity.com/labs/2018/7/11/cups-local-privilege-escalation-and-sandbox-escapes.html

Upstream patch:

https://github.com/apple/cups/commit/d47f6aec436e0e9df6554436e391471097686ecc

Comment 1 Andrej Nemec 2018-07-23 04:30:39 EDT

Created cups tracking bugs for this issue:

Affects: fedora-all [bug 1607293]

Comment 6 Riccardo Schirone 2018-07-26 04:20:25 EDT

On Linux the sandbox feature is not enabled, however SELinux may restricts the allowed actions an attacker can accomplish. Moreover, on RHEL the SystemGroup defined in /etc/cups/cups-files.conf (or in /etc/cups/cupsd.conf in RHEL 5 and 6) only includes groups `sys` and `root`, thus reducing considerably the set of users who can run cupsctl and perform the attack.

Comment 7 Riccardo Schirone 2018-07-26 04:55:20 EDT

Decreasing the Impact of the flaw to Moderate, because of the high privileges required to exploit it.

Comment 8 Riccardo Schirone 2018-07-26 05:12:24 EDT

Mitigation:

Do not add untrusted users to sys and root groups.

Comment 10 Riccardo Schirone 2018-07-27 05:31:24 EDT

Though RHEL 5 still allows to set PassEnv and SetEnv through cupsctl even by non-root users, it does not have the dnssd backend which allows an attacker to supply a binary which is executed with root permissions. For this reason the impact on RHEL 5 is Low.

Note You need to log in before you can comment on or make changes to this bug.