Affected versions of CUPS allow for the SetEnv and PassEnv directives to be specified in the cupsd.conf file, which is editable by non-root users using the cupsctl binary. This allows attacker-controlled environment variables to be passed to CUPS backends, some of which are run as root. By passing malicious values in environment variables to affected backends, it is possible to execute an attacker-supplied binary as root, subject to sandbox restrictions. References: https://blog.gdssecurity.com/labs/2018/7/11/cups-local-privilege-escalation-and-sandbox-escapes.html Upstream patch: https://github.com/apple/cups/commit/d47f6aec436e0e9df6554436e391471097686ecc
Created cups tracking bugs for this issue: Affects: fedora-all [bug 1607293]
On Linux the sandbox feature is not enabled, however SELinux may restricts the allowed actions an attacker can accomplish. Moreover, on RHEL the SystemGroup defined in /etc/cups/cups-files.conf (or in /etc/cups/cupsd.conf in RHEL 5 and 6) only includes groups `sys` and `root`, thus reducing considerably the set of users who can run cupsctl and perform the attack.
Decreasing the Impact of the flaw to Moderate, because of the high privileges required to exploit it.
Mitigation: Do not add untrusted users to sys and root groups.
Though RHEL 5 still allows to set PassEnv and SetEnv through cupsctl even by non-root users, it does not have the dnssd backend which allows an attacker to supply a binary which is executed with root permissions. For this reason the impact on RHEL 5 is Low.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:1050 https://access.redhat.com/errata/RHSA-2020:1050
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-4180