CUPS requires users to demonstrate root/admin level access to perform various printer management related functions. Authentication to CUPS is completed by a web interface or over a dedicated file socket. Traditionally, users authenticate via traditional HTTP “Basic” web authorization. However, CUPS also allows authentication via a 32 byte randomly generated hex string. This method of authorization, called “Local” authorization by CUPS, has a bug that allows an attacker to authenticate to CUPS as root/admin without the 32-byte secret key. Root/admin access to CUPS yields arbitrary code execution as root with further effort. This affects CUPS 2.x.
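The description above says that "Local" authorization is a bearer-style check: the client presents a randomly generated hex secret and the server compares it with the one it stored. The following is an added example, not CUPS's own code and not a reconstruction of the CUPS bug, showing the checks a defender wants in such a comparison: the token must be exactly the expected length, be well-formed hex, and be compared in constant time, so that an empty, truncated, or prefix-only value can never match. The token length of 32 hex characters, the header format `Local <token>`, and the function names are assumptions for the example.

```python
import hmac
import secrets

# Assumption for this example: the local secret is 32 hex characters.
# (The page describes a randomly generated hex string; exact format is not given.)
TOKEN_HEX_LEN = 32


def generate_local_certificate() -> str:
    """Create a fresh random secret: 16 random bytes rendered as 32 hex chars."""
    return secrets.token_hex(TOKEN_HEX_LEN // 2)


def parse_local_authorization(header: str):
    """Extract the token from an 'Authorization: Local <token>' header value.

    Returns None unless the scheme is exactly 'Local' followed by one token,
    so a bare 'Local' or 'Local ' never yields an empty string to compare.
    """
    parts = header.split()
    if len(parts) != 2 or parts[0] != "Local":
        return None
    return parts[1]


def verify_local_certificate(presented, stored: str) -> bool:
    """Accept only a full-length, well-formed token equal to the stored one.

    Length is checked first so a short or empty input is rejected outright,
    the token must be valid hex, and the final comparison is constant time
    over the whole value (no prefix or caller-controlled length semantics).
    """
    if not presented or len(presented) != TOKEN_HEX_LEN:
        return False
    if len(stored) != TOKEN_HEX_LEN:
        # A malformed stored secret must fail closed, never open.
        return False
    try:
        bytes.fromhex(presented)
    except ValueError:
        return False
    return hmac.compare_digest(presented.encode(), stored.encode())


def authorize_request(header: str, stored: str) -> bool:
    """End-to-end check: parse the header, then verify the token."""
    token = parse_local_authorization(header)
    return token is not None and verify_local_certificate(token, stored)


if __name__ == "__main__":
    # Constructed sample secret for demonstration only.
    secret = generate_local_certificate()
    print("valid token accepted:", authorize_request("Local " + secret, secret))
    print("empty token rejected:", not authorize_request("Local ", secret))
    print("prefix rejected:", not authorize_request("Local " + secret[:16], secret))
```

The ordering matters: rejecting on length before comparing means the comparison routine is never handed an input whose length is attacker-chosen, and `hmac.compare_digest` removes timing differences for inputs that do reach it.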
Lifting embargo.
Created cups tracking bugs for this issue:
Affects: fedora-34 [bug 2090715]
Affects: fedora-35 [bug 2090716]
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions Via RHSA-2022:5054 https://access.redhat.com/errata/RHSA-2022:5054
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2022:5055 https://access.redhat.com/errata/RHSA-2022:5055
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Extended Update Support Via RHSA-2022:5057 https://access.redhat.com/errata/RHSA-2022:5057
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:5056 https://access.redhat.com/errata/RHSA-2022:5056
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2022:4990 https://access.redhat.com/errata/RHSA-2022:4990
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-26691