Bug 2230495 (CVE-2023-32360) - CVE-2023-32360 cups: Information leak through Cups-Get-Document operation
Summary: CVE-2023-32360 cups: Information leak through Cups-Get-Document operation
Keywords:
Status: NEW
Alias: CVE-2023-32360
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2230499 2230500 2231884 2231885 2231886 2231887 2231888 2231889 2231890 2232145 2230497
Blocks: 2230498
Reported: 2023-08-09 15:05 UTC by Pedro Sampaio
Modified: 2023-08-17 00:13 UTC (History)

Fixed In Version: cups 2.4.3
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in OpenPrinting CUPS. Unauthorized users are permitted to fetch documents over local or remote networks, leading to a confidentiality breach.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Pedro Sampaio 2023-08-09 15:05:53 UTC
CUPS leaks print job documents to local and remote attackers. You need Linux with a printer set up and software that subscribes to printer events via the IPP protocol and requests the job documents. The operation Cups-Get-Document is not protected, as documented, against unauthorized access. Unauthorized users are permitted to fetch documents.

Upstream fix:

https://github.com/OpenPrinting/cups/commit/a0c8b9c9556882f00c68b9727a95a1b6d1452913

Comment 1 Pedro Sampaio 2023-08-09 15:06:09 UTC
Created cups tracking bugs for this issue:

Affects: fedora-all [bug 2230497]

Comment 3 Zdenek Dohnal 2023-08-10 13:21:02 UTC
Hi,

I would like to fix this issue for the reasons mentioned in the email which I sent as notification to secalert:

- if an attacker has access to cupsd (the attacker got into the machine, or into a local network whose subnets are configured to have access to the server, or cupsd is incorrectly configured to listen on a public network and is not protected by a firewall or any other means in cupsd.conf, such as 'Allow from' in <Limit>s and <Location>s) and finds out the job id and the username of whoever printed the job, he can get the printed file in the IPP response.

- the victim can mitigate by setting 'PreserveJobFiles No' (removes the job file after printing - the default is to remove the file after one day), changing the default policy (to authenticated or kerberos) or limiting the means by which the attacker can find out usernames and job ids (limiting access to specific <Location>s in cupsd.conf)

Based on this, I'm not sure about the severity of the vulnerability - I would like to know prodsec's evaluation of it, so I can fix the issue accordingly.

I'm putting NEEDINFO on the reporter; please switch it to the person doing the Secondary assessment.

Thank you in advance!
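
The mitigations listed in this comment, written out as a cupsd.conf fragment. This is an added example, not configuration from the bug report or from the CUPS project; it assumes the stock <Policy authenticated> block that ships in the default cupsd.conf is present, and that the server only needs to serve local clients.

```apacheconf
# Added hardening fragment for cupsd.conf (example, not from the bug report
# or from the CUPS project). Each directive maps to one mitigation above.

# Only accept connections on the loopback interface, so cupsd is never
# reachable from a public network regardless of firewall state.
Listen localhost:631

# Delete the job file as soon as printing completes. With nothing kept on
# disk there is no document for CUPS-Get-Document to return afterwards.
PreserveJobFiles No

# Require authentication for all IPP operations, including
# CUPS-Get-Document, instead of the unauthenticated default policy.
# Assumes the stock <Policy authenticated> definition is present.
DefaultPolicy authenticated

# Limit who can talk to the server at all. Anyone who can reach this
# location can enumerate job ids and usernames, which is the information
# the attacker needs to request a document.
<Location />
  Order allow,deny
  Allow localhost
</Location>
```

Apply with a restart of cupsd, then confirm no job files remain under the spool directory after a test print.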

Comment 5 Zdenek Dohnal 2023-08-14 06:23:45 UTC
FTR I've verified that the file content is sent in the IPP response with affected CUPS versions.

Comment 6 msiddiqu 2023-08-14 13:40:13 UTC
In reply to comment #3:
 
> Based on this, I'm not sure about severity of the vulnerability - I would
> like to know prodsec evaluation of it, so I can fix the issue accordingly.

I've added a statement for the change in severity from Moderate to Important on the CVE page, as follows:

This vulnerability is classified as important according to Red Hat's Severity Rating Classification, as unauthorised users are permitted to fetch documents over local or remote networks, leading to a confidentiality breach.

https://access.redhat.com/security/updates/classification

Please consider this a 'high' level in bugzilla.

