Bug 490597 (CVE-2009-0164) - CVE-2009-0164 cups: insufficient checking of the HTTP Host: header
Summary: CVE-2009-0164 cups: insufficient checking of the HTTP Host: header
Status: CLOSED WONTFIX
Alias: CVE-2009-0164
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=low,public=20090416,reported=2...
Keywords: Security
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-03-17 08:15 UTC by Jan Lieskovsky
Modified: 2019-06-08 12:43 UTC (History)
3 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2011-11-10 16:25:43 UTC


Attachments (Terms of Use)
Upstream Host: header checking patch (13.35 KB, patch)
2009-03-17 08:20 UTC, Jan Lieskovsky
no flags Details | Diff
Upstream documentation patch describing adding of new ServerAlias configuration directive (757 bytes, patch)
2009-04-01 09:58 UTC, Jan Lieskovsky
no flags Details | Diff
The ServerAlias docs patch ported to RHEL-3 (1.1.17) cups -- similar change will be needed yet for doc/sam.shtml file yet (1.48 KB, patch)
2009-04-01 10:01 UTC, Jan Lieskovsky
no flags Details | Diff
Updated upstream patch (16.47 KB, patch)
2009-04-02 07:54 UTC, Tomas Hoger
no flags Details | Diff
cups-CVE-2009-0164.patch (18.70 KB, patch)
2011-11-08 18:04 UTC, Tim Waugh
no flags Details | Diff
cups.spec.patch (2.81 KB, patch)
2011-11-09 15:17 UTC, Tim Waugh
no flags Details | Diff


External Trackers
Tracker ID Priority Status Summary Last Updated
CUPS Bugs and Features 3118 None None None Never
CUPS Bugs and Features 3164 None None None Never
CUPS Bugs and Features 3167 None None None Never

Description Jan Lieskovsky 2009-03-17 08:15:09 UTC
Aaron Sigel of Apple Product Security reported that CUPS did not check Host: HTTP header in the connections to the daemon.  This insufficient checking may be of an advantage as part of some other attack, e.g. DNS rebinding attack (however, for such attack, user's web browser or browser plugin must be prone to the DNS rebinding attack).

Upstream patch adds check for the Host: header used in clients' requests.  It also introduced ServerAlias configuration directive, that must be used to allow clients to use additional valid host names besides those set has hostname or hostname's aliases.

Comment 1 Jan Lieskovsky 2009-03-17 08:20:28 UTC
Created attachment 335489 [details]
Upstream Host: header checking patch

Comment 6 Jan Lieskovsky 2009-04-01 09:58:07 UTC
Created attachment 337477 [details]
Upstream documentation patch describing adding of new ServerAlias configuration directive

Comment 7 Jan Lieskovsky 2009-04-01 10:01:07 UTC
Created attachment 337478 [details]
The ServerAlias docs patch ported to RHEL-3 (1.1.17) cups -- similar change will be needed yet for doc/sam.shtml file yet

Comment 8 Tomas Hoger 2009-04-01 15:34:05 UTC
The Red Hat Security Response Team has rated this issue as having low security
impact, a future update may address this flaw.

The check introduced by this patch may break existing installations, where CUPS printing server is accessed by clients using DNS CNAME, that is not configured as a hostname or hostname alias on the server.  After applying this patch, CUPS server would refuse any connection attempts from such clients.

Comment 9 Tomas Hoger 2009-04-02 07:54:25 UTC
Created attachment 337735 [details]
Updated upstream patch

This patch adds support for localhost.localdomain as alternate localhost name.  It also adds support for '*' wildcard for use with ServerAlias directive.  This can be used to allow any name to be used in Host: header for non-localhost connections (localhost connections are treated separately, not influenced by ServerAlias settings) to emulate the behavior of older CUPS versions.

Comment 12 Tomas Hoger 2009-04-17 10:01:58 UTC
Fixed upstream in 1.3.10, lifting embargo:
  http://www.cups.org/articles.php?L582

Comment 14 Fedora Update System 2009-04-21 15:16:51 UTC
cups-1.3.10-1.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/cups-1.3.10-1.fc9

Comment 15 Fedora Update System 2009-04-21 15:19:43 UTC
cups-1.3.10-1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/cups-1.3.10-1.fc10

Comment 16 Fedora Update System 2009-04-22 00:47:06 UTC
cups-1.3.10-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 17 Fedora Update System 2009-04-22 00:49:59 UTC
cups-1.3.10-1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 18 Tomas Hoger 2009-04-27 06:50:16 UTC
CVE-2009-0164:
The web interface for CUPS before 1.3.10 does not validate the HTTP
Host header in a client request, which makes it easier for remote
attackers to conduct DNS rebinding attacks.

Comment 21 Tim Waugh 2009-04-27 17:18:50 UTC
Adding pointer to upstream STR #3164, "httpSetField needs to bracket IPv6 addresses for HTTP_FIELD_HOST".  This fix is required otherwise local connections may be denied.

Comment 22 Tim Waugh 2009-04-27 17:20:09 UTC
Adding pointer to upstream STR #3167, "ServerName not treated as allowed Host: value".  This fix is required otherwise connections made using the ServerName hostname will be denied unless there is also a ServerAlias for that name.

Comment 25 Tim Waugh 2009-05-01 15:56:10 UTC
I have seen some odd behaviour on Fedora 10 but have not been able to reproduce it, and it may be related to this change which is included in 1.3.10.

The problem seemed to be that cupsd was taking a very long time to look up the hostname associated with each network interface (some of which have no associated hostname), and doing this each time it sent browse information.  While it was doing this it could not process any IPP requests.

Comment 26 Josh Bressers 2011-07-26 18:06:47 UTC
Statement:

The Red Hat Security Response Team has rated this issue as having low security impact. The risks associated with fixing this bug are greater than the security risk. We therefore have no plans to fix this flaw in Red Hat Enterprise Linux 4 and 5.

Comment 27 Tim Waugh 2011-11-08 18:04:25 UTC
Created attachment 532352 [details]
cups-CVE-2009-0164.patch

Here's a patch that bundles all the fixes together.

The two extra spec file changes required are:

%install
...
# Disable Host: checking by default for compatibility.  The
# ServerAlias directive was added in 1.3.10.
for suffix in conf conf.default; do
  cat <<"EOF" >> $RPM_BUILD_ROOT%{_sysconfdir}/cups/cupsd."$suffix"

# You should list each hostname alias used for this server so that it
# can verify the correct name is used for it.  Using "ServerAlias *"
# disables checking.
ServerAlias *
EOF
done

...

%triggerpostun -- %{name} < 1:1.3.7-30
if [ "$1" -gt 0 ]; then
    CONF=%{_sysconfdir}/cups/cupsd.conf
    if ! grep -qiw ServerAlias "$CONF"; then
        cp -a "$CONF" "$CONF".rpmorig
        cat <<"EOF" >> "$CONF"

# You should list each hostname alias used for this server so that it
# can verify the correct name is used for it.  Using "ServerAlias *"
# disables checking.
ServerAlias *
EOF
        /sbin/service cups condrestart > /dev/null 2>&1 || :
    fi
fi

Comment 28 Tim Waugh 2011-11-09 15:17:59 UTC
Created attachment 532590 [details]
cups.spec.patch

Proposed spec changes.

Comment 29 Tomas Hoger 2011-11-10 16:25:43 UTC
Given the risks of the fix, low impact of the issue, and the fact we'd need to effectively disable the fix by default, we're not planning to add this fix to Red Hat Enterprise Linux 4 and 5.  The fix is already available in Red Hat Enterprise Linux 6 since the initial release.


Note You need to log in before you can comment on or make changes to this bug.