Bug 490597 - (CVE-2009-0164) CVE-2009-0164 cups: insufficient checking of the HTTP Host: header
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
impact=low,public=20090416,reported=2...
Keywords: Security
Depends On:
Blocks:
Reported: 2009-03-17 04:15 EDT by Jan Lieskovsky
Modified: 2011-11-10 11:25 EST (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-11-10 11:25:43 EST


Attachments
Upstream Host: header checking patch (13.35 KB, patch) -- 2009-03-17 04:20 EDT, Jan Lieskovsky
Upstream documentation patch describing adding of new ServerAlias configuration directive (757 bytes, patch) -- 2009-04-01 05:58 EDT, Jan Lieskovsky
The ServerAlias docs patch ported to RHEL-3 (1.1.17) cups -- similar change will be needed yet for doc/sam.shtml file yet (1.48 KB, patch) -- 2009-04-01 06:01 EDT, Jan Lieskovsky
Updated upstream patch (16.47 KB, patch) -- 2009-04-02 03:54 EDT, Tomas Hoger
cups-CVE-2009-0164.patch (18.70 KB, patch) -- 2011-11-08 13:04 EST, Tim Waugh
cups.spec.patch (2.81 KB, patch) -- 2011-11-09 10:17 EST, Tim Waugh


External Trackers
CUPS Bugs and Features: STR #3118
CUPS Bugs and Features: STR #3164
CUPS Bugs and Features: STR #3167

Description Jan Lieskovsky 2009-03-17 04:15:09 EDT
Aaron Sigel of Apple Product Security reported that CUPS did not check the Host: HTTP header in connections to the daemon.  This insufficient checking may be of advantage as part of some other attack, e.g. a DNS rebinding attack (however, for such an attack the user's web browser or browser plugin must be prone to DNS rebinding attacks).

The upstream patch adds a check for the Host: header used in clients' requests.  It also introduces the ServerAlias configuration directive, which must be used to allow clients to use additional valid host names besides those set as the hostname or the hostname's aliases.
Comment 1 Jan Lieskovsky 2009-03-17 04:20:28 EDT
Created attachment 335489 [details]
Upstream Host: header checking patch
Comment 6 Jan Lieskovsky 2009-04-01 05:58:07 EDT
Created attachment 337477 [details]
Upstream documentation patch describing adding of new ServerAlias configuration directive
Comment 7 Jan Lieskovsky 2009-04-01 06:01:07 EDT
Created attachment 337478 [details]
The ServerAlias docs patch ported to RHEL-3 (1.1.17) cups -- similar change will be needed yet for doc/sam.shtml file yet
Comment 8 Tomas Hoger 2009-04-01 11:34:05 EDT
The Red Hat Security Response Team has rated this issue as having low security
impact, a future update may address this flaw.

The check introduced by this patch may break existing installations where the CUPS printing server is accessed by clients using a DNS CNAME that is not configured as a hostname or hostname alias on the server.  After applying this patch, the CUPS server would refuse any connection attempts from such clients.
Comment 9 Tomas Hoger 2009-04-02 03:54:25 EDT
Created attachment 337735 [details]
Updated upstream patch

This patch adds support for localhost.localdomain as alternate localhost name.  It also adds support for '*' wildcard for use with ServerAlias directive.  This can be used to allow any name to be used in Host: header for non-localhost connections (localhost connections are treated separately, not influenced by ServerAlias settings) to emulate the behavior of older CUPS versions.
Comment 12 Tomas Hoger 2009-04-17 06:01:58 EDT
Fixed upstream in 1.3.10, lifting embargo:
  http://www.cups.org/articles.php?L582
Comment 14 Fedora Update System 2009-04-21 11:16:51 EDT
cups-1.3.10-1.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/cups-1.3.10-1.fc9
Comment 15 Fedora Update System 2009-04-21 11:19:43 EDT
cups-1.3.10-1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/cups-1.3.10-1.fc10
Comment 16 Fedora Update System 2009-04-21 20:47:06 EDT
cups-1.3.10-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 17 Fedora Update System 2009-04-21 20:49:59 EDT
cups-1.3.10-1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 18 Tomas Hoger 2009-04-27 02:50:16 EDT
CVE-2009-0164:
The web interface for CUPS before 1.3.10 does not validate the HTTP
Host header in a client request, which makes it easier for remote
attackers to conduct DNS rebinding attacks.
Comment 21 Tim Waugh 2009-04-27 13:18:50 EDT
Adding pointer to upstream STR #3164, "httpSetField needs to bracket IPv6 addresses for HTTP_FIELD_HOST".  This fix is required otherwise local connections may be denied.
Comment 22 Tim Waugh 2009-04-27 13:20:09 EDT
Adding pointer to upstream STR #3167, "ServerName not treated as allowed Host: value".  This fix is required otherwise connections made using the ServerName hostname will be denied unless there is also a ServerAlias for that name.
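To make the policy concrete, here is an added C illustration (not the CUPS patch or any project code) of the Host: check as the description and Comments 9, 21 and 22 describe it: non-local requests must carry ServerName or a ServerAlias entry (with "*" as the disable-checking wildcard), while local connections use a fixed loopback list, including localhost.localdomain and bracketed IPv6 form, and ignore ServerAlias. The struct, function names and the exact loopback list are assumptions made for the example.

```c
#include <stdbool.h>
#include <string.h>
#include <strings.h>

/* Illustrative re-implementation (not CUPS code) of the Host: policy from
 * this bug: a non-local request must carry ServerName, a ServerAlias, or
 * any name if "ServerAlias *" is set. Local (loopback) connections accept
 * an assumed fixed list incl. localhost.localdomain and bracketed IPv6
 * (STR #3164) and ignore ServerAlias. ServerName counts too (STR #3167). */
#define MAX_ALIASES 8
typedef struct {
    const char *server_name;               /* ServerName directive */
    const char *server_alias[MAX_ALIASES]; /* ServerAlias directives; "*" = any */
    int         num_aliases;
} host_policy_t;

/* Copy host without an optional ":port"; "[v6]:port" keeps its brackets. */
static bool host_strip_port(const char *host, char *out, size_t outlen)
{
    const char *end = (host[0] == '[') ? strchr(host, ']') : strchr(host, ':');
    if (host[0] == '[') { if (!end) return false; end++; }   /* keep ']' */
    else if (!end) end = host + strlen(host);
    size_t len = (size_t)(end - host);
    if (len == 0 || len >= outlen) return false;
    memcpy(out, host, len);
    out[len] = '\0';
    return true;
}

/* True if the Host: header value is acceptable for this connection. */
bool host_allowed(const host_policy_t *p, const char *host_hdr, bool is_local)
{
    char name[256];
    if (!host_hdr || !host_strip_port(host_hdr, name, sizeof name))
        return false;
    if (is_local) {          /* loopback: fixed names, ServerAlias not consulted */
        static const char *const local_names[] =
            { "localhost", "localhost.localdomain", "127.0.0.1", "[::1]" };
        for (size_t i = 0; i < sizeof local_names / sizeof *local_names; i++)
            if (!strcasecmp(name, local_names[i])) return true;
        return false;
    }
    if (p->server_name && !strcasecmp(name, p->server_name)) return true;
    for (int i = 0; i < p->num_aliases; i++)
        if (!strcmp(p->server_alias[i], "*") || !strcasecmp(name, p->server_alias[i]))
            return true;
    return false;            /* a name that does not belong to this server */
}
```

A request whose Host: is a name the server does not own (the situation DNS rebinding relies on) is rejected unless the administrator has opted out with "ServerAlias *", which is exactly the compatibility trade-off discussed in Comments 8 and 27.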
Comment 25 Tim Waugh 2009-05-01 11:56:10 EDT
I have seen some odd behaviour on Fedora 10 but have not been able to reproduce it, and it may be related to this change which is included in 1.3.10.

The problem seemed to be that cupsd was taking a very long time to look up the hostname associated with each network interface (some of which have no associated hostname), and doing this each time it sent browse information.  While it was doing this it could not process any IPP requests.
Comment 26 Josh Bressers 2011-07-26 14:06:47 EDT
Statement:

The Red Hat Security Response Team has rated this issue as having low security impact. The risks associated with fixing this bug are greater than the security risk. We therefore have no plans to fix this flaw in Red Hat Enterprise Linux 4 and 5.
Comment 27 Tim Waugh 2011-11-08 13:04:25 EST
Created attachment 532352 [details]
cups-CVE-2009-0164.patch

Here's a patch that bundles all the fixes together.

The two extra spec file changes required are:

%install
...
# Disable Host: checking by default for compatibility.  The
# ServerAlias directive was added in 1.3.10.
for suffix in conf conf.default; do
  cat <<"EOF" >> $RPM_BUILD_ROOT%{_sysconfdir}/cups/cupsd."$suffix"

# You should list each hostname alias used for this server so that it
# can verify the correct name is used for it.  Using "ServerAlias *"
# disables checking.
ServerAlias *
EOF
done

...

%triggerpostun -- %{name} < 1:1.3.7-30
if [ "$1" -gt 0 ]; then
    CONF=%{_sysconfdir}/cups/cupsd.conf
    if ! grep -qiw ServerAlias "$CONF"; then
        cp -a "$CONF" "$CONF".rpmorig
        cat <<"EOF" >> "$CONF"

# You should list each hostname alias used for this server so that it
# can verify the correct name is used for it.  Using "ServerAlias *"
# disables checking.
ServerAlias *
EOF
        /sbin/service cups condrestart > /dev/null 2>&1 || :
    fi
fi
Comment 28 Tim Waugh 2011-11-09 10:17:59 EST
Created attachment 532590 [details]
cups.spec.patch

Proposed spec changes.
Comment 29 Tomas Hoger 2011-11-10 11:25:43 EST
Given the risks of the fix, low impact of the issue, and the fact we'd need to effectively disable the fix by default, we're not planning to add this fix to Red Hat Enterprise Linux 4 and 5.  The fix is already available in Red Hat Enterprise Linux 6 since the initial release.
