Bug 875898 - (CVE-2012-5519) CVE-2012-5519 cups: privilege escalation for users of the CUPS SystemGroup group
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
All Linux
medium Severity medium
Assigned To: Red Hat Product Security
impact=moderate,public=20121108,repor...
Keywords: Security
Duplicates: 875897
Depends On: 875907 876224 876225 876226 876228 885625
Blocks: 875906
Reported: 2012-11-12 14:25 EST by Jan Lieskovsky
Modified: 2015-11-24 10:20 EST
Doc Type: Bug Fix
Last Closed: 2013-02-28 14:21:02 EST


Attachments
Local copy of the reproducer from relevant Debian bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692791#10 (353 bytes, text/plain)
2012-11-12 14:32 EST, Jan Lieskovsky


External Trackers
Tracker ID Priority Status Summary Last Updated
CUPS Bugs and Features 4223 None None None 2012-11-13 06:03:59 EST

Description Jan Lieskovsky 2012-11-12 14:25:21 EST
A privilege escalation flaw was found in the way cups, the Common Unix Printing System, performed demarcation of privileges for the members of SystemGroup, different from the privileged-user account (root). A remote attacker, a member of some of the CUPS SystemGroup groups, could use this flaw to read / write arbitrary system files with the privileges of the user running the CUPS daemon.

References:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692791
[2] http://www.openwall.com/lists/oss-security/2012/11/10/5

Upstream bug report:
[3] http://www.cups.org/str.php?L4223 (private for now)
Comment 1 Jan Lieskovsky 2012-11-12 14:27:04 EST
This issue affects the versions of the cups package, as shipped with Red Hat Enterprise Linux 5 and 6.

--

This issue affects the versions of the cups package, as shipped with Fedora releases 16 and 17. Please schedule an update (once the final upstream patch is available).
Comment 2 Jan Lieskovsky 2012-11-12 14:29:01 EST
The CVE identifier of CVE-2012-5519 has been assigned to this issue:
[4] http://www.openwall.com/lists/oss-security/2012/11/11/2
Comment 3 Jan Lieskovsky 2012-11-12 14:32:13 EST
Created attachment 643673
Local copy of the reproducer from relevant Debian bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692791#10
Comment 4 Jan Lieskovsky 2012-11-12 14:37:25 EST
Created cups tracking bugs for this issue

Affects: fedora-all [bug 875907]
Comment 6 Tomas Hoger 2012-11-13 01:39:18 EST
*** Bug 875897 has been marked as a duplicate of this bug. ***
Comment 17 Huzaifa S. Sidhpurwala 2012-12-05 09:40:39 EST
This flaw was addressed upstream by moving configuration directives for setting file, directory, user, and group parameters into a separate configuration file /etc/cups/cups-files.conf.

Only the cupsd.conf configuration file could be modified remotely using the CUPS web interface.  Changes to the cups-files.conf file can only be done locally (i.e. they require root privileges).

The following directives have been moved to the new configuration file (cups-files.conf):

AccessLog, BrowseLDAPCACertFile, CacheDir, ConfigFilePerm, DataDir, DocumentRoot, ErrorLog, FatalErrors, FileDevice, FontPath, Group, LogFilePerm, LPDConfigFile, PageLog, Printcap, PrintcapFormat, PrintcapGUI, RemoteRoot, RequestRoot, ServerBin, ServerCertificate, ServerKey, ServerRoot, SMBConfigFile, StateDir, SystemGroup, SystemGroupAuthKey, TempDir, User
Comment 19 Huzaifa S. Sidhpurwala 2012-12-10 22:55:07 EST
There are two factors which are needed for successful exploitation of this flaw.

1. This flaw can only be exploited by a local user that is a member of one of the groups specified in cupsd.conf using the SystemGroup configuration directive. For Red Hat Enterprise Linux 5 and 6, the default groups in the SystemGroup are 'sys' and 'root'.

2. SELinux mitigates the impact of the attack, limiting which files can be read or written by the attacker.

Statement:

This issue affects the version of cups as shipped with Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this issue as having moderate security impact; a future update may address this flaw.
Comment 21 Fedora Update System 2013-01-11 20:01:19 EST
cups-1.5.4-20.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 22 Huzaifa S. Sidhpurwala 2013-02-14 00:18:27 EST
The fix for this issue added to Red Hat Enterprise Linux 5 and 6 uses a different approach to the one used by upstream and described in comment 17.  It introduces a new configuration directive called "ConfigurationChangeRestriction" in the cupsd.conf configuration file.  This directive tells cupsd whether it should allow changing certain other configuration directives via its web interface.  Restricted configuration directives are the same ones that were moved to the cups-files.conf configuration file upstream (see comment 17 for the list).

ConfigurationChangeRestriction directive takes the following values:

1. "all" : This is the default value.  This option prevents all the users (both root user and members of one of the SystemGroup groups) from making any changes to the protected directives remotely via the cups web interface.  root user can still make changes locally by editing cupsd.conf configuration file directly.

2. "root-only" : Only root is allowed to make changes to the protected directives.  SystemGroup groups members are not allowed to change them.

3. "none" : Users in the SystemGroup groups and root can make changes to the above keywords remotely using the cups web interface.


Note that Red Hat Enterprise Linux 6 includes the cups-pk-helper package, which may allow a non-root user to change cups configuration, if the system administrator grants them such privilege via PolicyKit (via the org.opensuse.cupspkhelper.mechanism.server-settings polkit action).  cups-pk-helper performs configuration changes as the root user, therefore the ConfigurationChangeRestriction configuration must be set to "all" to prevent such users from changing protected directives.
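
Added example (not part of the bug report, and not Red Hat or CUPS code): a small audit of a cupsd.conf against both fixes, reporting the effective ConfigurationChangeRestriction value from comment 22 and which of the protected directives from comment 17 are set in the file. The function name, the result keys and the sample configuration are constructed for illustration, and directive names are assumed to be matched case-insensitively.

```python
# Directives listed in comment 17 (moved to cups-files.conf upstream,
# guarded by ConfigurationChangeRestriction in the RHEL 5/6 fix).
PROTECTED = frozenset(d.lower() for d in """
AccessLog BrowseLDAPCACertFile CacheDir ConfigFilePerm DataDir DocumentRoot
ErrorLog FatalErrors FileDevice FontPath Group LogFilePerm LPDConfigFile
PageLog Printcap PrintcapFormat PrintcapGUI RemoteRoot RequestRoot ServerBin
ServerCertificate ServerKey ServerRoot SMBConfigFile StateDir SystemGroup
SystemGroupAuthKey TempDir User""".split())
RESTRICTION_VALUES = ("all", "root-only", "none")

def audit_cupsd_conf(text):
    """Summarise how a cupsd.conf relates to the CVE-2012-5519 fixes."""
    restriction = "all"  # default per comment 22 when the directive is absent
    protected, system_groups, warnings = [], [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", "<")):
            continue  # blanks, comments, <Location>/<Policy> tags
        parts = line.split(None, 1)
        name = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        key = name.lower()
        if key == "configurationchangerestriction":
            restriction = value.lower()
            if restriction not in RESTRICTION_VALUES:
                warnings.append(f"line {lineno}: unknown value {value!r}")
        elif key in PROTECTED:
            protected.append((lineno, name, value))
            if key == "systemgroup":
                system_groups.extend(value.split())
    if restriction == "none":
        warnings.append("SystemGroup members can change protected "
                        "directives via the web interface")
    elif restriction == "root-only":
        warnings.append("helpers acting as root (cups-pk-helper) can "
                        "still change protected directives")
    return {"restriction": restriction, "system_groups": system_groups,
            "protected": protected, "warnings": warnings}

# Constructed sample configuration, not taken from the bug report.
SAMPLE = """\
# sample cupsd.conf
LogLevel warn
SystemGroup sys root
ConfigurationChangeRestriction root-only
ErrorLog /var/log/cups/error_log
<Location /admin>
  Order allow,deny
</Location>
"""

if __name__ == "__main__":
    print(audit_cupsd_conf(SAMPLE))
```

On a system carrying the upstream fix, any entry reported under "protected" is a directive that belongs in cups-files.conf rather than cupsd.conf.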
Comment 24 Fedora Update System 2013-02-25 21:41:44 EST
cups-1.5.4-18.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 25 errata-xmlrpc 2013-02-28 13:56:59 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2013:0580 https://rhn.redhat.com/errata/RHSA-2013-0580.html
