Red Hat Bugzilla – Bug 875898
CVE-2012-5519 cups: privilege escalation for users of the CUPS SystemGroup group
Last modified: 2015-11-24 10:20:56 EST
A privilege escalation flaw was found in the way cups, a Common Unix Printing System, performed demarcation of privileges for the members of SystemGroup, different from the privileged-user account (root). A remote attacker, member of some of the CUPS SystemGroup groups, could use this flaw to read / write arbitrary system file with the privileges of the user running the CUPS daemon.
Upstream bug report:
 http://www.cups.org/str.php?L4223 (private for now)
This issue affects the versions of the cups package, as shipped with Red Hat Enterprise Linux 5 and 6.
This issue affects the versions of the cups package, as shipped with Fedora release of 16 and 17. Please schedule an update (once final upstream patch available).
The CVE identifier of CVE-2012-5519 has been assigned to this issue:
Created attachment 643673 [details]
Local copy of the reproducer from relevant Debian bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692791#10
Created cups tracking bugs for this issue
Affects: fedora-all [bug 875907]
*** Bug 875897 has been marked as a duplicate of this bug. ***
This flaw was addressed upstream by moving configuration directives for setting file, directory, user, and group parameters into a separate configuration file /etc/cups/cups-files.conf.
Only cupsd.conf configuration file could be modified remotely using CUPS web interface. Changes to the cups-files.conf file can only be done locally (i.e. they require root privileges).
The following directives have been moved to the new configuration file (cups-files.conf):
AccessLog, BrowseLDAPCACertFile, CacheDir, ConfigFilePerm, DataDir, DocumentRoot, ErrorLog, FatalErrors, FileDevice, FontPath, Group, LogFilePerm, LPDConfigFile, PageLog, Printcap, PrintcapFormat, PrintcapGUI, RemoteRoot, RequestRoot, ServerBin, ServerCertificate, ServerKey, ServerRoot, SMBConfigFile, StateDir, SystemGroup, SystemGroupAuthKey, TempDir, User
There are two factors which are needed for successful exploitation of this flaw.
1. This flaw can only be exploit by a local user that is member of one of the groups specified in cupsd.conf using SystemGroup configuration directive. For Red Hat Enterprise Linux 5 and 6, default groups in the SystemGroup are 'sys' and 'root'.
2. SELinux mitigates impact of the attack, limiting which read or written by the attacker.
This issue affects the version of cups as shipped with Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this issue as having moderate security impact, a future update may address this flaw.
cups-1.5.4-20.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
The fix for this issue added to Red Hat Enterprise Linux 5 and 6 uses different approach to the one used by upstream and described in comment 17. It introduces a new configuration directive called "ConfigurationChangeRestriction" in the cupsd.conf configuration file. This directive tells cuspd whether it should allow changing certain other configuration directives via its web interface. Restricted configuration directives are the same that were moved to cups-file.conf configuration file upstream (see comment 17 for the list).
ConfigurationChangeRestriction directive takes the following values:
1. "all" : This is the default value. This option prevents all the users (both root user and members of one of the SystemGroup groups) from making any changes to the protected directives remotely via the cups web interface. root user can still make changes locally by editing cupsd.conf configuration file directly.
2. "root-only" : Only root is allowed to make changes to the protected directives. SystemGroup groups members are not allowed to change them.
3. "none" : Users in the SystemGroup groups and root can make changes to the above keywords remotely using the cups web interface.
Note that Red Hat Enterprise Linux 6 includes cups-pk-helper package, which may allow non-root user to change cups configuration, if system administrator grants them such privilege via PolicyKit (via the org.opensuse.cupspkhelper.mechanism.server-settings polkit action). cups-pk-helper performs configuration changes as root user, therefore the ConfigurationChangeRestriction configuration must be set to "all" to prevent such users from changing protected directives.
cups-1.5.4-18.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in following products:
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
Via RHSA-2013:0580 https://rhn.redhat.com/errata/RHSA-2013-0580.html