Bug 875898 (CVE-2012-5519) - CVE-2012-5519 cups: privilege escalation for users of the CUPS SystemGroup group
Summary: CVE-2012-5519 cups: privilege escalation for users of the CUPS SystemGroup group
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2012-5519
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
: 875897 (view as bug list)
Depends On: 875907 876224 876225 876226 876228 885625
Blocks: 875906
TreeView+ depends on / blocked
 
Reported: 2012-11-12 19:25 UTC by Jan Lieskovsky
Modified: 2021-02-17 08:24 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-02-28 19:21:02 UTC


Attachments (Terms of Use)
Local copy of the reproducer from relevant Debian bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692791#10 (353 bytes, text/plain)
2012-11-12 19:32 UTC, Jan Lieskovsky
no flags Details


Links
System ID Private Priority Status Summary Last Updated
CUPS Bugs and Features 4223 0 None None None 2012-11-13 11:03:59 UTC
Red Hat Product Errata RHSA-2013:0580 0 normal SHIPPED_LIVE Moderate: cups security update 2013-02-28 23:52:21 UTC

Description Jan Lieskovsky 2012-11-12 19:25:21 UTC
A privilege escalation flaw was found in the way cups, a Common Unix Printing System, performed demarcation of privileges for the members of SystemGroup, different from the privileged-user account (root). A remote attacker, member of some of the CUPS SystemGroup groups, could use this flaw to read / write arbitrary system file with the privileges of the user running the CUPS daemon.

References:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692791
[2] http://www.openwall.com/lists/oss-security/2012/11/10/5

Upstream bug report:
[3] http://www.cups.org/str.php?L4223 (private for now)

Comment 1 Jan Lieskovsky 2012-11-12 19:27:04 UTC
This issue affects the versions of the cups package, as shipped with Red Hat Enterprise Linux 5 and 6.

--

This issue affects the versions of the cups package, as shipped with Fedora release of 16 and 17. Please schedule an update (once final upstream patch available).

Comment 2 Jan Lieskovsky 2012-11-12 19:29:01 UTC
The CVE identifier of CVE-2012-5519 has been assigned to this issue:
[4] http://www.openwall.com/lists/oss-security/2012/11/11/2

Comment 3 Jan Lieskovsky 2012-11-12 19:32:13 UTC
Created attachment 643673 [details]
Local copy of the reproducer from relevant Debian bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692791#10

Comment 4 Jan Lieskovsky 2012-11-12 19:37:25 UTC
Created cups tracking bugs for this issue

Affects: fedora-all [bug 875907]

Comment 6 Tomas Hoger 2012-11-13 06:39:18 UTC
*** Bug 875897 has been marked as a duplicate of this bug. ***

Comment 17 Huzaifa S. Sidhpurwala 2012-12-05 14:40:39 UTC
This flaw was addressed upstream by moving configuration directives for setting file, directory, user, and group parameters into a separate configuration file /etc/cups/cups-files.conf.

Only cupsd.conf configuration file could be modified remotely using CUPS web interface.  Changes to the cups-files.conf file can only be done locally (i.e. they require root privileges).

The following directives have been moved to the new configuration file (cups-files.conf):

AccessLog, BrowseLDAPCACertFile, CacheDir, ConfigFilePerm, DataDir, DocumentRoot, ErrorLog, FatalErrors, FileDevice, FontPath, Group, LogFilePerm, LPDConfigFile, PageLog, Printcap, PrintcapFormat, PrintcapGUI, RemoteRoot, RequestRoot, ServerBin, ServerCertificate, ServerKey, ServerRoot, SMBConfigFile, StateDir, SystemGroup, SystemGroupAuthKey, TempDir, User

Comment 19 Huzaifa S. Sidhpurwala 2012-12-11 03:55:07 UTC
There are two factors which are needed for successful exploitation of this flaw.

1. This flaw can only be exploit by a local user that is member of one of the groups specified in cupsd.conf using SystemGroup configuration directive. For Red Hat Enterprise Linux 5 and 6, default groups in the SystemGroup are 'sys' and 'root'.

2. SELinux mitigates impact of the attack, limiting which read or written by the attacker.

Statement:

This issue affects the version of cups as shipped with Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this issue as having moderate security impact, a future update may address this flaw.

Comment 21 Fedora Update System 2013-01-12 01:01:19 UTC
cups-1.5.4-20.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 22 Huzaifa S. Sidhpurwala 2013-02-14 05:18:27 UTC
The fix for this issue added to Red Hat Enterprise Linux 5 and 6 uses different approach to the one used by upstream and described in comment 17.  It introduces a new configuration directive called "ConfigurationChangeRestriction" in the cupsd.conf configuration file.  This directive tells cuspd whether it should allow changing certain other configuration directives via its web interface.  Restricted configuration directives are the same that were moved to cups-file.conf configuration file upstream (see comment 17 for the list).

ConfigurationChangeRestriction directive takes the following values:

1. "all" : This is the default value.  This option prevents all the users (both root user and members of one of the SystemGroup groups) from making any changes to the protected directives remotely via the cups web interface.  root user can still make changes locally by editing cupsd.conf configuration file directly.

2. "root-only" : Only root is allowed to make changes to the protected directives.  SystemGroup groups members are not allowed to change them.

3. "none" : Users in the SystemGroup groups and root can make changes to the above keywords remotely using the cups web interface.


Note that Red Hat Enterprise Linux 6 includes cups-pk-helper package, which may allow non-root user to change cups configuration, if system administrator grants them such privilege via PolicyKit (via the org.opensuse.cupspkhelper.mechanism.server-settings polkit action).  cups-pk-helper performs configuration changes as root user, therefore the ConfigurationChangeRestriction configuration must be set to "all" to prevent such users from changing protected directives.

Comment 24 Fedora Update System 2013-02-26 02:41:44 UTC
cups-1.5.4-18.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 25 errata-xmlrpc 2013-02-28 18:56:59 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2013:0580 https://rhn.redhat.com/errata/RHSA-2013-0580.html


Note You need to log in before you can comment on or make changes to this bug.