Bug 1949119 (CVE-2021-25317) - CVE-2021-25317 cups: insecure permissions of /var/log/cups allows for symlink attacks
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2021-25317
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1950903 1950124 1950125 1955090 1955091
Blocks: 1947565
Reported: 2021-04-13 13:18 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-11-15 13:09 UTC

Fixed In Version:
Doc Text:
It was found that some Linux vendors may assign the ownership of the /var/log/cups directory to the `lp` user. This could allow an attacker with such privileges to create empty files in arbitrary locations, or to force arbitrary files to be opened and closed, using a symlink attack. This has a low impact on the integrity of the system.
Clone Of:
Environment:
Last Closed: 2021-11-15 13:09:58 UTC
Embargoed:


Description Guilherme de Almeida Suckevicz 2021-04-13 13:18:12 UTC
A flaw was found in the way some Linux Operating Systems install cups.
If the default permissions of /var/log/cups allow the 'lp' user to write new files and the cups daemon runs with root permissions, an attacker with access to the 'lp' user could use this flaw to carry out a symlink attack.
However, because cupsd verifies whether the path is a symlink after opening it, the flaw can be used only to create empty files in arbitrary locations, or to force open()/close() system calls on arbitrary locations.

Because the code will correct the /var/log/cups permissions after the failure, the attacker can carry out this attack only once.

# ps -FC cupsd
UID        PID  PPID  C    SZ   RSS PSR STIME TTY          TIME CMD
root     18686     1  0 86575  9900   0 07:55 ?        00:00:00 /usr/sbin/cupsd -l

# ls -ld /var/log/cups/
drwxr-xr-x. 2 lp sys 68 Apr 14 07:39 /var/log/cups/
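
A defender-side check for the condition shown above, as an added example that is not part of the original report or of CUPS: it flags a log directory that is owned by anyone other than a trusted uid, is group- or world-writable, or already contains symlinks. The function name `audit_logdir` and its optional `TRUSTED_UID` argument are assumptions, and it relies on GNU `stat` and `find`.

```shell
#!/bin/sh
# Added example: audit a directory that a root-run daemon writes logs into.
# Usage: audit_logdir DIR [TRUSTED_UID]   (hypothetical helper, not from CUPS)
# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_logdir() {
    dir=$1
    trusted_uid=${2:-0}     # uid allowed to own the directory; root by default
    findings=0

    # The path itself must be a real directory, not a symlink to one.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "FINDING: $dir is a symlink or not a directory"
        return 1
    fi

    # GNU stat: %u = owner uid, %a = octal permission bits.
    owner=$(stat -c '%u' "$dir")
    mode=$(stat -c '%a' "$dir")

    # An unprivileged owner (such as 'lp' in this bug) can create entries.
    if [ "$owner" != "$trusted_uid" ]; then
        echo "FINDING: $dir owned by uid $owner, expected $trusted_uid"
        findings=1
    fi

    # Group or other write permission gives non-owners the same ability.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "FINDING: $dir mode $mode is group- or world-writable"
        findings=1
    fi

    # Symlinks directly inside the log directory are suspect, dangling or not.
    links=$(find "$dir" -mindepth 1 -maxdepth 1 -type l)
    if [ -n "$links" ]; then
        echo "FINDING: symlinks present in $dir:"
        echo "$links"
        findings=1
    fi

    return "$findings"
}
```

Run as `audit_logdir /var/log/cups` on a host where cupsd runs as root; the listing above would produce an ownership finding because the directory belongs to `lp`.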

Comment 3 Cedric Buissart 2021-04-20 15:27:00 UTC
Acknowledgments:

Name: Matthias Gerstner

Comment 4 Cedric Buissart 2021-04-27 06:36:53 UTC
Statement:

This issue does not affect the upstream CUPS, only the CUPS versions as packaged by some OS vendors.

Comment 5 Cedric Buissart 2021-04-29 12:22:23 UTC
Created cups tracking bugs for this issue:

Affects: fedora-all [bug 1955090]

