Vulnerabilities > CVE-2004-2154 - Improper Handling of Case Sensitivity vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
CUPS before 1.1.21rc1 treats a Location directive in cupsd.conf as case sensitive, which allows attackers to bypass intended ACLs via a printer name containing uppercase or lowercase letters that are different from what is specified in the directive.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2005-165.NASL description A vulnerability in CUPS would treat a Location directive in cupsd.conf as case-sensitive, allowing attackers to bypass intended ACLs via a printer name containing uppercase or lowecase letters that are different from that which was specified in the Location directive. This issue only affects versions of CUPS prior to 1.1.21rc1. The updated packages have been patched to correct this problem. last seen 2020-06-01 modified 2020-06-02 plugin id 19920 published 2005-10-05 reporter This script is Copyright (C) 2005-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/19920 title Mandrake Linux Security Advisory : cups (MDKSA-2005:165) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Mandrake Linux Security Advisory MDKSA-2005:165. # The text itself is copyright (C) Mandriva S.A. # include("compat.inc"); if (description) { script_id(19920); script_version ("1.17"); script_cvs_date("Date: 2019/08/02 13:32:48"); script_cve_id("CVE-2004-2154"); script_xref(name:"MDKSA", value:"2005:165"); script_name(english:"Mandrake Linux Security Advisory : cups (MDKSA-2005:165)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value: "The remote Mandrake Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "A vulnerability in CUPS would treat a Location directive in cupsd.conf as case-sensitive, allowing attackers to bypass intended ACLs via a printer name containing uppercase or lowecase letters that are different from that which was specified in the Location directive. This issue only affects versions of CUPS prior to 1.1.21rc1. The updated packages have been patched to correct this problem." ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:cups"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:cups-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:cups-serial"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64cups2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64cups2-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libcups2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libcups2-devel"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:10.0"); script_set_attribute(attribute:"patch_publication_date", value:"2005/09/19"); script_set_attribute(attribute:"plugin_publication_date", value:"2005/10/05"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc."); script_family(english:"Mandriva Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux"); if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu); flag = 0; if (rpm_check(release:"MDK10.0", reference:"cups-1.1.20-5.9.100mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.0", reference:"cups-common-1.1.20-5.9.100mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.0", reference:"cups-serial-1.1.20-5.9.100mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.0", cpu:"amd64", reference:"lib64cups2-1.1.20-5.9.100mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.0", cpu:"amd64", reference:"lib64cups2-devel-1.1.20-5.9.100mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.0", cpu:"i386", reference:"libcups2-1.1.20-5.9.100mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.0", cpu:"i386", reference:"libcups2-devel-1.1.20-5.9.100mdk", yank:"mdk")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2005-571.NASL description Updated CUPS packages that fix a security issue are now available for Red Hat Enterprise Linux 3. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX(R) operating systems. When processing a request, the CUPS scheduler would use case-sensitive matching on the queue name to decide which authorization policy should be used. However, queue names are not case-sensitive. An unauthorized user could print to a password-protected queue without needing a password. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-2154 to this issue. Please note that the version of CUPS included in Red Hat Enterprise Linux 4 is not vulnerable to this issue. All users of CUPS should upgrade to these erratum packages which contain a backported patch to correct this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 21842 published 2006-07-03 reporter This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/21842 title CentOS 3 : cups (CESA-2005:571) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2005:571 and # CentOS Errata and Security Advisory 2005:571 respectively. # include("compat.inc"); if (description) { script_id(21842); script_version("1.19"); script_cvs_date("Date: 2019/10/25 13:36:02"); script_cve_id("CVE-2004-2154"); script_xref(name:"RHSA", value:"2005:571"); script_name(english:"CentOS 3 : cups (CESA-2005:571)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote CentOS host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated CUPS packages that fix a security issue are now available for Red Hat Enterprise Linux 3. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX(R) operating systems. When processing a request, the CUPS scheduler would use case-sensitive matching on the queue name to decide which authorization policy should be used. However, queue names are not case-sensitive. An unauthorized user could print to a password-protected queue without needing a password. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-2154 to this issue. Please note that the version of CUPS included in Red Hat Enterprise Linux 4 is not vulnerable to this issue. All users of CUPS should upgrade to these erratum packages which contain a backported patch to correct this issue." ); # https://lists.centos.org/pipermail/centos-announce/2005-July/011932.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?f95c44db" ); # https://lists.centos.org/pipermail/centos-announce/2005-July/011934.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?0b0b020e" ); # https://lists.centos.org/pipermail/centos-announce/2005-July/011935.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?8565f41c" ); script_set_attribute(attribute:"solution", value:"Update the affected cups packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:cups"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:cups-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:cups-libs"); script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:3"); script_set_attribute(attribute:"vuln_publication_date", value:"2004/12/31"); script_set_attribute(attribute:"patch_publication_date", value:"2005/07/15"); script_set_attribute(attribute:"plugin_publication_date", value:"2006/07/03"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"CentOS Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/CentOS/release"); if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS"); os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS"); os_ver = os_ver[1]; if (! preg(pattern:"^3([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 3.x", "CentOS " + os_ver); if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu); flag = 0; if (rpm_check(release:"CentOS-3", reference:"cups-1.1.17-13.3.29")) flag++; if (rpm_check(release:"CentOS-3", reference:"cups-devel-1.1.17-13.3.29")) flag++; if (rpm_check(release:"CentOS-3", reference:"cups-libs-1.1.17-13.3.29")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "cups / cups-devel / cups-libs"); }NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-185-1.NASL description A flaw was detected in the printer access control list checking in the CUPS server. Printer names were compared in a case sensitive manner; by modifying the capitalization of printer names, a remote attacker could circumvent ACLs and print to printers he should not have access to. The Ubuntu 5.04 version of cupsys is not vulnerable against this. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 20596 published 2006-01-15 reporter Ubuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/20596 title Ubuntu 4.10 : cupsys vulnerability (USN-185-1) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2005-571.NASL description Updated CUPS packages that fix a security issue are now available for Red Hat Enterprise Linux 3. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX(R) operating systems. When processing a request, the CUPS scheduler would use case-sensitive matching on the queue name to decide which authorization policy should be used. However, queue names are not case-sensitive. An unauthorized user could print to a password-protected queue without needing a password. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-2154 to this issue. Please note that the version of CUPS included in Red Hat Enterprise Linux 4 is not vulnerable to this issue. All users of CUPS should upgrade to these erratum packages which contain a backported patch to correct this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 19213 published 2005-07-16 reporter This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/19213 title RHEL 3 : cups (RHSA-2005:571)
Oval
| accepted | 2013-04-29T04:23:28.966-04:00 | ||||||||
| class | vulnerability | ||||||||
| contributors |
| ||||||||
| definition_extensions |
| ||||||||
| description | CUPS before 1.1.21rc1 treats a Location directive in cupsd.conf as case sensitive, which allows attackers to bypass intended ACLs via a printer name containing uppercase or lowercase letters that are different from what is specified in the directive. | ||||||||
| family | unix | ||||||||
| id | oval:org.mitre.oval:def:9940 | ||||||||
| status | accepted | ||||||||
| submitted | 2010-07-09T03:56:16-04:00 | ||||||||
| title | CUPS before 1.1.21rc1 treats a Location directive in cupsd.conf as case sensitive, which allows attackers to bypass intended ACLs via a printer name containing uppercase or lowercase letters that are different from what is specified in the directive. | ||||||||
| version | 26 |
Redhat
| advisories |
| ||||
| rpms |
|
References
- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=162405
- http://www.cups.org/str.php?L700
- http://www.redhat.com/support/errata/RHSA-2005-571.html
- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=163274
- http://www.ubuntu.com/usn/usn-185-1
- http://www.novell.com/linux/security/advisories/2005_18_sr.html
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9940