Vulnerabilities > CVE-2004-2154 - Improper Handling of Case Sensitivity vulnerability in multiple products

047910
CVSS 9.8 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
apple
canonical
CWE-178
critical
nessus

Summary

CUPS before 1.1.21rc1 treats a Location directive in cupsd.conf as case sensitive, which allows attackers to bypass intended ACLs via a printer name containing uppercase or lowercase letters that are different from what is specified in the directive.

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2005-165.NASL
    descriptionA vulnerability in CUPS would treat a Location directive in cupsd.conf as case-sensitive, allowing attackers to bypass intended ACLs via a printer name containing uppercase or lowercase letters that are different from that which was specified in the Location directive. This issue only affects versions of CUPS prior to 1.1.21rc1. The updated packages have been patched to correct this problem.
    last seen2020-06-01
    modified2020-06-02
    plugin id19920
    published2005-10-05
    reporterThis script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/19920
    titleMandrake Linux Security Advisory : cups (MDKSA-2005:165)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandrake Linux Security Advisory MDKSA-2005:165. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    # Description phase: when the `description` variable is truthy, the script
    # only registers its metadata (IDs, references, report text, CVSS vector,
    # CPEs, dependencies) and then calls exit(0), so none of the package checks
    # further down in the file run in this pass.
    if (description)
    {
      script_id(19920);
      script_version ("1.17");
      script_cvs_date("Date: 2019/08/02 13:32:48");
    
      # Cross-references that tie a finding back to the CVE and to the vendor
      # advisory (MDKSA-2005:165).
      script_cve_id("CVE-2004-2154");
      script_xref(name:"MDKSA", value:"2005:165");
    
      script_name(english:"Mandrake Linux Security Advisory : cups (MDKSA-2005:165)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandrake Linux host is missing one or more security
    updates."
      );
      # Advisory text shown in the report. It describes the weakness as an access
      # control decision made on a case-sensitive match of the Location directive.
      script_set_attribute(
        attribute:"description", 
        value:
    "A vulnerability in CUPS would treat a Location directive in cupsd.conf
    as case-sensitive, allowing attackers to bypass intended ACLs via a
    printer name containing uppercase or lowecase letters that are
    different from that which was specified in the Location directive.
    This issue only affects versions of CUPS prior to 1.1.21rc1.
    
    The updated packages have been patched to correct this problem."
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      # CVSS v2 base vector registered by this plugin: network access vector,
      # low access complexity, no authentication, partial confidentiality,
      # integrity and availability impact.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      # Declared as a local check; per the summary above it works from rpm output
      # rather than by probing the CUPS service over the network.
      script_set_attribute(attribute:"plugin_type", value:"local");
      # CPE identifiers for the cups packages and for Mandrake Linux 10.0.
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:cups");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:cups-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:cups-serial");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64cups2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64cups2-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libcups2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libcups2-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:10.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2005/09/19");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/10/05");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      # Knowledge-base keys the plugin requires before it is run.
      # NOTE(review): presumably these are populated by ssh_get_info.nasl, the
      # only declared dependency - confirm. Without working local (credentialed)
      # checks the host is not evaluated by this plugin at all.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      # Leave the description pass without touching the target.
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
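    # Pre-flight gating: stop with an audit message unless local checks are
    # enabled, the KB marks the host as Mandrake/Mandriva, and an rpm list was
    # collected. The OS name in the AUDIT_OS_NOT message is spelled
    # "Mandriva / Mandrake Linux", matching the architecture message below, so
    # audit trails can be searched with one string.
    # NOTE(review): the lines below rely on audit() ending the script (cpu is
    # used right after its isnull check) - confirm in audit.inc.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandrake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Only amd64 / x86_64 and i386-i686 hosts are evaluated. Any other
    # architecture is audited as "local checks not implemented", which is a
    # coverage gap for that host, not a statement that it is patched.
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);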
    
    
    # Count the packages for which rpm_check() reports a hit against the fixed
    # MDKSA-2005:165 builds (presumably: installed build older than `reference`
    # - confirm in rpm.inc). The fixed builds are still 1.1.20-based, i.e. the
    # fix is a backport, so the comparison has to be on the full package release
    # and not on the upstream "before 1.1.21rc1" version string.
    # A non-zero flag only says a fixed build is missing; nothing here inspects
    # cupsd.conf to see whether printers are protected by Location ACLs.
    flag = 0;
    
    # Packages checked without an architecture restriction.
    foreach fixed_pkg (make_list(
      "cups-1.1.20-5.9.100mdk",
      "cups-common-1.1.20-5.9.100mdk",
      "cups-serial-1.1.20-5.9.100mdk"))
    {
      if (rpm_check(release:"MDK10.0", reference:fixed_pkg, yank:"mdk")) flag++;
    }
    
    # 64-bit library packages, checked with cpu:"amd64".
    foreach fixed_pkg (make_list(
      "lib64cups2-1.1.20-5.9.100mdk",
      "lib64cups2-devel-1.1.20-5.9.100mdk"))
    {
      if (rpm_check(release:"MDK10.0", cpu:"amd64", reference:fixed_pkg, yank:"mdk")) flag++;
    }
    
    # 32-bit library packages, checked with cpu:"i386".
    foreach fixed_pkg (make_list(
      "libcups2-1.1.20-5.9.100mdk",
      "libcups2-devel-1.1.20-5.9.100mdk"))
    {
      if (rpm_check(release:"MDK10.0", cpu:"i386", reference:fixed_pkg, yank:"mdk")) flag++;
    }
    
    
    # Outcome: no hit is audited as "host not affected"; at least one hit is
    # reported on port 0 (the finding is about installed packages, not a
    # listening service).
    if (flag == 0)
    {
      audit(AUDIT_HOST_NOT, "affected");
    }
    else
    {
      if (report_verbosity > 0)
      {
        # Verbose reports carry the per-package detail collected by rpm_check().
        security_hole(port:0, extra:rpm_report_get());
      }
      else
      {
        security_hole(0);
      }
      exit(0);
    }
    
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2005-571.NASL
    descriptionUpdated CUPS packages that fix a security issue are now available for Red Hat Enterprise Linux 3. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX(R) operating systems. When processing a request, the CUPS scheduler would use case-sensitive matching on the queue name to decide which authorization policy should be used. However, queue names are not case-sensitive. An unauthorized user could print to a password-protected queue without needing a password. The Common Vulnerabilities and Exposures project has assigned the name CVE-2004-2154 to this issue. Please note that the version of CUPS included in Red Hat Enterprise Linux 4 is not vulnerable to this issue. All users of CUPS should upgrade to these erratum packages which contain a backported patch to correct this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id21842
    published2006-07-03
    reporterThis script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/21842
    titleCentOS 3 : cups (CESA-2005:571)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2005:571 and 
    # CentOS Errata and Security Advisory 2005:571 respectively.
    #
    
    include("compat.inc");
    
    # Description phase: when the `description` variable is truthy, the script
    # only registers its metadata (IDs, references, report text, CVSS vector,
    # CPEs, dates, dependencies) and then calls exit(0), so none of the package
    # checks further down in the file run in this pass.
    if (description)
    {
      script_id(21842);
      script_version("1.19");
      script_cvs_date("Date: 2019/10/25 13:36:02");
    
      # Cross-references that tie a finding back to the CVE and to the vendor
      # advisory (RHSA-2005:571).
      script_cve_id("CVE-2004-2154");
      script_xref(name:"RHSA", value:"2005:571");
    
      script_name(english:"CentOS 3 : cups (CESA-2005:571)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote CentOS host is missing one or more security updates."
      );
      # NOTE(review): the advisory text below names CVE-2005-2154, while
      # script_cve_id above registers CVE-2004-2154. The text looks like a typo
      # carried over with the extracted advisory wording - confirm, and match
      # findings on the registered CVE ID rather than on the description text.
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated CUPS packages that fix a security issue are now available for
    Red Hat Enterprise Linux 3.
    
    This update has been rated as having moderate security impact by the
    Red Hat Security Response Team.
    
    The Common UNIX Printing System (CUPS) provides a portable printing
    layer for UNIX(R) operating systems.
    
    When processing a request, the CUPS scheduler would use case-sensitive
    matching on the queue name to decide which authorization policy should
    be used. However, queue names are not case-sensitive. An unauthorized
    user could print to a password-protected queue without needing a
    password. The Common Vulnerabilities and Exposures project has
    assigned the name CVE-2005-2154 to this issue.
    
    Please note that the version of CUPS included in Red Hat Enterprise
    Linux 4 is not vulnerable to this issue.
    
    All users of CUPS should upgrade to these erratum packages which
    contain a backported patch to correct this issue."
      );
      # Each see_also value is a nessus.org short link; the comment above it
      # records the CentOS announce-list URL it presumably stands for.
      # https://lists.centos.org/pipermail/centos-announce/2005-July/011932.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?f95c44db"
      );
      # https://lists.centos.org/pipermail/centos-announce/2005-July/011934.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?0b0b020e"
      );
      # https://lists.centos.org/pipermail/centos-announce/2005-July/011935.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?8565f41c"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected cups packages.");
      # CVSS v2 base vector registered by this plugin: network access vector,
      # low access complexity, no authentication, partial confidentiality,
      # integrity and availability impact.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      # Declared as a local check; per the summary above it works from rpm output
      # rather than by probing the CUPS service over the network.
      script_set_attribute(attribute:"plugin_type", value:"local");
      # CPE identifiers for the cups packages and for CentOS 3.
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:cups");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:cups-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:cups-libs");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:3");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2004/12/31");
      script_set_attribute(attribute:"patch_publication_date", value:"2005/07/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/07/03");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"CentOS Local Security Checks");
    
      # Knowledge-base keys the plugin requires before it is run.
      # NOTE(review): presumably these are populated by ssh_get_info.nasl, the
      # only declared dependency - confirm. "Host/cpu" is read by the check
      # logic later in the file but is not listed here.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");
    
      # Leave the description pass without touching the target.
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    # Pre-flight gating: each failed condition ends in an audit message instead
    # of a finding, so a host that is skipped here was not evaluated at all.
    if (!get_kb_item("Host/local_checks_enabled"))
    {
      audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    }
    
    # The release string from the KB must mention CentOS ...
    release = get_kb_item("Host/CentOS/release");
    if (isnull(release) || !("CentOS" >< release))
    {
      audit(AUDIT_OS_NOT, "CentOS");
    }
    
    # ... and its major version, taken from the first capture group, must be 3.
    ver_match = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
    if (isnull(ver_match))
    {
      audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
    }
    os_ver = ver_match[1];
    if (!preg(pattern:"^3([^0-9]|$)", string:os_ver))
    {
      audit(AUDIT_OS_NOT, "CentOS 3.x", "CentOS " + os_ver);
    }
    
    # Without a collected rpm list there is nothing to compare against.
    if (!get_kb_item("Host/CentOS/rpm-list"))
    {
      audit(AUDIT_PACKAGE_LIST_MISSING);
    }
    
    
    # Architecture gate: the package checks are only run for x86_64, ia64 and
    # i386-i686. Any other architecture is audited as "local checks not
    # implemented", which is a coverage gap, not a statement that it is patched.
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu))
    {
      audit(AUDIT_UNKNOWN_ARCH);
    }
    if (!("x86_64" >< cpu || "ia64" >< cpu || cpu =~ "^i[3-6]86$"))
    {
      audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);
    }
    
    
    # Count the packages for which rpm_check() reports a hit against the fixed
    # CESA-2005:571 builds (presumably: installed build older than `reference`
    # - confirm in rpm.inc). The fixed builds are still 1.1.17-based, i.e. the
    # fix is a backport, so the comparison has to be on the full package release
    # and not on the upstream "before 1.1.21rc1" version string.
    # A non-zero flag only says a fixed build is missing; nothing here inspects
    # cupsd.conf to see whether queues are protected by an authorization policy.
    flag = 0;
    foreach fixed_pkg (make_list(
      "cups-1.1.17-13.3.29",
      "cups-devel-1.1.17-13.3.29",
      "cups-libs-1.1.17-13.3.29"))
    {
      if (rpm_check(release:"CentOS-3", reference:fixed_pkg)) flag++;
    }
    
    
    # Outcome: with no hit, the audit message separates "packages were tested
    # and are not affected" from "none of the packages is installed"; with at
    # least one hit, a finding is reported on port 0 (installed packages, not a
    # listening service) together with the rpm_check() detail.
    if (!flag)
    {
      tested = pkg_tests_get();
      if (tested)
      {
        audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      }
      else
      {
        audit(AUDIT_PACKAGE_NOT_INSTALLED, "cups / cups-devel / cups-libs");
      }
    }
    else
    {
      security_report_v4(port:0, severity:SECURITY_HOLE, extra:rpm_report_get());
      exit(0);
    }
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-185-1.NASL
    descriptionA flaw was detected in the printer access control list checking in the CUPS server. Printer names were compared in a case sensitive manner; by modifying the capitalization of printer names, a remote attacker could circumvent ACLs and print to printers he should not have access to. The Ubuntu 5.04 version of cupsys is not vulnerable against this. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id20596
    published2006-01-15
    reporterUbuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/20596
    titleUbuntu 4.10 : cupsys vulnerability (USN-185-1)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2005-571.NASL
    descriptionUpdated CUPS packages that fix a security issue are now available for Red Hat Enterprise Linux 3. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX(R) operating systems. When processing a request, the CUPS scheduler would use case-sensitive matching on the queue name to decide which authorization policy should be used. However, queue names are not case-sensitive. An unauthorized user could print to a password-protected queue without needing a password. The Common Vulnerabilities and Exposures project has assigned the name CVE-2004-2154 to this issue. Please note that the version of CUPS included in Red Hat Enterprise Linux 4 is not vulnerable to this issue. All users of CUPS should upgrade to these erratum packages which contain a backported patch to correct this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id19213
    published2005-07-16
    reporterThis script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/19213
    titleRHEL 3 : cups (RHSA-2005:571)

Oval

accepted2013-04-29T04:23:28.966-04:00
classvulnerability
contributors
  • nameAharon Chernin
    organizationSCAP.com, LLC
  • nameDragos Prisaca
    organizationG2, Inc.
definition_extensions
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 3
    ovaloval:org.mitre.oval:def:11782
  • commentCentOS Linux 3.x
    ovaloval:org.mitre.oval:def:16651
descriptionCUPS before 1.1.21rc1 treats a Location directive in cupsd.conf as case sensitive, which allows attackers to bypass intended ACLs via a printer name containing uppercase or lowercase letters that are different from what is specified in the directive.
familyunix
idoval:org.mitre.oval:def:9940
statusaccepted
submitted2010-07-09T03:56:16-04:00
titleCUPS before 1.1.21rc1 treats a Location directive in cupsd.conf as case sensitive, which allows attackers to bypass intended ACLs via a printer name containing uppercase or lowercase letters that are different from what is specified in the directive.
version26

Redhat

advisories
rhsa
idRHSA-2005:571
rpms
  • cups-1:1.1.17-13.3.29
  • cups-debuginfo-1:1.1.17-13.3.29
  • cups-devel-1:1.1.17-13.3.29
  • cups-libs-1:1.1.17-13.3.29