Vulnerabilities > CVE-2017-18190 - Authentication Bypass by Spoofing vulnerability in multiple products

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
HIGH
Availability impact
NONE
network
low complexity
apple
debian
canonical
CWE-290
nessus

Summary

A localhost.localdomain whitelist entry in valid_host() in scheduler/client.c in CUPS before 2.2.2 allows remote attackers to execute arbitrary IPP commands by sending POST requests to the CUPS daemon in conjunction with DNS rebinding. The localhost.localdomain name is often resolved via a DNS server (neither the OS nor the web browser is responsible for ensuring that localhost.localdomain is 127.0.0.1).

Vulnerable Configurations

Part Description Count
Application
Apple
131
OS
Debian
2
OS
Canonical
2

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Exploitation of Session Variables, Resource IDs and other Trusted Credentials
    Attacks on session IDs and resource IDs take advantage of the fact that some software accepts user input without verifying its authenticity. For example, a message queuing system that allows service requesters to post messages to its queue through an open channel (such as anonymous FTP), authorization is done through checking group or role membership contained in the posted message. However, there is no proof that the message itself, the information in the message (such group or role membership), or indeed the process that wrote the message to the queue are authentic and authorized to do so. Many server side processes are vulnerable to these attacks because the server to server communications have not been analyzed from a security perspective or the processes "trust" other systems because they are behind a firewall. In a similar way servers that use easy to guess or spoofable schemes for representing digital identity can also be vulnerable. Such systems frequently use schemes without cryptography and digital signatures (or with broken cryptography). Session IDs may be guessed due to insufficient randomness, poor protection (passed in the clear), lack of integrity (unsigned), or improperly correlation with access control policy enforcement points. Exposed configuration and properties files that contain system passwords, database connection strings, and such may also give an attacker an edge to identify these identifiers. The net result is that spoofing and impersonation is possible leading to an attacker's ability to break authentication, authorization, and audit controls on the system.
  • Exploiting Trust in Client (aka Make the Client Invisible)
    An attack of this type exploits a programs' vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
  • Creating a Rogue Certificate Authority Certificate
    An attacker exploits a weakness in the MD5 hash algorithm (weak collision resistance) to generate a certificate signing request (CSR) that contains collision blocks in the "to be signed" part. The attacker specially crafts two different, but valid X.509 certificates that when hashed with the MD5 algorithm would yield the same value. The attacker then sends the CSR for one of the certificates to the Certification Authority which uses the MD5 hashing algorithm. That request is completely valid and the Certificate Authority issues an X.509 certificate to the attacker which is signed with its private key. An attacker then takes that signed blob and inserts it into another X.509 certificate that the attacker generated. Due to the MD5 collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate. The net effect is that the attackers' second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority. To make the attack more interesting, the second certificate could be not just a regular certificate, but rather itself a signing certificate. Thus the attacker is able to start their own Certification Authority that is anchored in its root of trust in the legitimate Certification Authority that has signed the attackers' first X.509 certificate. If the original Certificate Authority was accepted by default by browsers, so will now the Certificate Authority set up by the attacker and of course any certificates that it signs. So the attacker is now able to generate any SSL certificates to impersonate any web server, and the user's browser will not issue any warning to the victim. This can be used to compromise HTTPS communications and other types of systems where PKI and X.509 certificates may be used (e.g., VPN, IPSec) .
  • Web Services API Signature Forgery Leveraging Hash Function Extension Weakness
    When web services require callees to authenticate, they sometimes issue a token / secret to the caller that the caller is to use to sign their web service calls. In one such scheme the caller when constructing a request would concatenate all of the parameters passed to the web service with the provided authentication token and then generate a hash of the concatenated string (e.g., MD5, SHA1, etc.). That hash then forms the signature that is passed to the web service which is used on the server side to verify the origin authenticity and integrity of the message. There is a practical attack against an authentication scheme of this nature that makes use of the hash function extension / padding weakness. Leveraging this weakness, an attacker, who does not know the secret token, is able to modify the parameters passed to the web service by generating their own call and still generate a legitimate signature hash. For instance, consider the message to be passed to the web service is M (this message includes the parameters passed to the web service concatenated with the secret token / key bytes). The message M is hashed and that hash is passed to the web service and is used for authentication. The attacker does not know M, but can see Hash (M) and Length (M). The attacker can then compute Hash (M || Padding (M) II M') for any M'. The attacker does not know the entire message M, specifically the attacker does not know the secret bytes, but that does not matter. The attacker is still able to sign their own message M' and make the called web service verify the integrity of the message without an error. Because of the iterative design of the hash function, it is possible, from only the hash of a message and its length, to compute the hash of longer messages that start with the initial message and include the padding required for the initial message to reach a multiple of 512 bits. It is important to note that the attack not limited to MD5 and will work just as well with another hash function like SHA1.
  • Signature Spoof
    An attacker generates a message or datablock that causes the recipient to believe that the message or datablock was generated and cryptographically signed by an authoritative or reputable source, misleading a victim or victim operating system into performing malicious actions.

Nessus

  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-0604-1.NASL
    descriptionThis update for cups fixes the following issues : - CVE-2017-18190: Removed localhost.localdomain from list of trustworthy hosts in scheduler/client.c to avoid arbitrary IPP command execution in conjunction with DNS rebinding. (bsc#1081557) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id107141
    published2018-03-06
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/107141
    titleSUSE SLED12 / SLES12 Security Update : cups (SUSE-SU-2018:0604-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from SUSE update advisory SUSE-SU-2018:0604-1.
    # The text itself is copyright (C) SUSE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(107141);
      script_version("3.7");
      script_cvs_date("Date: 2019/09/10 13:51:47");
    
      script_cve_id("CVE-2017-18190");
    
      script_name(english:"SUSE SLED12 / SLES12 Security Update : cups (SUSE-SU-2018:0604-1)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SUSE host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for cups fixes the following issues :
    
      - CVE-2017-18190: Removed localhost.localdomain from list
        of trustworthy hosts in scheduler/client.c to avoid
        arbitrary IPP command execution in conjunction with DNS
        rebinding. (bsc#1081557)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the SUSE security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1081557"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-18190/"
      );
      # https://www.suse.com/support/update/announcement/2018/suse-su-20180604-1/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?5aa0f488"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "To install this SUSE Security Update use YaST online_update.
    Alternatively you can run the command listed for your product :
    
    SUSE OpenStack Cloud 6:zypper in -t patch
    SUSE-OpenStack-Cloud-6-2018-410=1
    
    SUSE Linux Enterprise Software Development Kit 12-SP3:zypper in -t
    patch SUSE-SLE-SDK-12-SP3-2018-410=1
    
    SUSE Linux Enterprise Software Development Kit 12-SP2:zypper in -t
    patch SUSE-SLE-SDK-12-SP2-2018-410=1
    
    SUSE Linux Enterprise Server for SAP 12-SP1:zypper in -t patch
    SUSE-SLE-SAP-12-SP1-2018-410=1
    
    SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:zypper in -t
    patch SUSE-SLE-RPI-12-SP2-2018-410=1
    
    SUSE Linux Enterprise Server 12-SP3:zypper in -t patch
    SUSE-SLE-SERVER-12-SP3-2018-410=1
    
    SUSE Linux Enterprise Server 12-SP2:zypper in -t patch
    SUSE-SLE-SERVER-12-SP2-2018-410=1
    
    SUSE Linux Enterprise Server 12-SP1-LTSS:zypper in -t patch
    SUSE-SLE-SERVER-12-SP1-2018-410=1
    
    SUSE Linux Enterprise Server 12-LTSS:zypper in -t patch
    SUSE-SLE-SERVER-12-2018-410=1
    
    SUSE Linux Enterprise Desktop 12-SP3:zypper in -t patch
    SUSE-SLE-DESKTOP-12-SP3-2018-410=1
    
    SUSE Linux Enterprise Desktop 12-SP2:zypper in -t patch
    SUSE-SLE-DESKTOP-12-SP2-2018-410=1
    
    To bring your system up-to-date, use 'zypper patch'."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:cups");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:cups-client");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:cups-client-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:cups-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:cups-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:cups-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:cups-libs-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/02/16");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/03/05");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/03/06");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
    os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(SLED12|SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLED12 / SLES12", "SUSE " + os_ver);
    
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);
    
    sp = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(sp)) sp = "0";
    if (os_ver == "SLES12" && (! preg(pattern:"^(0|1|2|3)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP0/1/2/3", os_ver + " SP" + sp);
    if (os_ver == "SLED12" && (! preg(pattern:"^(2|3)$", string:sp))) audit(AUDIT_OS_NOT, "SLED12 SP2/3", os_ver + " SP" + sp);
    
    
    flag = 0;
    if (rpm_check(release:"SLES12", sp:"1", reference:"cups-1.7.5-20.3.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", reference:"cups-client-1.7.5-20.3.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", reference:"cups-client-debuginfo-1.7.5-20.3.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", reference:"cups-debuginfo-1.7.5-20.3.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", reference:"cups-debugsource-1.7.5-20.3.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", reference:"cups-libs-1.7.5-20.3.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", reference:"cups-libs-debuginfo-1.7.5-20.3.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", reference:"cups-libs-32bit-1.7.5-20.3.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", reference:"cups-libs-debuginfo-32bit-1.7.5-20.3.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"cups-1.7.5-20.3.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"cups-client-1.7.5-20.3.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"cups-client-debuginfo-1.7.5-20.3.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"cups-debuginfo-1.7.5-20.3.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"cups-debugsource-1.7.5-20.3.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"cups-libs-1.7.5-20.3.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"cups-libs-debuginfo-1.7.5-20.3.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"cups-libs-32bit-1.7.5-20.3.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"cups-libs-debuginfo-32bit-1.7.5-20.3.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", reference:"cups-1.7.5-20.3.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", reference:"cups-client-1.7.5-20.3.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", reference:"cups-client-debuginfo-1.7.5-20.3.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", reference:"cups-debuginfo-1.7.5-20.3.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", reference:"cups-debugsource-1.7.5-20.3.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", reference:"cups-libs-1.7.5-20.3.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", reference:"cups-libs-debuginfo-1.7.5-20.3.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", reference:"cups-libs-32bit-1.7.5-20.3.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", reference:"cups-libs-debuginfo-32bit-1.7.5-20.3.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", reference:"cups-1.7.5-20.3.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", reference:"cups-client-1.7.5-20.3.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", reference:"cups-client-debuginfo-1.7.5-20.3.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", reference:"cups-debuginfo-1.7.5-20.3.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", reference:"cups-debugsource-1.7.5-20.3.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", reference:"cups-libs-1.7.5-20.3.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", reference:"cups-libs-debuginfo-1.7.5-20.3.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", reference:"cups-libs-32bit-1.7.5-20.3.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", reference:"cups-libs-debuginfo-32bit-1.7.5-20.3.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"cups-1.7.5-20.3.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"cups-client-1.7.5-20.3.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"cups-client-debuginfo-1.7.5-20.3.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"cups-debuginfo-1.7.5-20.3.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"cups-debugsource-1.7.5-20.3.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"cups-libs-1.7.5-20.3.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"cups-libs-32bit-1.7.5-20.3.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"cups-libs-debuginfo-1.7.5-20.3.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"cups-libs-debuginfo-32bit-1.7.5-20.3.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"cups-1.7.5-20.3.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"cups-client-1.7.5-20.3.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"cups-client-debuginfo-1.7.5-20.3.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"cups-debuginfo-1.7.5-20.3.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"cups-debugsource-1.7.5-20.3.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"cups-libs-1.7.5-20.3.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"cups-libs-32bit-1.7.5-20.3.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"cups-libs-debuginfo-1.7.5-20.3.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"cups-libs-debuginfo-32bit-1.7.5-20.3.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "cups");
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1412.NASL
    descriptionTwo vulnerabilities affecting the cups printing server were found which can lead to arbitrary IPP command execution and denial of service. CVE-2017-18190 A localhost.localdomain whitelist entry in valid_host() in scheduler/client.c in CUPS before 2.2.2 allows remote attackers to execute arbitrary IPP commands by sending POST requests to the CUPS daemon in conjunction with DNS rebinding. The localhost.localdomain name is often resolved via a DNS server (neither the OS nor the web browser is responsible for ensuring that localhost.localdomain is 127.0.0.1). CVE-2017-18248 The add_job function in scheduler/ipp.c in CUPS before 2.2.6, when D-Bus support is enabled, can be crashed by remote attackers by sending print jobs with an invalid username, related to a D-Bus notification. For Debian 8
    last seen2020-06-01
    modified2020-06-02
    plugin id110909
    published2018-07-05
    reporterThis script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110909
    titleDebian DLA-1412-1 : cups security update
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Debian Security Advisory DLA-1412-1. The text
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(110909);
      script_version("1.3");
      script_cvs_date("Date: 2018/08/08 12:52:14");
    
      script_cve_id("CVE-2017-18190", "CVE-2017-18248");
    
      script_name(english:"Debian DLA-1412-1 : cups security update");
      script_summary(english:"Checks dpkg output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Two vulnerabilities affecting the cups printing server were found
    which can lead to arbitrary IPP command execution and denial of
    service.
    
    CVE-2017-18190
    
    A localhost.localdomain whitelist entry in valid_host() in
    scheduler/client.c in CUPS before 2.2.2 allows remote attackers to
    execute arbitrary IPP commands by sending POST requests to the CUPS
    daemon in conjunction with DNS rebinding. The localhost.localdomain
    name is often resolved via a DNS server (neither the OS nor the web
    browser is responsible for ensuring that localhost.localdomain is
    127.0.0.1).
    
    CVE-2017-18248
    
    The add_job function in scheduler/ipp.c in CUPS before 2.2.6, when
    D-Bus support is enabled, can be crashed by remote attackers by
    sending print jobs with an invalid username, related to a D-Bus
    notification.
    
    For Debian 8 'Jessie', these problems have been fixed in version
    1.7.5-11+deb8u3.
    
    We recommend that you upgrade your cups packages.
    
    NOTE: Tenable Network Security has extracted the preceding description
    block directly from the DLA security advisory. Tenable has attempted
    to automatically clean and format it as much as possible without
    introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.debian.org/debian-lts-announce/2018/07/msg00003.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/jessie/cups"
      );
      script_set_attribute(attribute:"solution", value:"Upgrade the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:cups");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:cups-bsd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:cups-client");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:cups-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:cups-core-drivers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:cups-daemon");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:cups-dbg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:cups-ppdc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:cups-server-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libcups2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libcups2-dev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libcupscgi1");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libcupscgi1-dev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libcupsimage2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libcupsimage2-dev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libcupsmime1");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libcupsmime1-dev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libcupsppdc1");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libcupsppdc1-dev");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2018/07/03");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/07/05");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"8.0", prefix:"cups", reference:"1.7.5-11+deb8u3")) flag++;
    if (deb_check(release:"8.0", prefix:"cups-bsd", reference:"1.7.5-11+deb8u3")) flag++;
    if (deb_check(release:"8.0", prefix:"cups-client", reference:"1.7.5-11+deb8u3")) flag++;
    if (deb_check(release:"8.0", prefix:"cups-common", reference:"1.7.5-11+deb8u3")) flag++;
    if (deb_check(release:"8.0", prefix:"cups-core-drivers", reference:"1.7.5-11+deb8u3")) flag++;
    if (deb_check(release:"8.0", prefix:"cups-daemon", reference:"1.7.5-11+deb8u3")) flag++;
    if (deb_check(release:"8.0", prefix:"cups-dbg", reference:"1.7.5-11+deb8u3")) flag++;
    if (deb_check(release:"8.0", prefix:"cups-ppdc", reference:"1.7.5-11+deb8u3")) flag++;
    if (deb_check(release:"8.0", prefix:"cups-server-common", reference:"1.7.5-11+deb8u3")) flag++;
    if (deb_check(release:"8.0", prefix:"libcups2", reference:"1.7.5-11+deb8u3")) flag++;
    if (deb_check(release:"8.0", prefix:"libcups2-dev", reference:"1.7.5-11+deb8u3")) flag++;
    if (deb_check(release:"8.0", prefix:"libcupscgi1", reference:"1.7.5-11+deb8u3")) flag++;
    if (deb_check(release:"8.0", prefix:"libcupscgi1-dev", reference:"1.7.5-11+deb8u3")) flag++;
    if (deb_check(release:"8.0", prefix:"libcupsimage2", reference:"1.7.5-11+deb8u3")) flag++;
    if (deb_check(release:"8.0", prefix:"libcupsimage2-dev", reference:"1.7.5-11+deb8u3")) flag++;
    if (deb_check(release:"8.0", prefix:"libcupsmime1", reference:"1.7.5-11+deb8u3")) flag++;
    if (deb_check(release:"8.0", prefix:"libcupsmime1-dev", reference:"1.7.5-11+deb8u3")) flag++;
    if (deb_check(release:"8.0", prefix:"libcupsppdc1", reference:"1.7.5-11+deb8u3")) flag++;
    if (deb_check(release:"8.0", prefix:"libcupsppdc1-dev", reference:"1.7.5-11+deb8u3")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1288.NASL
    descriptionIt was discovered that there was an issue in the CUPS printer framework where remote attackers could execute arbitrary commands by sending POST requests to the CUPS daemon in conjunction with DNS rebinding. This was caused by a whitelisted
    last seen2020-03-17
    modified2018-02-23
    plugin id106953
    published2018-02-23
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/106953
    titleDebian DLA-1288-1 : cups security update
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Debian Security Advisory DLA-1288-1. The text
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(106953);
      script_version("3.6");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");
    
      script_cve_id("CVE-2017-18190");
    
      script_name(english:"Debian DLA-1288-1 : cups security update");
      script_summary(english:"Checks dpkg output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "It was discovered that there was an issue in the CUPS printer
    framework where remote attackers could execute arbitrary commands by
    sending POST requests to the CUPS daemon in conjunction with DNS
    rebinding. This was caused by a whitelisted 'localhost.localdomain'
    entry.
    
    For Debian 7 'Wheezy', this issue has been fixed in cups version
    1.5.3-5+deb7u7.
    
    We recommend that you upgrade your cups packages.
    
    NOTE: Tenable Network Security has extracted the preceding description
    block directly from the DLA security advisory. Tenable has attempted
    to automatically clean and format it as much as possible without
    introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.debian.org/debian-lts-announce/2018/02/msg00023.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/wheezy/cups"
      );
      script_set_attribute(attribute:"solution", value:"Upgrade the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:cups");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:cups-bsd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:cups-client");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:cups-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:cups-dbg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:cups-ppdc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:cupsddk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libcups2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libcups2-dev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libcupscgi1");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libcupscgi1-dev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libcupsdriver1");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libcupsdriver1-dev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libcupsimage2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libcupsimage2-dev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libcupsmime1");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libcupsmime1-dev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libcupsppdc1");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libcupsppdc1-dev");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2018/02/22");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/02/23");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"7.0", prefix:"cups", reference:"1.5.3-5+deb7u7")) flag++;
    if (deb_check(release:"7.0", prefix:"cups-bsd", reference:"1.5.3-5+deb7u7")) flag++;
    if (deb_check(release:"7.0", prefix:"cups-client", reference:"1.5.3-5+deb7u7")) flag++;
    if (deb_check(release:"7.0", prefix:"cups-common", reference:"1.5.3-5+deb7u7")) flag++;
    if (deb_check(release:"7.0", prefix:"cups-dbg", reference:"1.5.3-5+deb7u7")) flag++;
    if (deb_check(release:"7.0", prefix:"cups-ppdc", reference:"1.5.3-5+deb7u7")) flag++;
    if (deb_check(release:"7.0", prefix:"cupsddk", reference:"1.5.3-5+deb7u7")) flag++;
    if (deb_check(release:"7.0", prefix:"libcups2", reference:"1.5.3-5+deb7u7")) flag++;
    if (deb_check(release:"7.0", prefix:"libcups2-dev", reference:"1.5.3-5+deb7u7")) flag++;
    if (deb_check(release:"7.0", prefix:"libcupscgi1", reference:"1.5.3-5+deb7u7")) flag++;
    if (deb_check(release:"7.0", prefix:"libcupscgi1-dev", reference:"1.5.3-5+deb7u7")) flag++;
    if (deb_check(release:"7.0", prefix:"libcupsdriver1", reference:"1.5.3-5+deb7u7")) flag++;
    if (deb_check(release:"7.0", prefix:"libcupsdriver1-dev", reference:"1.5.3-5+deb7u7")) flag++;
    if (deb_check(release:"7.0", prefix:"libcupsimage2", reference:"1.5.3-5+deb7u7")) flag++;
    if (deb_check(release:"7.0", prefix:"libcupsimage2-dev", reference:"1.5.3-5+deb7u7")) flag++;
    if (deb_check(release:"7.0", prefix:"libcupsmime1", reference:"1.5.3-5+deb7u7")) flag++;
    if (deb_check(release:"7.0", prefix:"libcupsmime1-dev", reference:"1.5.3-5+deb7u7")) flag++;
    if (deb_check(release:"7.0", prefix:"libcupsppdc1", reference:"1.5.3-5+deb7u7")) flag++;
    if (deb_check(release:"7.0", prefix:"libcupsppdc1-dev", reference:"1.5.3-5+deb7u7")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2018-225.NASL
    descriptionThis update for cups fixes the following issues : - CVE-2017-18190: Removed localhost.localdomain from list of trustworthy hosts in scheduler/client.c to avoid arbitrary IPP command execution in conjunction with DNS rebinding. (bsc#1081557) This update was imported from the SUSE:SLE-12:Update update project.
    last seen2020-06-05
    modified2018-03-07
    plugin id107180
    published2018-03-07
    reporterThis script is Copyright (C) 2018-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/107180
    titleopenSUSE Security Update : cups (openSUSE-2018-225)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openSUSE-2018-225.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(107180);
      script_version("1.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2017-18190");
    
      script_name(english:"openSUSE Security Update : cups (openSUSE-2018-225)");
      script_summary(english:"Check for the openSUSE-2018-225 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for cups fixes the following issues :
    
      - CVE-2017-18190: Removed localhost.localdomain from list
        of trustworthy hosts in scheduler/client.c to avoid
        arbitrary IPP command execution in conjunction with DNS
        rebinding. (bsc#1081557)
    
    This update was imported from the SUSE:SLE-12:Update update project."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1081557"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected cups packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:cups");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:cups-client");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:cups-client-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:cups-ddk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:cups-ddk-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:cups-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:cups-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:cups-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:cups-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:cups-libs-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:cups-libs-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:cups-libs-debuginfo-32bit");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.3");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2018/03/06");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/03/07");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2020 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE42\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.3", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE42.3", reference:"cups-1.7.5-12.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"cups-client-1.7.5-12.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"cups-client-debuginfo-1.7.5-12.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"cups-ddk-1.7.5-12.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"cups-ddk-debuginfo-1.7.5-12.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"cups-debuginfo-1.7.5-12.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"cups-debugsource-1.7.5-12.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"cups-devel-1.7.5-12.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"cups-libs-1.7.5-12.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"cups-libs-debuginfo-1.7.5-12.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"cups-libs-32bit-1.7.5-12.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"cups-libs-debuginfo-32bit-1.7.5-12.3.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "cups / cups-client / cups-client-debuginfo / cups-ddk / etc");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2018-1080.NASL
    descriptionAccording to the versions of the cups packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - CUPS printing system provides a portable printing layer for UNIXA(r) operating systems. It has been developed by Apple Inc.to promote a standard printing solution for all UNIX vendors and users.CUPS provides the System V and Berkeley command-line interfaces. - Security fix(es): - A localhost.localdomain whitelist entry in valid_host() in scheduler/client.c in CUPS before 2.2.2 allows remote attackers to execute arbitrary IPP commands by sending POST requests to the CUPS daemon in conjunction with DNS rebinding. The localhost.localdomain name is often resolved via a DNS server (neither the OS nor the web browser is responsible for ensuring that localhost.localdomain is 127.0.0.1).(CVE-2017-18190) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-06
    modified2018-05-02
    plugin id109478
    published2018-05-02
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109478
    titleEulerOS 2.0 SP2 : cups (EulerOS-SA-2018-1080)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(109478);
      script_version("1.11");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/04");
    
      script_cve_id(
        "CVE-2017-18190"
      );
    
      script_name(english:"EulerOS 2.0 SP2 : cups (EulerOS-SA-2018-1080)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS host is missing multiple security updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the cups packages installed, the EulerOS
    installation on the remote host is affected by the following
    vulnerabilities :
    
      - CUPS printing system provides a portable printing layer
        for UNIXA(r) operating systems. It has been developed by
        Apple Inc.to promote a standard printing solution for
        all UNIX vendors and users.CUPS provides the System V
        and Berkeley command-line interfaces.
    
      - Security fix(es):
    
      - A localhost.localdomain whitelist entry in valid_host()
        in scheduler/client.c in CUPS before 2.2.2 allows
        remote attackers to execute arbitrary IPP commands by
        sending POST requests to the CUPS daemon in conjunction
        with DNS rebinding. The localhost.localdomain name is
        often resolved via a DNS server (neither the OS nor the
        web browser is responsible for ensuring that
        localhost.localdomain is 127.0.0.1).(CVE-2017-18190)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2018-1080
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?24760dbe");
      script_set_attribute(attribute:"solution", value:
    "Update the affected cups packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2018/03/22");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/05/02");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:cups");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:cups-client");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:cups-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:cups-filesystem");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:cups-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:cups-lpd");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
      script_exclude_keys("Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");
    
    sp = get_kb_item("Host/EulerOS/sp");
    if (isnull(sp) || sp !~ "^(2)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP2");
    
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP2", "EulerOS UVP " + uvp);
    
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
    
    flag = 0;
    
    pkgs = ["cups-1.6.3-26.h1",
            "cups-client-1.6.3-26.h1",
            "cups-devel-1.6.3-26.h1",
            "cups-filesystem-1.6.3-26.h1",
            "cups-libs-1.6.3-26.h1",
            "cups-lpd-1.6.3-26.h1"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", sp:"2", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "cups");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2018-1079.NASL
    descriptionAccording to the versions of the cups packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - CUPS printing system provides a portable printing layer for UNIXA(r) operating systems. It has been developed by Apple Inc.to promote a standard printing solution for all UNIX vendors and users.CUPS provides the System V and Berkeley command-line interfaces. - Security fix(es): - A localhost.localdomain whitelist entry in valid_host() in scheduler/client.c in CUPS before 2.2.2 allows remote attackers to execute arbitrary IPP commands by sending POST requests to the CUPS daemon in conjunction with DNS rebinding. The localhost.localdomain name is often resolved via a DNS server (neither the OS nor the web browser is responsible for ensuring that localhost.localdomain is 127.0.0.1).(CVE-2017-18190) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-06
    modified2018-05-02
    plugin id109477
    published2018-05-02
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109477
    titleEulerOS 2.0 SP1 : cups (EulerOS-SA-2018-1079)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2018-1329.NASL
    descriptionAccording to the versions of the cups package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - CUPS printing system provides a portable printing layer for UNIXA(r) operating systems. It has been developed by Apple Inc.to promote a standard printing solution for all UNIX vendors and users.CUPS provides the System V and Berkeley command-line interfaces. - Security fix(es): - A localhost.localdomain whitelist entry in valid_host() in scheduler/client.c in CUPS before 2.2.2 allows remote attackers to execute arbitrary IPP commands by sending POST requests to the CUPS daemon in conjunction with DNS rebinding. The localhost.localdomain name is often resolved via a DNS server (neither the OS nor the web browser is responsible for ensuring that localhost.localdomain is 127.0.0.1).(CVE-2017-18190) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-19
    modified2018-10-26
    plugin id118417
    published2018-10-26
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118417
    titleEulerOS Virtualization 2.5.0 : cups (EulerOS-SA-2018-1329)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3577-1.NASL
    descriptionJann Horn discovered that CUPS permitted HTTP requests with the Host header set to
    last seen2020-06-01
    modified2020-06-02
    plugin id106929
    published2018-02-21
    reporterUbuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/106929
    titleUbuntu 14.04 LTS / 16.04 LTS : cups vulnerability (USN-3577-1)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1432.NASL
    descriptionAccording to the versions of the cups package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - A cross-site scripting flaw was found in the cups web templating engine. An attacker could use this flaw to bypass the default configuration settings that bind the CUPS scheduler to the
    last seen2020-06-01
    modified2020-06-02
    plugin id124935
    published2019-05-14
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124935
    titleEulerOS Virtualization 3.0.1.0 : cups (EulerOS-SA-2019-1432)