AV:N/AC:L/Au:N/C:N/I:P/A:P/E:U/RL:OF/RC:C
-
The Common UNIX Printing System (CUPS) versions 1.3.3 and prior contain a vulnerability that can allow an unauthenticated, remote attacker to create a denial of service (DoS) condition or execute arbitrary code with the privileges of the user.
The vulnerability exists in the ippReadIO() function when processing Internet Printing Protocol (IPP) tags. The function contains an off-by-one error when allocating space. An unauthenticated, remote attacker could send a request with crafted tags to overwrite one byte on the stack with a zero. The attacker could crash the daemon or possibly execute arbitrary code.
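The off-by-one described above, reduced to a minimal C model (an added example, not CUPS source code): the buffer size, the 2-byte length prefix, and the names read_value and adjacent_byte_survives are assumptions made for illustration. It contrasts a length check that admits a value exactly as long as the buffer with one that reserves room for the terminating zero.

```c
#include <stdio.h>
#include <string.h>

#define VALUE_BUF_SIZE 16   /* constructed size, kept small for the demo */
#define CANARY 0xAA         /* stands in for whatever follows the buffer */

/* Read one value with a 2-byte big-endian length prefix and NUL-terminate it.
 * `storage` is VALUE_BUF_SIZE buffer bytes plus one modelled adjacent byte, so
 * the stray write is observable. Returns the length, or -1 if rejected. */
static int read_value(const unsigned char *msg, size_t msg_len,
                      unsigned char *storage, int hardened)
{
    size_t n;
    if (msg_len < 2)
        return -1;
    n = ((size_t)msg[0] << 8) | msg[1];
    if (n > msg_len - 2)
        return -1;                          /* truncated message */
    if (hardened ? (n >= VALUE_BUF_SIZE)    /* leaves room for the terminator */
                 : (n > VALUE_BUF_SIZE))    /* off by one: n == size passes */
        return -1;
    memcpy(storage, msg + 2, n);
    storage[n] = '\0';                      /* index VALUE_BUF_SIZE when n == size */
    return (int)n;
}

/* Feed a constructed message carrying `value_len` bytes; return 1 if the byte
 * just past the buffer is intact afterwards, 0 if it was zeroed. */
int adjacent_byte_survives(size_t value_len, int hardened)
{
    unsigned char msg[2 + 64];
    unsigned char storage[VALUE_BUF_SIZE + 1];
    if (value_len > 64)
        return -1;
    msg[0] = (unsigned char)(value_len >> 8);
    msg[1] = (unsigned char)(value_len & 0xff);
    memset(msg + 2, 'A', value_len);
    storage[VALUE_BUF_SIZE] = CANARY;
    read_value(msg, 2 + value_len, storage, hardened);
    return storage[VALUE_BUF_SIZE] == CANARY;
}

int main(void)
{
    printf("len 16 intact: weak=%d hardened=%d\n",
           adjacent_byte_survives(16, 0), adjacent_byte_survives(16, 1));
    return 0;
}
```

Only a value whose length equals the buffer size separates the two checks; shorter values are handled identically and longer ones are rejected by both.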
The vendor has confirmed this vulnerability in release notes and released an updated version.
The vulnerability requires the attacker to connect to the IPP TCP port to perform an attack. However, the default configuration of CUPS does not allow remote hosts to connect to this port. This configuration should mitigate the potential for this attack. IT departments that deploy and use CUPS without changing the default configuration may not be at risk.
The severity of the impact will vary depending on the system on which CUPS is deployed. If this system is used for multiple services, a DoS condition could cause other services besides the CUPS service to crash, which may affect other users and departments.
If code execution is accomplished, it will most likely be in the context of the CUPS user. This user probably has limited privileges.
-
CUPS has provided release notes at the following link: CUPS 1.3.4
Apple has released a security update at the following link: Security Update 2007-009
Avaya has released a security advisory at the following link: ASA-2007-476
Cisco has released a security response to address Cisco bug ID CSCsl92095 at the following link: cisco-sa-20080625-waas
Debian has released a security advisory at the following link: DSA-1407-1
FreeBSD has released a VuXML document at the following link: cups -- off-by-one buffer overflow
Gentoo has released a security advisory at the following link: GLSA 200711-16
Mandriva has released security advisories at the following links: MDKSA-2007:204 and MDKSA-2007:204-1
Red Hat has released security advisories at the following links: RHSA-2007:1020, RHSA-2007:1022, and RHSA-2007:1023
Slackware has released a security advisory at the following link: SSA:2007-305-01
SUSE has released a security announcement at the following link: SUSE-SA:2007:058
Turbolinux has released a security advisory at the following link: TLSA-2008-19
Ubuntu has released a security notice at the following link: USN-539-1
US-CERT has released a vulnerability note at the following link: VU#446897
-
Administrators are advised to apply the appropriate update.
Administrators are advised to restrict access to trusted users.
The Cisco Applied Intelligence team has created the following companion document to guide administrators in identifying and mitigating attempts to exploit this vulnerability prior to applying updated software: Identifying and Mitigating Exploitation of the Wide Area Application Services Common UNIX Printing System Vulnerability
-
An updated version of CUPS is available at the following link: CUPS 1.3.4
Apple has released updated software at the following links:
Security Update 2007-009 (10.4.11 Universal)
Security Update 2007-009 (10.4.11 PPC)
Security Update 2007-009 (10.5.1)
Cisco customers with active contracts can obtain updates through the Software Center at the following link: Cisco. Cisco customers without contracts can obtain upgrades by contacting the Cisco Technical Assistance Center at 1-800-553-2447 or 1-408-526-7209 or via e-mail at tac@cisco.com.
Debian has released updated packages at the following link: Debian
FreeBSD releases ports collection updates at the following link: Ports Collection Index
Mandriva can be updated automatically using MandrivaUpdate.
Red Hat packages can be updated using the up2date command.
Slackware packages can be updated using the upgradepkg command.
SUSE has released updated packages; users can install the updates using YaST.
Turbolinux packages can be updated using the turbopkg command.
Ubuntu has released updated packages; users can install the updates using Update Manager.
-
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Version | Description     | Section | Status | Date
1.0     | Initial Release | NA      | Final  | 2007-Oct-31
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.