The web interface for CUPS before 1.3.10 does not validate the HTTP Host header in a client request, which makes it easier for remote attackers to conduct DNS rebinding attacks.

The remote Redhat Enterprise Linux 5 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - cups: code execution via unescape ANSI escape sequences (CVE-2014-8166)

  - cups: incorrect string reference counting (VU#810572) (CVE-2015-1158)

  - The web interface for CUPS before 1.3.10 does not validate the HTTP Host header in a client request, which     makes it easier for remote attackers to conduct DNS rebinding attacks. (CVE-2009-0164)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package is installed.

The remote Redhat Enterprise Linux 4 host has one or more packages installed that are affected by a vulnerability that has been acknowledged by the vendor but will not be patched.

  - cups: insufficient checking of the HTTP Host: header (CVE-2009-0164)

Note that Nessus has not tested for this issue but has instead relied on the package manager's report that the package is installed.

The remote host is running a version of Mac OS X 10.5.x that is prior to 10.5.7. 

Mac OS X 10.5.7 contains security fixes for the following products :

  - Apache
  - ATS
  - BIND
  - CFNetwork
  - CoreGraphics
  - Cscope
  - CUPS
  - Disk Images
  - enscript
  - Flash Player plug-in
  - Help Viewer
  - iChat
  - International Components for Unicode
  - IPSec
  - Kerberos
  - Kernel
  - Launch Services
  - libxml
  - Net-SNMP
  - Network Time
  - Networking
  - OpenSSL
  - PHP
  - QuickDraw Manager
  - ruby
  - Safari
  - Spotlight
  - system_cmds
  - telnet
  - Terminal
  - WebKit
  - X11

The remote host is running a version of Mac OS X 10.4 that does not have Security Update 2009-002 applied.

This security update contains fixes for the following products :

  - Apache
  - ATS
  - BIND
  - CoreGraphics
  - Cscope
  - CUPS
  - Disk Images
  - enscript
  - Flash Player plug-in
  - Help Viewer
  - IPSec
  - Kerberos
  - Launch Services
  - libxml
  - Net-SNMP
  - Network Time
  - OpenSSL
  - QuickDraw Manager
  - Spotlight
  - system_cmds
  - telnet
  - Terminal
  - X11

Gentoo security team summarizes :

The following issues were reported in CUPS :

- iDefense reported an integer overflow in the _cupsImageReadTIFF() function in the 'imagetops' filter, leading to a heap-based buffer overflow (CVE-2009-0163).

- Aaron Siegel of Apple Product Security reported that the CUPS web interface does not verify the content of the 'Host' HTTP header properly (CVE-2009-0164).

- Braden Thomas and Drew Yao of Apple Product Security reported that CUPS is vulnerable to CVE-2009-0146, CVE-2009-0147 and CVE-2009-0166, found earlier in xpdf and poppler.

A remote attacker might send or entice a user to send a specially crafted print job to CUPS, possibly resulting in the execution of arbitrary code with the privileges of the configured CUPS user -- by default this is 'lp', or a Denial of Service. Furthermore, the web interface could be used to conduct DNS rebinding attacks.

New cups packages are available for Slackware 12.0, 12.1, 12.2, and
-current to fix security issues.

The remote host is affected by the vulnerability described in GLSA-200904-20 (CUPS: Multiple vulnerabilities)

    The following issues were reported in CUPS:
    iDefense     reported an integer overflow in the _cupsImageReadTIFF() function in     the 'imagetops' filter, leading to a heap-based buffer overflow     (CVE-2009-0163).
    Aaron Siegel of Apple Product Security     reported that the CUPS web interface does not verify the content of the     'Host' HTTP header properly (CVE-2009-0164).
    Braden Thomas and     Drew Yao of Apple Product Security reported that CUPS is vulnerable to     CVE-2009-0146, CVE-2009-0147 and CVE-2009-0166, found earlier in xpdf     and poppler.
  Impact :

    A remote attacker might send or entice a user to send a specially     crafted print job to CUPS, possibly resulting in the execution of     arbitrary code with the privileges of the configured CUPS user -- by     default this is 'lp', or a Denial of Service. Furthermore, the web     interface could be used to conduct DNS rebinding attacks.
  Workaround :

    There is no known workaround at this time.

This update fixes several security issues: CVE-2009-0163, CVE-2009-0164, CVE-2009-0146, CVE-2009-0147, and CVE-2009-0166. PDF files are now converted to PostScript using the poppler package's 'pdftops' program. NOTE: If your CUPS server is accessed using a hostname or hostnames not known to the server itself you must add 'ServerAlias hostname' to cupsd.conf for each such name. The special line 'ServerAlias *' disables checking (but this allows DNS rebinding attacks).

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to its banner, the version of CUPS installed on the remote host is earlier than 1.3.10. Such versions are affected by several issues :

  - A potential integer overflow in the PNG image validation     code in '_cupsImageReadPNG()' could allow an attacker to     crash the affected service or possibly execute arbitrary     code. (STR #2974)

  - A heap-based integer overflow exists in     '_cupsImageReadTIFF()' due to a failure to properly     validate the image height of a specially crafted TIFF     file, which can be leveraged to execute arbitrary code.
    (STR #3031)

  - The web interface may be vulnerable to DNS rebinding     attacks due to a failure to validate the HTTP Host     header in incoming requests. (STR #3118)

  - A heap-based buffer overflow in pdftops allows remote     attackers to execute arbitrary code via a PDF file with     crafted JBIG2 symbol dictionary segments.
    (CVE-2009-0195)

  - Flawed 'ip' structure initialization in the function     'ippReadIO()' could allow an anonymous remote attacker     to crash the application via a malicious IPP request     packet with two consecutives IPP_TAG_UNSUPPORTED tags.
    (CVE-2009-0949)

According to its banner, the version of CUPS installed on the remote host is earlier than 1.3.10.  Such versions are affected by multiple integer overflow vulnerabilities : 

  - A potential integer overflow in the PNG image validation code in '_cupsImageReadPNG()'. (STR #2974)

  - A heap-based integer overflow in '_cupsImageReadTIFF()'. (STR #3031)

  - The web interface may be vulnerable to DNS rebinding attacks due to a failure to validate the HTTP Host header in incoming requests. (STR #3118)

  - A heap-based buffer overflow in pdftops. (CVE-2009-0195)

  - Flawed 'ip' structure initialization in the function 'ippReadIO()' could allow an attacker to crash the application.

The remote host is running a version of Mac OS X 10.5 that is older than version 10.5.7.  Mac OS X 10.5.7 contains security fixes for the following products : 

- Apache
- ATS
- BIND
- CFNetwork
- CoreGraphics
-Cscope
- CUPS
- Disk Images
- enscript
- Flash player
- Help Viewer
- iChat
- Internation Components for Unicode
- IPSec
- Kerberos
- Kernel
- Launch Services
- libxml
- Net-SNMP
- Network Time
- Networking
- OpenSSL
- PHP
- QuickDraw Manager
- ruby
- Safari
- Spotlight
- system_cmds
- telnet
- WebKit
- X11
- Terminal

ID	Name	Product	Family	Severity
198649	RHEL 5 : cups (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	high
198608	RHEL 4 : cups (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	high
38744	Mac OS X 10.5.x < 10.5.7 Multiple Vulnerabilities	Nessus	MacOS X Local Security Checks	critical
38743	Mac OS X Multiple Vulnerabilities (Security Update 2009-002)	Nessus	MacOS X Local Security Checks	critical
38705	FreeBSD : cups -- remote code execution and DNS rebinding (736e55bc-39bb-11de-a493-001b77d09812)	Nessus	FreeBSD Local Security Checks	medium
38166	Slackware 12.0 / 12.1 / 12.2 / current : cups (SSA:2009-116-01)	Nessus	Slackware Local Security Checks	medium
38161	GLSA-200904-20 : CUPS: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	medium
37075	Fedora 10 : cups-1.3.10-1.fc10 (2009-3769)	Nessus	Fedora Local Security Checks	medium
36209	Fedora 9 : cups-1.3.10-1.fc9 (2009-3753)	Nessus	Fedora Local Security Checks	medium
36183	CUPS < 1.3.10 Multiple Vulnerabilities	Nessus	Misc.	high
4771	CUPS < 1.3.10 Multiple Overflows	Nessus Network Monitor	Web Servers	high
5023	Mac OS X 10.5 < 10.5.7 Multiple Vulnerabilities	Nessus Network Monitor	Generic	critical
800792	Mac OS X 10.5 < 10.5.7 Multiple Vulnerabilities	Log Correlation Engine	Operating System Detection	high

Detections

Analytics

CVE-2009-0164

high

Tenable Plugins

high

high

critical

critical

medium

medium

medium

medium

medium

high

high

critical

high