The web interface in CUPS before 1.4.2, as used on Apple Mac OS X before 10.6.2 and other platforms, does not properly handle (1) HTTP headers and (2) HTML templates, which allows remote attackers to conduct cross-site scripting (XSS) attacks and HTTP response splitting attacks via vectors related to (a) the product's web interface, (b) the configuration of the print system, and (c) the titles of printed jobs, as demonstrated by an XSS attack that uses the kerberos parameter to the admin program, and leverages attribute injection and HTTP Parameter Pollution (HPP) issues.

The remote Oracle Linux 5 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2009-1595 advisory.

    - Applied patch to fix CVE-2009-3553 (bug #530111, STR #3200).

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Updated cups packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

[Updated 12th January 2010] The packages list in this erratum has been updated to include missing i386 packages for Red Hat Enterprise Linux Desktop and RHEL Desktop Workstation.

The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX operating systems.

A use-after-free flaw was found in the way CUPS handled references in its file descriptors-handling interface. A remote attacker could, in a specially crafted way, query for the list of current print jobs for a specific printer, leading to a denial of service (cupsd crash).
(CVE-2009-3553)

Several cross-site scripting (XSS) flaws were found in the way the CUPS web server interface processed HTML form content. If a remote attacker could trick a local user who is logged into the CUPS web interface into visiting a specially crafted HTML page, the attacker could retrieve and potentially modify confidential CUPS administration data. (CVE-2009-2820)

Red Hat would like to thank Aaron Sigel of Apple Product Security for responsibly reporting the CVE-2009-2820 issue.

Users of cups are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the update, the cupsd daemon will be restarted automatically.

Multiple vulnerabilities has been found and corrected in cups :

CUPS in does not properly handle (1) HTTP headers and (2) HTML templates, which allows remote attackers to conduct cross-site scripting (XSS) attacks and HTTP response splitting attacks via vectors related to (a) the product's web interface, (b) the configuration of the print system, and (c) the titles of printed jobs (CVE-2009-2820).

Use-after-free vulnerability in the abstract file-descriptor handling interface in the cupsdDoSelect function in scheduler/select.c in the scheduler in cupsd in CUPS 1.3.7 and 1.3.10 allows remote attackers to cause a denial of service (daemon crash or hang) via a client disconnection during listing of a large number of print jobs, related to improperly maintaining a reference count. NOTE: some of these details are obtained from third-party information (CVE-2009-3553).

Use-after-free vulnerability in the abstract file-descriptor handling interface in the cupsdDoSelect function in scheduler/select.c in the scheduler in cupsd in CUPS 1.3.7, 1.3.9, 1.3.10, and 1.4.1, when kqueue or epoll is used, allows remote attackers to cause a denial of service (daemon crash or hang) via a client disconnection during listing of a large number of print jobs, related to improperly maintaining a reference count. NOTE: some of these details are obtained from third-party information. NOTE: this vulnerability exists because of an incomplete fix for CVE-2009-3553 (CVE-2010-0302).

The _cupsGetlang function, as used by lppasswd.c in lppasswd in CUPS 1.2.2, 1.3.7, 1.3.9, and 1.4.1, relies on an environment variable to determine the file that provides localized message strings, which allows local users to gain privileges via a file that contains crafted localization data with format string specifiers (CVE-2010-0393).

The updated packages have been patched to correct these issues.

Update :

Packages for Mandriva Linux 2010.0 was missing with MDVSA-2010:073.
This advisory provides packages for 2010.0 as well.

Aaron Siegel discovered that the web interface of cups, the Common UNIX Printing System, is prone to cross-site scripting attacks.

The cups web interface was prone to Cross-Site Scripting (XSS) problems (CVE-2009-2820).

A use-after-free problem in cupsd allowed remote attackers to crash the cups server (CVE-2009-3553).

This fixes CVE-2009-2820, an XSS vulnerability in the web interface.
This also updates cups to the latest stable release on the 1.3 branch, and fixes a problem with number-up handling.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

New release, including fix for XSS vulnerability in web interface (CVE-2009-2820) and for improper reference counting in abstract file descriptors handling interface (CVE-2009-3553).

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Updated to 1.4.2 including XSS security fix (CVE-2009-2820). Fixed improper reference counting in abstract file descriptors handling interface (CVE-2009-3553). Fixed admin.cgi crash when modifying a class. Fix cups-lpd to create unique temporary data files. Pass through serial parameters correctly in web interface. Set the PRINTER_IS_SHARED variable for admin.cgi Fix removing files with lprm.
Fixed German translation. Fixed PostScript errors with number-up handling. Fixed lspp-patch to avoid memory leak. Upstream fix for GNU TLS error handling bug. Reset SIGPIPE handler for child processes.
Fixed typo in admin web template. Fixed incorrect handling of out-of-memory when loading jobs. Fixed wrong driver reported in web interface.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The cups web interface was prone to Cross-Site Scripting (XSS) problems. (CVE-2009-2820)

The cups web interface was prone to Cross-Site Scripting (XSS) problems (CVE-2009-2820).

According to its banner, the version of CUPS installed on the remote host is earlier than 1.4.2.  Such versions are potentially affected by a cross-site scripting vulnerability because the application fails to properly sanitize the 'kerberos' parameter.

According to its banner, the version of CUPS installed on the remote host is earlier than 1.4.2. The 'kerberos' parameter in such versions is not properly sanitized before being used to generate dynamic HTML content.

An attacker can leverage this issue via a combination of attribute injection and HTTP Parameter Pollution to inject arbitrary script code into a user's browser to be executed within the security context of the affected site.

Aaron Sigel discovered that the CUPS web interface incorrectly protected against cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks. If an authenticated user were tricked into visiting a malicious website while logged into CUPS, a remote attacker could modify the CUPS configuration and possibly steal confidential data.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is running a version of Mac OS X 10.6 that is older than version 10.6.2.  Mac OS X 10.6.2 contains security fixes for the following products : 

  - Adaptive Firewall

  - Apache

  - Apache Protable Runtime

  - Certificate Assistant

  - CoreMedia

  - CUPS

  - DoveCot

  - fetchmail

  - file

  - FTP Server

  - Help Viewer

  - ImageIO

  - IOKit

  - IPSec

  - Kernel

  - Launch Services

  - libsecurity

  - libxml

 Login Window

  - OpenLDAP

  - QuickDraw Manager

QuickTime

  - Screen Sharing

  - Subversion

The remote host is running a version of Mac OS X 10.6.x that is prior to 10.6.2.

Mac OS X 10.6.2 contains security fixes for the following products :

  - Adaptive Firewall
  - Apache
  - Apache Portable Runtime
  - Certificate Assistant
  - CoreMedia
  - CUPS
  - Dovecot
  - fetchmail
  - file
  - FTP Server
  - Help Viewer
  - ImageIO
  - IOKit
  - IPSec
  - Kernel
  - Launch Services
  - libsecurity
  - libxml
  - Login Window
  - OpenLDAP
  - QuickDraw Manager
  - QuickTime
  - Screen Sharing
  - Subversion

The remote host is running a version of Mac OS X 10.5 that does not have Security Update 2009-006 applied.

This security update contains fixes for the following products :

  - AFP Client
  - Adaptive Firewall
  - Apache
  - Apache Portable Runtime
  - ATS
  - Certificate Assistant
  - CoreGraphics
  - CUPS
  - Dictionary
  - DirectoryService
  - Disk Images
  - Event Monitor
  - fetchmail
  - FTP Server
  - Help Viewer
  - International Components for Unicode
  - IOKit
  - IPSec
  - libsecurity
  - libxml
  - OpenLDAP
  - OpenSSH
  - PHP
  - QuickDraw Manager
  - QuickLook
  - FreeRADIUS
  - Screen Sharing
  - Spotlight
  - Subversion

ID	Name	Product	Family	Severity
67961	Oracle Linux 5 : cups (ELSA-2009-1595)	Nessus	Oracle Linux Local Security Checks	high
67076	CentOS 5 : cups (CESA-2009:1595)	Nessus	CentOS Local Security Checks	medium
45530	Mandriva Linux Security Advisory : cups (MDVSA-2010:073-1)	Nessus	Mandriva Local Security Checks	medium
44798	Debian DSA-1933-1 : cups - missing input sanitising	Nessus	Debian Local Security Checks	medium
43107	openSUSE Security Update : cups (cups-1650)	Nessus	SuSE Local Security Checks	medium
42965	Fedora 10 : cups-1.3.11-2.fc10 (2009-11062)	Nessus	Fedora Local Security Checks	medium
42936	Fedora 12 : cups-1.4.2-7.fc12 (2009-11314)	Nessus	Fedora Local Security Checks	medium
42935	Fedora 11 : cups-1.4.2-7.fc11 (2009-10891)	Nessus	Fedora Local Security Checks	medium
42850	RHEL 5 : cups (RHSA-2009:1595)	Nessus	Red Hat Local Security Checks	medium
42473	SuSE 11 Security Update : CUPS (SAT Patch Number 1504)	Nessus	SuSE Local Security Checks	medium
42472	openSUSE Security Update : cups (cups-1506)	Nessus	SuSE Local Security Checks	medium
42471	openSUSE Security Update : cups (cups-1506)	Nessus	SuSE Local Security Checks	medium
5230	CUPS < 1.4.2 XSS	Nessus Network Monitor	Web Servers	medium
42468	CUPS < 1.4.2 kerberos Parameter XSS	Nessus	Misc.	medium
42466	Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 / 9.10 : cups, cupsys vulnerability (USN-856-1)	Nessus	Ubuntu Local Security Checks	medium
800795	Mac OS X 10.6 < 10.6.2 Multiple Vulnerabilities	Log Correlation Engine	Operating System Detection	high
5227	Mac OS X 10.6 < 10.6.2 Multiple Vulnerabilities	Nessus Network Monitor	Generic	critical
42434	Mac OS X 10.6.x < 10.6.2 Multiple Vulnerabilities	Nessus	MacOS X Local Security Checks	critical
42433	Mac OS X Multiple Vulnerabilities (Security Update 2009-006)	Nessus	MacOS X Local Security Checks	critical

Detections

Analytics

CVE-2009-2820

medium

Tenable Plugins

high

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

high

critical

critical

critical