The web interface in CUPS 1.7.4 allows local users in the lp group to read arbitrary files via a symlink attack on a file in /var/cache/cups/rss/ and language[0] set to null. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3537.

The remote Redhat Enterprise Linux 5 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - cups: code execution via unescape ANSI escape sequences (CVE-2014-8166)

  - cups: incorrect string reference counting (VU#810572) (CVE-2015-1158)

  - The web interface for CUPS before 1.3.10 does not validate the HTTP Host header in a client request, which     makes it easier for remote attackers to conduct DNS rebinding attacks. (CVE-2009-0164)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package is installed.

Updated cups packages fix security vulnerabilities :

Cross-site scripting (XSS) vulnerability in scheduler/client.c in Common Unix Printing System (CUPS) before 1.7.2 allows remote attackers to inject arbitrary web script or HTML via the URL path, related to the is_path_absolute function (CVE-2014-2856).

In CUPS before 1.7.4, a local user with privileges of group=lp can write symbolic links in the rss directory and use that to gain '@SYSTEM' group privilege with cupsd (CVE-2014-3537).

It was discovered that the web interface in CUPS incorrectly validated permissions on rss files and directory index files. A local attacker could possibly use this issue to bypass file permissions and read arbitrary files, possibly leading to a privilege escalation (CVE-2014-5029, CVE-2014-5030, CVE-2014-5031).

A malformed file with an invalid page header and compressed raster data can trigger a buffer overflow in cupsRasterReadPixels (CVE-2014-9679).

It was discovered that the web interface in CUPS, the Common UNIX Printing System, incorrectly validated permissions on rss files and directory index files. A local attacker could possibly use this issue to bypass file permissions and read arbitrary files, possibly leading to a privilege escalation.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote OracleVM system is missing necessary patches to address critical security updates :

  - Revert change to whitelist /rss/ resources, as this was     not used upstream.

  - More STR #4461 fixes from upstream: make rss feeds     world-readable, but cachedir private.

  - Fix icon display in web interface during server restart     (STR #4475).

  - Fixes for upstream patch for STR #4461: allow /rss/     requests for files we created.

  - Use upstream patch for STR #4461.

  - Applied upstream patch to fix CVE-2014-5029 (bug     #1122600), CVE-2014-5030 (bug #1128764), CVE-2014-5031     (bug #1128767).

  - Fix conf/log file reading for authenticated users (STR     #4461).

  - Fix CGI handling (STR #4454, bug #1120419).

  - fix patch for CVE-2014-3537 (bug #1117794)

  - CVE-2014-2856: cross-site scripting flaw (bug #1117798)

  - CVE-2014-3537: insufficient checking leads to privilege     escalation (bug #1117794)

  - Removed package description changes.

  - Applied patch to fix 'Bad request' errors as a result of     adding in httpSetTimeout (STR #4440, also part of svn     revision 9967).

  - Fixed timeout issue with cupsd reading when there is no     data ready (bug #1110045).

  - Fixed synconclose patch to avoid 'too many arguments for     format' warning.

  - Fixed settimeout patch to include math.h for fmod     declaration.

  - Fixed typo preventing web interface from changing driver     (bug #1104483, STR #3601).

  - Fixed SyncOnClose patch (bug #984883).

  - Use upstream patch to avoid replaying GSS credentials     (bug #1040293).

  - Prevent BrowsePoll problems across suspend/resume (bug     #769292) :

  - Eliminate indefinite wait for response (svn revision     9688).

  - Backported httpSetTimeout API function from CUPS 1.5 and     use it in the ipp backend so that we wait indefinitely     until the printer responds, we get a hard error, or the     job is cancelled.

  - cups-polld: reconnect on error.

  - Added new SyncOnClose directive to use fsync after     altering configuration files: defaults to 'Yes'. Adjust     in cupsd.conf (bug #984883).

  - Fix cupsctl man page typo (bug #1011076).

  - Use more portable rpm specfile syntax for conditional     php building (bug #988598).

  - Fix SetEnv directive in cupsd.conf (bug #986495).

  - Fix 'collection' attribute sending (bug #978387).

  - Prevent format_log segfault (bug #971079).

  - Prevent stringpool corruption (bug #884851).

  - Don't crash when job queued for printer that times out     (bug #855431).

  - Upstream patch for broken multipart handling (bug     #852846).

  - Install /etc/cron.daily/cups with correct permissions     (bug #1012482).

  - Fixes for jobs with multiple files and multiple formats     (bug #972242).

  - Applied patch to fix CVE-2012-5519 (privilege escalation     for users in SystemGroup or with equivalent polkit     permission). This prevents HTTP PUT requests with paths     under /admin/conf/ other than that for cupsd.conf, and     also prevents such requests altering certain     configuration directives such as PageLog and FileDevice     (bug #875898).

Updated cups packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

CUPS provides a portable printing layer for Linux, UNIX, and similar operating systems.

A cross-site scripting (XSS) flaw was found in the CUPS web interface.
An attacker could use this flaw to perform a cross-site scripting attack against users of the CUPS web interface. (CVE-2014-2856)

It was discovered that CUPS allowed certain users to create symbolic links in certain directories under /var/cache/cups/. A local user with the 'lp' group privileges could use this flaw to read the contents of arbitrary files on the system or, potentially, escalate their privileges on the system. (CVE-2014-3537, CVE-2014-5029, CVE-2014-5030, CVE-2014-5031)

The CVE-2014-3537 issue was discovered by Francisco Alonso of Red Hat Product Security.

These updated cups packages also include several bug fixes. Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat Enterprise Linux 6.6 Technical Notes, linked to in the References section, for information on the most significant of these changes.

All cups users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the cupsd daemon will be restarted automatically.

A cross-site scripting (XSS) flaw was found in the CUPS web interface.
An attacker could use this flaw to perform a cross-site scripting attack against users of the CUPS web interface. (CVE-2014-2856)

It was discovered that CUPS allowed certain users to create symbolic links in certain directories under /var/cache/cups/. A local user with the 'lp' group privileges could use this flaw to read the contents of arbitrary files on the system or, potentially, escalate their privileges on the system. (CVE-2014-3537, CVE-2014-5029, CVE-2014-5030, CVE-2014-5031)

After installing this update, the cupsd daemon will be restarted automatically.

A cross-site scripting (XSS) flaw was found in the CUPS web interface.
An attacker could use this flaw to perform a cross-site scripting attack against users of the CUPS web interface. (CVE-2014-2856)

It was discovered that CUPS allowed certain users to create symbolic links in certain directories under /var/cache/cups/. A local user with the 'lp' group privileges could use this flaw to read the contents of arbitrary files on the system or, potentially, escalate their privileges on the system. (CVE-2014-3537 , CVE-2014-5029 , CVE-2014-5030 , CVE-2014-5031)

The remote Oracle Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2014-1388 advisory.

    - Applied upstream patch to fix CVE-2014-5029 (bug #1122600),       CVE-2014-5030 (bug #1128764), CVE-2014-5031 (bug #1128767).
    - fix patch for CVE-2014-3537 (bug #1117794)
    - CVE-2014-2856: cross-site scripting flaw (bug #1117798)
    - CVE-2014-3537: insufficient checking leads to privilege escalation (bug #1117794)

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Upstream patches have been applied to prevent long-running Get-Jobs operations preventing other requests from being handled, and to fix the order of completed jobs in Get-Jobs responses. This update fixes a security flaw potentially leading to a disclosure of information.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Ubuntu 14.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-2341-1 advisory.

    Salvatore Bonaccorso discovered that the CUPS web interface incorrectly validated permissions and     incorrectly handled symlinks. An attacker could possibly use this issue to bypass file permissions and     read arbitrary files, possibly leading to a privilege escalation.

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

This update fixes various issues in CUPS.

  - Various insufficient symbolic link checking could have     lead to privilege escalation from the lp user to root.
    (CVE-2014-3537 / CVE-2014-5029 / CVE-2014-5030 /     CVE-2014-5031)

According to its banner, the version of CUPS installed on the remote host is 1.7.x prior to 1.7.5. It is, therefore, potentially affected by an information disclosure vulnerability that was incompletely corrected by the fix for CVE-2014-3537.

A flaw exists in the 'get_file' function within the file 'scheduler/client.c' regarding the handling of symlinks. This could allow a local attacker to cause normally protected files to be accessible via the web interface.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Updated cups packages fix security vulnerability :

In CUPS before 1.7.4, a local user with privileges of group=lp can write symbolic links in the rss directory and use that to gain '@SYSTEM' group privilege with cupsd (CVE-2014-3537).

It was discovered that the web interface in CUPS incorrectly validated permissions on rss files and directory index files. A local attacker could possibly use this issue to bypass file permissions and read arbitrary files, possibly leading to a privilege escalation (CVE-2014-5029, CVE-2014-5030, CVE-2014-5031).

This update fixes one security flaw as well as broken CGI script handling.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that the web interface in CUPS, the Common UNIX Printing System, incorrectly validated permissions on rss files and directory index files. A local attacker could possibly use this issue to bypass file permissions and read arbitrary files, possibly leading to a privilege escalation.

ID	Name	Product	Family	Severity
198649	RHEL 5 : cups (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	high
82361	Mandriva Linux Security Advisory : cups (MDVSA-2015:108)	Nessus	Mandriva Local Security Checks	medium
82170	Debian DLA-22-1 : cups security update	Nessus	Debian Local Security Checks	medium
79550	OracleVM 3.3 : cups (OVMSA-2014-0035)	Nessus	OracleVM Local Security Checks	high
79177	CentOS 6 : cups (CESA-2014:1388)	Nessus	CentOS Local Security Checks	medium
78842	Scientific Linux Security Update : cups on SL6.x i386/x86_64 (20141014)	Nessus	Scientific Linux Local Security Checks	medium
78781	Amazon Linux AMI : cups (ALAS-2014-438)	Nessus	Amazon Linux Local Security Checks	medium
78522	Oracle Linux 6 : cups (ELSA-2014-1388)	Nessus	Oracle Linux Local Security Checks	medium
78405	RHEL 6 : cups (RHSA-2014:1388)	Nessus	Red Hat Local Security Checks	medium
78038	Fedora 19 : cups-1.6.4-10.fc19 (2014-9703)	Nessus	Fedora Local Security Checks	low
77569	Ubuntu 14.04 LTS : CUPS vulnerabilities (USN-2341-1)	Nessus	Ubuntu Local Security Checks	medium
77217	SuSE 11.3 Security Update : CUPS (SAT Patch Number 9561)	Nessus	SuSE Local Security Checks	medium
77149	CUPS 1.7.x < 1.7.5 'get_file' Function Symlink Handling Info Disclosure	Nessus	Misc.	medium
77039	Mandriva Linux Security Advisory : cups (MDVSA-2014:151)	Nessus	Mandriva Local Security Checks	medium
76921	Fedora 20 : cups-1.7.4-3.fc20 (2014-8752)	Nessus	Fedora Local Security Checks	medium
76857	Debian DSA-2990-1 : cups - security update	Nessus	Debian Local Security Checks	medium

Detections

Analytics

CVE-2014-5029

medium

Tenable Plugins

high

medium

medium

high

medium

medium

medium

medium

medium

low

medium

medium

medium

medium

medium

medium