Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1250
  • Last Modified:

cups-lpd/cups security vulnerability (chkconfig --list | grep cups ==> equivalent to lpd in Solaris/HPUX?)

CUPS security vulnerability - how to determine if Unix servers are affectedQuestion: Hi,

!)
I received following security note from our security team.  Apreciate if someone
can give me the specific command to determine if I'm affected.  Is it 'cups' or
'cups-lpd'  that this vulnerability(see below)  is referring to
In Linux  "chkconfig --list | grep -i cups"   listed 2 services :
cups-lpd  &  cups

2)
what's the Tcp/Udp port cups & cups-lpd uses?

3)
Is this vulnerability applicable to Solaris & HP-UX's   lp or print services?

4)
I suppose to disable them, it's just
"chkconfig cups off" &
"chkconfig cups-lpd off"
If the Linux box is rebooted, will this continue to be
disabled or it will revert back to "on" again.


Security notification I received is as follows :

[Summary]
Some vulnerabilities have been reported in CUPS (Common UNIX Printing System), which potentially can be exploited by malicious people to execute arbitrary code on the target system.

1) Two boundary errors exist in the implementation of the HP-GL/2 filter. These can be exploited to cause buffer overflows via HP-GL/2 files containing overly large pen numbers.

2) A boundary error exists within the "read_rle16()" function when processing SGI (Silicon Graphics Image) files. This can be exploited to cause a heap-based buffer overflow via a specially crafted SGI file.

3) An integer overflow error exists within the "WriteProlog()" function included in the "texttops" utility. This can be exploited to cause a heap-based buffer overflow via a specially crafted file.

[Solution/Workaround]
Update to version 1.3.9.

[Affected System]
Operating Systems running CUPS version prior to 1.3.9.

[Reference]
http://cups.org/articles.php?L575
http://www.cups.org/str.php?L2911
http://www.cups.org/str.php?L2918
http://www.cups.org/str.php?L2919
http://secunia.com/advisories/32226/
0
sunhux
Asked:
sunhux
3 Solutions
 
ahoffmannCommented:
> .. command to determine if I'm affected ..
  su root -c "ps ax"|grep -i cups
  su root -c "ps -el"|grep -i cups
  su root -c 'grep -i cups /etc/{x,}inetd.conf /etc/xinetd.d/*'
if any of the commands reports something you're probably affected.

2) cups does not use a specific port usually, may be 631
4) this will disable cups after reboot (if your systemsupports chkconfig
0
 
ckhsu1977Commented:
what version of cups does the system have?
0
 
gheistCommented:
!) who cares -automatic scanners do fail
2) as a client or as a server? basically 631 for management webserver and IPP and anything thats used by LPD and Smaba if they are in use
3) No. But they have their own vulnerabilities.
4) do /etc/init.d/cups stop
and see which of other services launches CUPS. I suspect Samba

To fix:
You should list packages
rpm -q cups

And update them via normal means:
yum update
or
zypper up
or smth like that (depends on system)

If you had CUPS 1.2.x then config files changed from to XML and you should redo all configuration.

Workarounds & other thoughts:
1) HP-GL2 filter is used for HP plotters, so you are vulnerable if you have one (in this case I assume you already use Windows driver that produces HP-GL2 and cups filtering is not used, so you can use nothing for plotter filter)
2) Actually SGI RLE compressed bitmaps are produced only by IRIX (and by malicious users)
3) You can use a2ps (very old tool) to replace texttops, if you actually do print text files like from windows with Generic/Text driver

0
 
sunhuxAuthor Commented:
Thanks, I found it's only our Linux boxes have them enabled
(chkconfig --list | grep -i cup) while the Solaris & HP-UX don't.

Since we don't need cups, I've done "chkconfig --level 012345 cups... off"
0
 
gheistCommented:
You can uninstall cups afterwards. Or update. Or at least look into updating packages. And examine startup packages - I dont think you need numlock and acon running for instance...
 HP-UX and Solaris does not use cups, they use their own LPD that can be complemeted with extra drivers and IPP support by adding CUPS.
0

Featured Post

 The Evil-ution of Network Security Threats

What are the hacks that forever changed the security industry? To answer that question, we created an exciting new eBook that takes you on a trip through hacking history. It explores the top hacks from the 80s to 2010s, why they mattered, and how the security industry responded.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now