Solved

cups-lpd/cups security vulnerability (chkconfig --list | grep cups ==> equivalent to lpd in Solaris/HPUX?)

Posted on 2008-10-14
Last Modified: 2012-05-05
CUPS security vulnerability - how to determine if Unix servers are affected

Question: Hi,

1)
I received the following security note from our security team.  Appreciate it if someone
can give me the specific command to determine if I'm affected.  Is it 'cups' or
'cups-lpd' that this vulnerability (see below) is referring to?
In Linux, "chkconfig --list | grep -i cups" listed 2 services:
cups-lpd & cups

2)
What TCP/UDP port do cups & cups-lpd use?

3)
Is this vulnerability applicable to Solaris & HP-UX's lp or print services?

4)
I suppose to disable them it's just
"chkconfig cups off" &
"chkconfig cups-lpd off"
If the Linux box is rebooted, will this continue to be
disabled, or will it revert back to "on" again?


The security notification I received is as follows:

[Summary]
Some vulnerabilities have been reported in CUPS (Common UNIX Printing System), which potentially can be exploited by malicious people to execute arbitrary code on the target system.

1) Two boundary errors exist in the implementation of the HP-GL/2 filter. These can be exploited to cause buffer overflows via HP-GL/2 files containing overly large pen numbers.

2) A boundary error exists within the "read_rle16()" function when processing SGI (Silicon Graphics Image) files. This can be exploited to cause a heap-based buffer overflow via a specially crafted SGI file.

3) An integer overflow error exists within the "WriteProlog()" function included in the "texttops" utility. This can be exploited to cause a heap-based buffer overflow via a specially crafted file.

[Solution/Workaround]
Update to version 1.3.9.

[Affected System]
Operating Systems running CUPS version prior to 1.3.9.

[Reference]
http://cups.org/articles.php?L575
http://www.cups.org/str.php?L2911
http://www.cups.org/str.php?L2918
http://www.cups.org/str.php?L2919
http://secunia.com/advisories/32226/
Question by: sunhux
Assisted Solution by: ahoffmann (ID: 22716288)
> .. command to determine if I'm affected ..
  su root -c "ps ax"|grep -i cups
  su root -c "ps -el"|grep -i cups
  su root -c 'grep -i cups /etc/{x,}inetd.conf /etc/xinetd.d/*'
If any of the commands reports something, you're probably affected.

2) cups does not use a specific port usually, maybe 631
4) this will disable cups after reboot (if your system supports chkconfig)
Assisted Solution by: ckhsu1977 (ID: 22716336)
What version of cups does the system have?
Accepted Solution by: gheist (ID: 22726738)
1) who cares - automatic scanners do fail
2) as a client or as a server? basically 631 for the management webserver and IPP, and anything that's used by LPD and Samba if they are in use
3) No. But they have their own vulnerabilities.
4) do /etc/init.d/cups stop
and see which of the other services launches CUPS. I suspect Samba.

To fix:
You should list packages
rpm -q cups

And update them via normal means:
yum update
or
zypper up
or something like that (depends on system)

If you had CUPS 1.2.x then config files changed from to XML and you should redo all configuration.

Workarounds & other thoughts:
1) The HP-GL2 filter is used for HP plotters, so you are vulnerable if you have one (in this case I assume you already use a Windows driver that produces HP-GL2 and cups filtering is not used, so you can use nothing for the plotter filter)
2) Actually SGI RLE compressed bitmaps are produced only by IRIX (and by malicious users)
3) You can use a2ps (a very old tool) to replace texttops, if you actually do print text files, like from Windows with the Generic/Text driver

Author Comment by: sunhux (ID: 22756506)
Thanks, I found it's only our Linux boxes that have them enabled
(chkconfig --list | grep -i cup) while the Solaris & HP-UX don't.

Since we don't need cups, I've done "chkconfig --level 012345 cups... off"
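The checks in this thread (ahoffmann's ps and inetd grep, gheist's "rpm -q cups" version check, and the chkconfig runlevel status the asker used) combined into one read-only audit script, added here as an example and not code from any of the posters. It assumes an RPM-based Linux with chkconfig and netstat or ss available, and compares the packaged version against the fixed release 1.3.9 named in the advisory.

```shell
#!/bin/sh
FIXED_VERSION="1.3.9"   # fixed release named in the advisory
# Return 0 when dotted version $1 is older than $2 (e.g. 1.3.7 < 1.3.9).
# Missing components count as 0; a suffix such as "8rc1" compares as 8.
version_older_than() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            p = (i <= n) ? x[i] + 0 : 0
            q = (i <= m) ? y[i] + 0 : 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 1 }'
}

# Print every sign of CUPS on this host; return 0 if any was found, else 1.
# Assumes an RPM-based Linux with chkconfig; every command here is read-only.
cups_audit() {
    found=1
    if rpm -q cups >/dev/null 2>&1; then                 # installed package
        ver=$(rpm -q --queryformat '%{VERSION}' cups)
        echo "package : cups $ver"
        if version_older_than "$ver" "$FIXED_VERSION"; then
            echo "VULNERABLE: $ver predates $FIXED_VERSION; update (yum update / zypper up)"
        fi
        found=0
    fi
    if chkconfig --list 2>/dev/null | grep -i cups | grep -q ':on'; then
        echo "boot    : a cups service is still 'on' in some runlevel"
        found=0
    fi
    if ps -e 2>/dev/null | grep -qi cups; then           # cupsd / cups-lpd running
        echo "process : $(ps -e | grep -i cups | tr -s ' ')"
        found=0
    fi
    if grep -qi cups /etc/inetd.conf /etc/xinetd.d/* 2>/dev/null; then
        echo "inetd   : cups-lpd entry present (served on tcp/515)"
        found=0
    fi
    # cupsd serves IPP and its web interface on tcp/631; cups-lpd uses tcp/515
    listeners=$( (netstat -ltn 2>/dev/null || ss -ltn 2>/dev/null) | grep -E ':(631|515)[[:space:]]')
    if [ -n "$listeners" ]; then
        echo "listen  : $listeners"
        found=0
    fi
    return $found
}
cups_audit || echo "no sign of CUPS on this host"
```

The version comparison is deliberately numeric per component, so a distribution string like 1.3.8rc1 is still reported as older than 1.3.9 rather than being missed by a plain string compare.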
Expert Comment by: gheist (ID: 22757608)
You can uninstall cups afterwards. Or update. Or at least look into updating packages. And examine startup packages - I don't think you need numlock and acon running, for instance...
HP-UX and Solaris do not use cups; they use their own LPD, which can be complemented with extra drivers and IPP support by adding CUPS.