#VU32416 Security Features in CUPS - CVE-2015-1158


Updated: 2020-07-29

Vulnerability identifier: #VU32416

Vulnerability risk: High

CVSSv4.0: 8.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]

CVE-ID: CVE-2015-1158

CWE-ID: CWE-254

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
CUPS
Server applications / Other server solutions

Vendor: Apple Inc.

Description

The vulnerability allows a remote unauthenticated attacker to execute arbitrary code.

The add_job function in scheduler/ipp.c in cupsd in CUPS before 2.0.3 performs incorrect free operations for multiple-value job-originating-host-name attributes, which allows remote attackers to trigger data corruption for reference-counted strings via a crafted (1) IPP_CREATE_JOB or (2) IPP_PRINT_JOB request, as demonstrated by replacing the configuration file and consequently executing arbitrary code.

Mitigation
Install the update from the vendor's website.

Vulnerable software versions

CUPS: 2.0.0 - 2.0.2


External links
https://googleprojectzero.blogspot.in/2015/06/owning-internet-printing-case-study-in.html
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10702
https://lists.opensuse.org/opensuse-security-announce/2015-06/msg00003.html
https://lists.opensuse.org/opensuse-security-announce/2015-06/msg00006.html
https://lists.opensuse.org/opensuse-security-announce/2015-06/msg00010.html
https://rhn.redhat.com/errata/RHSA-2015-1123.html
https://www.cups.org/blog.php?L1082
https://www.debian.org/security/2015/dsa-3283
https://www.kb.cert.org/vuls/id/810572
https://www.securityfocus.com/bid/75098
https://www.securitytracker.com/id/1032556
https://www.ubuntu.com/usn/USN-2629-1
https://bugzilla.opensuse.org/show_bug.cgi?id=924208
https://bugzilla.redhat.com/show_bug.cgi?id=1221641
https://code.google.com/p/google-security-research/issues/detail?id=455
https://github.com/0x00string/oldays/blob/master/CVE-2015-1158.py
https://security.gentoo.org/glsa/201510-07
https://www.cups.org/str.php?L4609
https://www.exploit-db.com/exploits/37336/
https://www.exploit-db.com/exploits/41233/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote unauthenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

