Software Engineering Institute

CWE-911: Improper Update of Reference Count - CVE-2015-1158

An issue with how localized strings are handled in cupsd allows a reference counter to over-decrement when handling certain print job request errors. As a result, an attacker can prematurely free an arbitrary string of global scope, creating a dangling pointer to a repurposed block of memory on the heap. The dangling pointer causes ACL verification to fail when parsing 'admin/conf' and 'admin' ACLs. The ACL handling failure results in unrestricted access to privileged operations, allowing an unauthenticated remote user to upload a replacement CUPS configuration file and mount further attacks.

This vulnerability was introduced in CUPS 1.2.0, released in 2006. All major versions of CUPS from 1.2 to 2.0 are vulnerable. This vulnerability is exploitable by default and without any special permissions other than the ability to send a print job request.

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CVE-2015-1159

A cross-site scripting bug in the CUPS templating engine allows this bug to be exploited when a user browses the web. In certain cases, the CGI template can echo user input to file rather than escaping the text first. This may be used to set up a reflected XSS attack in the QUERY parameter of the web interface help page. By default, many linux distributions run with the web interface activated; OS X has the web interface deactivated by default.

The CVSS score below is based on CVE-2015-1158.

CVE-2015-1158 may allow a remote unauthenticated attacker access to privileged operations on the CUPS server. CVE-2015-1159 may allow an attacker to execute arbitrary javascript in a user's browser.

Apply an update

A patch addressing these issues has been released for all supported versions of CUPS. For the version 2.0 branch (the latest release), 2.0.3 contains the patch. Affected users are encouraged to update as soon as possible.