CUPS disclose passwords in log files
| cups-password-disclosure (17593) |  Medium Risk |
Description:
The Common Unix Printing System (CUPS) could allow a local attacker to obtain sensitive information, when specific methods of authenticated remote printing are performed. A local attacker could obtain log files that contain user passwords.
Consequences:
Obtain Information
Remedy:
Upgrade to the latest version of CUPS (1.1.22rc1 or later), available from the CUPS Web site. See References.
Apply Security Update 2004-09-30, available from the AppleCare Knowledge Base Document 61798. See References.
For Debian GNU/Linux 3.0 (alias woody):
Upgrade to the latest cupsys package (1.1.14-5woody7 or later), as listed in DSA-566-1. See References.
For Red Hat Linux:
Upgrade to the latest cups package, as listed below. Refer to RHSA-2004:543-15 for more information. See References.
Red Hat Enterprise Linux AS (v. 3), ES (v. 3), WS (v. 3), Desktop: 1.1.17-13.3.16.x86_64 or later
For Mandrake Linux:
Upgrade to the latest cups package, as listed below. Refer to MandrakeSoft Security Advisory MDKSA-2004:116 for more information. See References.
Mandrake Linux 9.2: 1.1.19-10.3.92mdk or later
Mandrake Linux Multi Network Firewall 8.2: 1.1.18-2.3.M82mdk or later
Mandrake Linux Corporate Server 2.1: 1.1.18-2.5.C21mdk or later
Mandrake Linux 10.0: 1.1.20-5.3.100mdk or later
For other distributions:
Contact your vendor for upgrade or patch information.
References:
- AppleCare Knowledge Base Document 61798: Apple Security Update 2004-09-30.
- CIAC Information Bulletin P-002: Apple Security Update.
- CIAC Information Bulletin P-014: CUPS Information Leak.
- CIAC Information Bulletin P-019: Red Hat Updated CUPS Packages Fix Security Issues.
- CUPS Web site: Common UNIX Printing System.
- BID-11324: CUPS Error_Log Local Password Disclosure Vulnerability
- CVE-2004-0923: CUPS 1.1.20 and earlier records authentication information for a device URI in the error_log file, which allows local users to obtain user names and passwords.
- DSA-566: cupsys -- unsanitised input
- GLSA-200410-06: CUPS: Leakage of sensitive information
- MDKSA-2004:116: Updated cups packages fix DoS vulnerabilities
- RHSA-2004-543: cups security update
- US-CERT VU#557062: CUPS stores user account details in plain text in log file
Platforms Affected:
- Apple Mac OS X 10.2.8
- Apple Mac OS X 10.3.5
- Apple Mac OS X Server 10.2.8
- Apple Mac OS X Server 10.3.5
- Debian Debian Linux 3.0
- Gentoo Linux
- MandrakeSoft Mandrake Linux 10.0 AMD64
- MandrakeSoft Mandrake Linux 10.0
- MandrakeSoft Mandrake Linux 10.1
- MandrakeSoft Mandrake Linux 10.1 X86_64
- MandrakeSoft Mandrake Linux 8.2
- MandrakeSoft Mandrake Linux 9.2 AMD64
- MandrakeSoft Mandrake Linux 9.2
- MandrakeSoft Mandrake Linux Corporate Server 2.1
- MandrakeSoft Mandrake Linux Corporate Server 2.1 X86_64
- MandrakeSoft Mandrake Multi Network Firewall 8.2
- RedHat Enterprise Linux 3 AS
- RedHat Enterprise Linux 3 Desktop
- RedHat Enterprise Linux 3 ES
- RedHat Enterprise Linux 3 WS
Reported:
Oct 05, 2004
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net