ID CVE-2015-0839
Summary The hp-plugin utility in HP Linux Imaging and Printing (HPLIP) makes it easier for man-in-the-middle attackers to execute arbitrary code by leveraging use of a short GPG key id from a keyserver to verify print plugin downloads.
References
Vulnerable Configurations
  • cpe:2.3:a:hp:linux_imaging_and_printing:3.17.7
CVSS
Base: 6.8
Impact:
Exploitability:
CWE CWE-320
CAPEC
nessus via4
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2699-1.NASL
    description Enrico Zini discovered that HPLIP used a short GPG key ID when downloading keys from the keyserver. An attacker could possibly use this to return a different key with a duplicate short key id and perform a man-in-the-middle attack on printer plugin installations. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 85157
    published 2015-07-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85157
    title Ubuntu 12.04 LTS / 14.04 LTS / 15.04 : hplip vulnerability (USN-2699-1)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2015-11723.NASL
    description New upstream bug-fix release, which fixes CVE-2015-0839. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-01-30
    plugin id 85063
    published 2015-07-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85063
    title Fedora 22 : hplip-3.15.7-1.fc22 (2015-11723)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-775.NASL
    description CVE-2015-0839: The hplip plugin download function verifies the driver using a short-key. This is not secure because it is trivial to generate keys with arbitrary key IDs. For Debian 7 'Wheezy', these problems have been fixed in version 3.12.6-3.1+deb7u2. We recommend that you upgrade your hplip packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-09
    plugin id 96191
    published 2017-01-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96191
    title Debian DLA-775-1 : hplip security update
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2015-11916.NASL
    description Fixes CVE-2015-0839. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-01-30
    plugin id 85095
    published 2015-07-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85095
    title Fedora 21 : hplip-3.14.10-9.fc21 (2015-11916)
refmap via4
bid 74913
confirm
fedora
  • FEDORA-2015-11723
  • FEDORA-2015-11916
mlist [oss-security] 20150529 [CVE-2015-0839] hp-plugin binary driver verification
ubuntu USN-2699-1
Last major update 02-08-2017 - 15:29
Published 02-08-2017 - 15:29
Last modified 25-08-2017 - 07:42