ID CVE-2015-1158
Summary The add_job function in scheduler/ipp.c in cupsd in CUPS before 2.0.3 performs incorrect free operations for multiple-value job-originating-host-name attributes, which allows remote attackers to trigger data corruption for reference-counted strings via a crafted (1) IPP_CREATE_JOB or (2) IPP_PRINT_JOB request, as demonstrated by replacing the configuration file and consequently executing arbitrary code.
References
Vulnerable Configurations
  • cpe:2.3:a:cups:cups:2.0.2
CVSS
Base: 10.0 (as of 26-06-2015 - 10:35)
Impact:
Exploitability:
CWE CWE-254
CAPEC
Access
  Vector: NETWORK
  Complexity: LOW
  Authentication: NONE
Impact
  Confidentiality: COMPLETE
  Integrity: COMPLETE
  Availability: COMPLETE
exploit-db via4
  • description CUPS < 2.0.3 - Remote Command Execution. CVE-2015-1158. Remote exploit for Linux platform
    file exploits/linux/remote/41233.py
    id EDB-ID:41233
    last seen 2017-02-03
    modified 2017-02-03
    platform linux
    port
    published 2017-02-03
    reporter Exploit-DB
    source https://www.exploit-db.com/download/41233/
    title CUPS < 2.0.3 - Remote Command Execution
    type remote
  • description CUPS < 2.0.3 - Multiple Vulnerabilities. CVE-2015-1158. Remote exploits for multiple platforms
    file exploits/multiple/remote/37336.txt
    id EDB-ID:37336
    last seen 2016-02-04
    modified 2015-06-22
    platform multiple
    port
    published 2015-06-22
    reporter Google Security Research
    source https://www.exploit-db.com/download/37336/
    title CUPS < 2.0.3 - Multiple Vulnerabilities
    type remote
nessus via4
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2015-418.NASL
    description This update fixes the following issues : - CVE-2015-1158 and CVE-2015-1159 fixes a possible privilege escalation via cross-site scripting and bad print job submission used to replace cupsd.conf on server (CUPS STR#4609 CERT-VU-810572 CVE-2015-1158 CVE-2015-1159 bugzilla.suse.com bsc#924208). In general it is crucial to limit access to CUPS to trustworthy users who do not misuse their permission to submit print jobs which means to upload arbitrary data onto the CUPS server, see https://en.opensuse.org/SDB:CUPS_and_SANE_Firewall_settings and cf. the entries about CVE-2012-5519 below.
    last seen 2019-02-21
    modified 2015-06-29
    plugin id 84184
    published 2015-06-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84184
    title openSUSE Security Update : cups (openSUSE-2015-418)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_A40EC9700EFA11E590E4D050996490D0.NASL
    description CUPS development team reports : The new release addresses two security vulnerabilities, add localizations for German and Russian, and includes several general bug fixes. Changes include : Security: Fixed CERT VU #810572/CVE-2015-1158/CVE-2015-1159 exploiting the dynamic linker (STR #4609) Security: The scheduler could hang with malformed gzip data (STR #4602)
    last seen 2019-02-21
    modified 2018-12-19
    plugin id 84070
    published 2015-06-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84070
    title FreeBSD : cups -- multiple vulnerabilities (a40ec970-0efa-11e5-90e4-d050996490d0)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2015-1123.NASL
    description Updated cups packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. CUPS provides a portable printing layer for Linux, UNIX, and similar operating systems. A string reference count bug was found in cupsd, causing premature freeing of string objects. An attacker can submit a malicious print job that exploits this flaw to dismantle ACLs protecting privileged operations, allowing a replacement configuration file to be uploaded which in turn allows the attacker to run arbitrary code in the CUPS server (CVE-2015-1158) A cross-site scripting flaw was found in the cups web templating engine. An attacker could use this flaw to bypass the default configuration settings that bind the CUPS scheduler to the 'localhost' or loopback interface. (CVE-2015-1159) An integer overflow leading to a heap-based buffer overflow was found in the way cups handled compressed raster image files. An attacker could create a specially crafted image file, which when passed via the cups Raster filter, could cause the cups filter to crash. (CVE-2014-9679) Red Hat would like to thank the CERT/CC for reporting CVE-2015-1158 and CVE-2015-1159 issues. All cups users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the cupsd daemon will be restarted automatically.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 84258
    published 2015-06-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84258
    title RHEL 6 / 7 : cups (RHSA-2015:1123)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2015-0071.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - CVE-2015-1158, CVE-2015-1159, CVE-2014-9679 (bug #1229982).
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 84257
    published 2015-06-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84257
    title OracleVM 3.3 : cups (OVMSA-2015-0071)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201510-07.NASL
    description The remote host is affected by the vulnerability described in GLSA-201510-07 (CUPS: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in cups. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could possibly execute arbitrary code with the privileges of the process, or cause a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2015-11-02
    plugin id 86692
    published 2015-11-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86692
    title GLSA-201510-07 : CUPS: Multiple vulnerabilities
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2015-9726.NASL
    description New upstream bug-fix release. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-19
    plugin id 84310
    published 2015-06-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84310
    title Fedora 22 : cups-2.0.3-1.fc22 (2015-9726)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2015-1044-1.NASL
    description The following issues are fixed by this update : - CVE-2012-5519: privilege escalation via cross-site scripting and bad print job submission used to replace cupsd.conf on server (bsc#924208). - CVE-2015-1158: Improper Update of Reference Count - CVE-2015-1159: Cross-Site Scripting Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-02-06
    plugin id 119965
    published 2019-01-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=119965
    title SUSE SLES12 Security Update : cups154 (SUSE-SU-2015:1044-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2015-1041-1.NASL
    description The following issues are fixed by this update : - CVE-2012-5519: privilege escalation via cross-site scripting and bad print job submission used to replace cupsd.conf on server (bsc#924208). - CVE-2015-1158: Improper Update of Reference Count - CVE-2015-1159: Cross-Site Scripting Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 84145
    published 2015-06-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84145
    title SUSE SLED12 / SLES12 Security Update : cups (SUSE-SU-2015:1041-1)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20150617_CUPS_ON_SL6_X.NASL
    description A string reference count bug was found in cupsd, causing premature freeing of string objects. An attacker can submit a malicious print job that exploits this flaw to dismantle ACLs protecting privileged operations, allowing a replacement configuration file to be uploaded which in turn allows the attacker to run arbitrary code in the CUPS server (CVE-2015-1158) A cross-site scripting flaw was found in the cups web templating engine. An attacker could use this flaw to bypass the default configuration settings that bind the CUPS scheduler to the 'localhost' or loopback interface. (CVE-2015-1159) An integer overflow leading to a heap-based buffer overflow was found in the way cups handled compressed raster image files. An attacker could create a specially crafted image file, which when passed via the cups Raster filter, could cause the cups filter to crash. (CVE-2014-9679) After installing this update, the cupsd daemon will be restarted automatically.
    last seen 2019-02-21
    modified 2018-12-28
    plugin id 84259
    published 2015-06-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84259
    title Scientific Linux Security Update : cups on SL6.x, SL7.x i386/x86_64
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2015-188-01.NASL
    description New cups packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 84588
    published 2015-07-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84588
    title Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : cups (SSA:2015-188-01)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2629-1.NASL
    description It was discovered that CUPS incorrectly handled reference counting when handling localized strings. A remote attacker could use this issue to escalate permissions, upload a replacement CUPS configuration file, and execute arbitrary code. (CVE-2015-1158) It was discovered that the CUPS templating engine contained a cross-site scripting issue. A remote attacker could use this issue to bypass default configuration settings. (CVE-2015-1159). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 84117
    published 2015-06-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84117
    title Ubuntu 12.04 LTS / 14.04 LTS / 14.10 / 15.04 : cups vulnerabilities (USN-2629-1)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-239.NASL
    description Two critical vulnerabilities have been found in the CUPS printing system : CVE-2015-1158 - Improper Update of Reference Count Cupsd uses reference-counted strings with global scope. When parsing a print job request, cupsd over-decrements the reference count for a string from the request. As a result, an attacker can prematurely free an arbitrary string of global scope. They can use this to dismantle ACL’s protecting privileged operations, and upload a replacement configuration file, and subsequently run arbitrary code on a target machine. This bug is exploitable in default configurations, and does not require any special permissions other than the basic ability to print. CVE-2015-1159 - Cross-Site Scripting A cross-site scripting bug in the CUPS templating engine allows the above bug to be exploited when a user browses the web. This XSS is reachable in the default configuration for Linux instances of CUPS, and allows an attacker to bypass default configuration settings that bind the CUPS scheduler to the ‘localhost’ or loopback interface. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-06
    plugin id 84061
    published 2015-06-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84061
    title Debian DLA-239-1 : cups security update
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3283.NASL
    description It was discovered that CUPS, the Common UNIX Printing System, is vulnerable to a remotely triggerable privilege escalation via cross-site scripting and bad print job submission used to replace cupsd.conf on the CUPS server.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 84063
    published 2015-06-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84063
    title Debian DSA-3283-1 : cups - security update
  • NASL family Misc.
    NASL id CUPS_2_0_3.NASL
    description According to its banner, the CUPS printer service running on the remote host is a version prior to 2.0.3. It is, therefore, potentially affected by the following vulnerabilities : - A privilege escalation vulnerability exists due to a flaw in cupsd when handling printer job request errors. An unauthenticated, remote attacker can exploit this, with a specially crafted request, to prematurely free an arbitrary string of global scope, creating a dangling pointer to a repurposed block of memory on the heap, causing ACL verification to fail when parsing 'admin/conf' and 'admin' ACLs. This allows an attacker to upload a replacement CUPS configuration file. (CVE-2015-1158) - A cross-site scripting vulnerability exists due to improper sanitization of user-supplied input to the 'QUERY' parameter of the help page. This allows a remote attacker, with a specially crafted request, to execute arbitrary script code. (CVE-2015-1159) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 84149
    published 2015-06-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84149
    title CUPS < 2.0.3 Multiple Vulnerabilities
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2015-1123.NASL
    description Updated cups packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. CUPS provides a portable printing layer for Linux, UNIX, and similar operating systems. A string reference count bug was found in cupsd, causing premature freeing of string objects. An attacker can submit a malicious print job that exploits this flaw to dismantle ACLs protecting privileged operations, allowing a replacement configuration file to be uploaded which in turn allows the attacker to run arbitrary code in the CUPS server (CVE-2015-1158) A cross-site scripting flaw was found in the cups web templating engine. An attacker could use this flaw to bypass the default configuration settings that bind the CUPS scheduler to the 'localhost' or loopback interface. (CVE-2015-1159) An integer overflow leading to a heap-based buffer overflow was found in the way cups handled compressed raster image files. An attacker could create a specially crafted image file, which when passed via the cups Raster filter, could cause the cups filter to crash. (CVE-2014-9679) Red Hat would like to thank the CERT/CC for reporting CVE-2015-1158 and CVE-2015-1159 issues. All cups users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the cupsd daemon will be restarted automatically.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 84276
    published 2015-06-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84276
    title CentOS 6 / 7 : cups (CESA-2015:1123)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2015-559.NASL
    description A string reference count bug was found in cupsd, causing premature freeing of string objects. An attacker can submit a malicious print job that exploits this flaw to dismantle ACLs protecting privileged operations, allowing a replacement configuration file to be uploaded which in turn allows the attacker to run arbitrary code in the CUPS server (CVE-2015-1158) A cross-site scripting flaw was found in the cups web templating engine. An attacker could use this flaw to bypass the default configuration settings that bind the CUPS scheduler to the 'localhost' or loopback interface. (CVE-2015-1159) An integer overflow leading to a heap-based buffer overflow was found in the way cups handled compressed raster image files. An attacker could create a specially crafted image file, which when passed via the cups Raster filter, could cause the cups filter to crash. (CVE-2014-9679)
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 84595
    published 2015-07-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84595
    title Amazon Linux AMI : cups (ALAS-2015-559)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2015-9801.NASL
    description This update fixed 2 security flaws. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-19
    plugin id 84311
    published 2015-06-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84311
    title Fedora 21 : cups-1.7.5-17.fc21 (2015-9801)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2015-1044-2.NASL
    description The following issues are fixed by this update : - CVE-2012-5519: privilege escalation via cross-site scripting and bad print job submission used to replace cupsd.conf on server (bsc#924208). - CVE-2015-1158: Improper Update of Reference Count - CVE-2015-1159: Cross-Site Scripting Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-02-06
    plugin id 119966
    published 2019-01-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=119966
    title SUSE SLES12 Security Update : cups154 (SUSE-SU-2015:1044-2)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2015-1123.NASL
    description From Red Hat Security Advisory 2015:1123 : Updated cups packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. CUPS provides a portable printing layer for Linux, UNIX, and similar operating systems. A string reference count bug was found in cupsd, causing premature freeing of string objects. An attacker can submit a malicious print job that exploits this flaw to dismantle ACLs protecting privileged operations, allowing a replacement configuration file to be uploaded which in turn allows the attacker to run arbitrary code in the CUPS server (CVE-2015-1158) A cross-site scripting flaw was found in the cups web templating engine. An attacker could use this flaw to bypass the default configuration settings that bind the CUPS scheduler to the 'localhost' or loopback interface. (CVE-2015-1159) An integer overflow leading to a heap-based buffer overflow was found in the way cups handled compressed raster image files. An attacker could create a specially crafted image file, which when passed via the cups Raster filter, could cause the cups filter to crash. (CVE-2014-9679) Red Hat would like to thank the CERT/CC for reporting CVE-2015-1158 and CVE-2015-1159 issues. All cups users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the cupsd daemon will be restarted automatically.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 84256
    published 2015-06-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84256
    title Oracle Linux 6 / 7 : cups (ELSA-2015-1123)
packetstorm via4
redhat via4
advisories
rhsa
id RHSA-2015:1123
rpms
  • cups-1:1.4.2-67.el6_6.1
  • cups-devel-1:1.4.2-67.el6_6.1
  • cups-libs-1:1.4.2-67.el6_6.1
  • cups-lpd-1:1.4.2-67.el6_6.1
  • cups-php-1:1.4.2-67.el6_6.1
  • cups-1:1.6.3-17.el7_1.1
  • cups-client-1:1.6.3-17.el7_1.1
  • cups-devel-1:1.6.3-17.el7_1.1
  • cups-filesystem-1:1.6.3-17.el7_1.1
  • cups-ipptool-1:1.6.3-17.el7_1.1
  • cups-libs-1:1.6.3-17.el7_1.1
  • cups-lpd-1:1.6.3-17.el7_1.1
refmap via4
bid 75098
cert-vn VU#810572
confirm
debian DSA-3283
exploit-db
  • 37336
  • 41233
gentoo GLSA-201510-07
misc
sectrack 1032556
suse
  • SUSE-SU-2015:1041
  • SUSE-SU-2015:1044
  • openSUSE-SU-2015:1056
ubuntu USN-2629-1
Last major update 23-02-2017 - 21:59
Published 26-06-2015 - 06:59
Last modified 22-09-2017 - 21:29