Amazon Linux AMI update for cups

Published: 2015-07-07

Risk	High
Patch available	YES
Number of vulnerabilities	3
CVE-ID	CVE-2014-9679 CVE-2015-1158 CVE-2015-1159
CWE-ID	CWE-119 CWE-254 CWE-79
Exploitation vector	Network
Public exploit	Public exploit code for vulnerability #2 is available.
Vulnerable software	Amazon Linux AMI Operating systems & Components / Operating system
Vendor	Amazon Web Services

Security Bulletin

This security bulletin contains information about 3 vulnerabilities.

1) Buffer overflow

EUVDB-ID: #VU32436

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2014-9679

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Integer underflow in the cupsRasterReadPixels function in filter/raster.c in CUPS before 2.0.2 allows remote attackers to have unspecified impact via a malformed compressed raster file, which triggers a buffer overflow.

Mitigation

Update the affected packages:

i686:
    cups-debuginfo-1.4.2-67.21.amzn1.i686
    cups-libs-1.4.2-67.21.amzn1.i686
    cups-php-1.4.2-67.21.amzn1.i686
    cups-devel-1.4.2-67.21.amzn1.i686
    cups-1.4.2-67.21.amzn1.i686
    cups-lpd-1.4.2-67.21.amzn1.i686

src:
    cups-1.4.2-67.21.amzn1.src

x86_64:
    cups-debuginfo-1.4.2-67.21.amzn1.x86_64
    cups-php-1.4.2-67.21.amzn1.x86_64
    cups-libs-1.4.2-67.21.amzn1.x86_64
    cups-devel-1.4.2-67.21.amzn1.x86_64
    cups-1.4.2-67.21.amzn1.x86_64
    cups-lpd-1.4.2-67.21.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

CPE2.3

cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:*

External links

https://alas.aws.amazon.com/ALAS-2015-559.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Security Features

EUVDB-ID: #VU32416

Risk: High

CVSSv4.0: 8.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]

CVE-ID: CVE-2015-1158

CWE-ID: CWE-254 - Security Features

Exploit availability: Yes

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The add_job function in scheduler/ipp.c in cupsd in CUPS before 2.0.3 performs incorrect free operations for multiple-value job-originating-host-name attributes, which allows remote attackers to trigger data corruption for reference-counted strings via a crafted (1) IPP_CREATE_JOB or (2) IPP_PRINT_JOB request, as demonstrated by replacing the configuration file and consequently executing arbitrary code.

Mitigation

Update the affected packages:

i686:
    cups-debuginfo-1.4.2-67.21.amzn1.i686
    cups-libs-1.4.2-67.21.amzn1.i686
    cups-php-1.4.2-67.21.amzn1.i686
    cups-devel-1.4.2-67.21.amzn1.i686
    cups-1.4.2-67.21.amzn1.i686
    cups-lpd-1.4.2-67.21.amzn1.i686

src:
    cups-1.4.2-67.21.amzn1.src

x86_64:
    cups-debuginfo-1.4.2-67.21.amzn1.x86_64
    cups-php-1.4.2-67.21.amzn1.x86_64
    cups-libs-1.4.2-67.21.amzn1.x86_64
    cups-devel-1.4.2-67.21.amzn1.x86_64
    cups-1.4.2-67.21.amzn1.x86_64
    cups-lpd-1.4.2-67.21.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

CPE2.3

cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:*

External links

https://alas.aws.amazon.com/ALAS-2015-559.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

3) Cross-site scripting

EUVDB-ID: #VU32417

Risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2015-1159

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

Vulnerability allows a remote attacker to perform Cross-site scripting attacks.

An input validation error exists in the cgi_puts function in cgi-bin/template.c in the template engine in CUPS before 2.0.3 when processing QUERY parameter to help/. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim's browser in security context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Update the affected packages:

i686:
    cups-debuginfo-1.4.2-67.21.amzn1.i686
    cups-libs-1.4.2-67.21.amzn1.i686
    cups-php-1.4.2-67.21.amzn1.i686
    cups-devel-1.4.2-67.21.amzn1.i686
    cups-1.4.2-67.21.amzn1.i686
    cups-lpd-1.4.2-67.21.amzn1.i686

src:
    cups-1.4.2-67.21.amzn1.src

x86_64:
    cups-debuginfo-1.4.2-67.21.amzn1.x86_64
    cups-php-1.4.2-67.21.amzn1.x86_64
    cups-libs-1.4.2-67.21.amzn1.x86_64
    cups-devel-1.4.2-67.21.amzn1.x86_64
    cups-1.4.2-67.21.amzn1.x86_64
    cups-lpd-1.4.2-67.21.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

CPE2.3

cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:*

External links

https://alas.aws.amazon.com/ALAS-2015-559.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.