CUPS Subscription Incorrectly Uses Guest Account DoS Vulnerability Network Vulnerability

Summary

This host is running CUPS (Common UNIX Printing System) Service, which is prone to Denial of Service Vulnerability.

Impact

Successful exploitation causes Denial of Service condition. Impact Level: Application

Solution

Upgrade to CUPS Version 1.3.8 or later. http://www.cups.org/software.php

Insight

The flaw is due to error in web interface (cgi-bin/admin.c), which uses the guest username when a user is not logged on to the web server. This leads to CSRF attacks with the add/cancel RSS subscription functions.

Affected

CUPS Versions prior to 1.3.8 on Linux.

References

http://www.cups.org/str.php?L2774
http://www.gnucitizen.org/blog/pwning-ubuntu-via-cups/
http://www.openwall.com/lists/oss-security/2008/11/19/3

Updated on 2015-03-25

Severity

Classification

CVE CVE-2008-5183, CVE-2008-5184
CVSS Base Score: 10.0
AV:N/AC:L/Au:N/C:C/I:C/A:C

Related Vulnerabilities

Easy RM to MP3 Converter Buffer Overflow Vulnerability
Apache httpd Web Server Range Header Denial of Service Vulnerability
Aast! Antivirus 'aavmker4.sys' Denial Of Service Vulnerability (Win)
connect to all open ports
CUPS Multiple Vulnerabilities - Oct08

CUPS Subscription Incorrectly uses Guest Account DoS Vulnerability

Take action and discover your vulnerabilities