Bugzilla – Bug 1115750
VUL-0: CVE-2018-4700: cups: session cookie is extremely predictable, effectively breaking the CSRF protection of the CUPS web interface
Last modified: 2019-04-04 08:12:54 UTC
Date: Mon, 12 Nov 2018 13:05:42 -0800 (PST) 
From: "product-security@apple.com" <product-security@apple.com>
To: odyx@debian.org, till.kamppeter@gmail.com, jsmeix@suse.de, zdohnal@redhat.com, korobkin+op@gmail.com, cert@cert.org
Subject: Coordinated disclosure for CUPS security issue; Follow-up: 703576046

Hello,

We would like to inform you of a security issue in CUPS on Linux.

Issue:
==================================================

CUPS generates session cookies as follows in cgi_set_sid():

----------------------------------------
  if ((remote_addr = getenv("REMOTE_ADDR")) == NULL)
    remote_addr = "REMOTE_ADDR";
  if ((server_name = getenv("SERVER_NAME")) == NULL)
    server_name = "SERVER_NAME";
  if ((server_port = getenv("SERVER_PORT")) == NULL)
    server_port = "SERVER_PORT";

  CUPS_SRAND(time(NULL));

  snprintf(buffer, sizeof(buffer), "%s:%s:%s:%02X%02X%02X%02X%02X%02X%02X%02X",
           remote_addr, server_name, server_port,
           (unsigned)CUPS_RAND() & 255, (unsigned)CUPS_RAND() & 255,
           (unsigned)CUPS_RAND() & 255, (unsigned)CUPS_RAND() & 255,
           (unsigned)CUPS_RAND() & 255, (unsigned)CUPS_RAND() & 255,
           (unsigned)CUPS_RAND() & 255, (unsigned)CUPS_RAND() & 255);
  cupsHashData("md5", (unsigned char *)buffer, strlen(buffer), sum, sizeof(sum));

  cgiSetCookie(CUPS_SID, cupsHashString(sum, sizeof(sum), sid, sizeof(sid)), "/", NULL, 0, 0);
----------------------------------------

Note the CUPS_SRAND(time(NULL)).

CUPS_SRAND() and CUPS_RAND() have four possible definitions, depending on the environment:

----------------------------------------
#ifdef HAVE_ARC4RANDOM
#  define CUPS_RAND() arc4random()
#  define CUPS_SRAND(v)
#elif defined(HAVE_RANDOM)
#  define CUPS_RAND() random()
#  define CUPS_SRAND(v) srandom(v)
#elif defined(HAVE_LRAND48)
#  define CUPS_RAND() lrand48()
#  define CUPS_SRAND(v) srand48(v)
#else
#  define CUPS_RAND() rand()
#  define CUPS_SRAND(v) srand(v)
#endif /* HAVE_ARC4RANDOM */
----------------------------------------

On a typical Linux system, HAVE_ARC4RANDOM is not defined, but HAVE_RANDOM is defined; so CUPS_RAND() is random(), and CUPS_SRAND() is srandom().

This means that the session cookie is extremely predictable, effectively breaking the CSRF protection of the CUPS web interface.

Luckily, this isn't very useful unless the user has already authenticated to CUPS; and because CUPS uses HTTP basic auth for authentication, an attacker can't forcibly sign the user in (e.g. Chrome forbids it completely, Firefox shows a confirmation prompt).

==================================================
Patch:
==================================================

Attached: cups-session-id.patch

diff --git a/cgi-bin/var.c b/cgi-bin/var.c index 649b65ba..579f23ba 100644 --- a/cgi-bin/var.c +++ b/cgi-bin/var.c @@ -1207,6 +1207,7 @@ cgi_set_sid(void) const char *remote_addr, /* REMOTE_ADDR */ *server_name, /* SERVER_NAME */ *server_port; /* SERVER_PORT */ + struct timeval curtime; /* Current time */ if ((remote_addr = getenv("REMOTE_ADDR")) == NULL)
@@ -1216,7 +1217,8 @@ cgi_set_sid(void) if ((server_port = getenv("SERVER_PORT")) == NULL) server_port = "SERVER_PORT"; - CUPS_SRAND(time(NULL)); + gettimeofday(&curtime, NULL); + CUPS_SRAND(curtime.tv_sec + curtime.tv_usec); snprintf(buffer, sizeof(buffer), "%s:%s:%s:%02X%02X%02X%02X%02X%02X%02X%02X", remote_addr, server_name, server_port, (unsigned)CUPS_RAND() & 255, (unsigned)CUPS_RAND() & 255,

==================================================
Proposed embargo date, CVE, and credit information:
==================================================

Please use CVE-2018-4700 for this issue and reference the credit as "Jann Horn of Google Project Zero".

Since this issue does not affect macOS, Apple will not be publishing a security advisory for this issue.

This issue should remain embargoed until Friday, December 7th, 2018. If there are any problems with this date, please let us know.

==================================================

Best regards,
Deven
Apple Product Security

Attachment cups-session-id.patch:

diff --git a/cgi-bin/var.c b/cgi-bin/var.c index 649b65ba..579f23ba 100644 --- a/cgi-bin/var.c +++ b/cgi-bin/var.c @@ -1207,6 +1207,7 @@ cgi_set_sid(void) const char *remote_addr, /* REMOTE_ADDR */ *server_name, /* SERVER_NAME */ *server_port; /* SERVER_PORT */ + struct timeval curtime; /* Current time */ if ((remote_addr = getenv("REMOTE_ADDR")) == NULL) @@ -1216,7 +1217,8 @@ cgi_set_sid(void) if ((server_port = getenv("SERVER_PORT")) == NULL) server_port = "SERVER_PORT"; - CUPS_SRAND(time(NULL)); + gettimeofday(&curtime, NULL); + CUPS_SRAND(curtime.tv_sec + curtime.tv_usec); snprintf(buffer, sizeof(buffer), "%s:%s:%s:%02X%02X%02X%02X%02X%02X%02X%02X", remote_addr, server_name, server_port, (unsigned)CUPS_RAND() & 255, (unsigned)CUPS_RAND() & 255,
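Review bot: the first hunk adds `struct timeval curtime;` and the second calls `gettimeofday()`, both of which need `<sys/time.h>`, but neither hunk adds an include to cgi-bin/var.c; confirm that header is already reached through an existing include on every platform CUPS builds for, otherwise the change fails to compile (or compiles against an implicit declaration) where it is not.

Review bot: in the second hunk, `CUPS_SRAND(curtime.tv_sec + curtime.tv_usec)` still seeds a non-cryptographic generator (random(), lrand48() or rand(), per the macro definitions quoted in the report) from the wall clock, so the session id stays a deterministic function of a roughly microsecond-granular timestamp rather than an unpredictable value; the sum also folds the two fields together, so distinct timestamps can map to the same seed, and it is truncated to the generator's seed type. Consider drawing the id material from the platform CSPRNG instead (arc4random() where HAVE_ARC4RANDOM is set, otherwise getrandom() or /dev/urandom) and treating the time-based seed as a fallback only.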
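The contrast between the time-seeded construction quoted in the report and a CSPRNG-backed one, as an added example that is neither CUPS code nor part of the original disclosure: `weak_sid()` mirrors cgi_set_sid() with CUPS_SRAND()/CUPS_RAND() expanded to the HAVE_RANDOM definitions (srandom()/random()), but takes the seed second as a parameter so the repeatability is visible without racing the clock, and omits the original's MD5/hex step because a deterministic hash of the same buffer cannot add unpredictability; `strong_sid()` is the hardened form drawing 16 bytes from /dev/urandom. The function names, the sample address/host/port values and the choice of /dev/urandom are this example's own assumptions.

```c
#define _DEFAULT_SOURCE   /* for srandom()/random() declarations on glibc */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define SID_LEN 80        /* assumed buffer size, enough for either form */

/* Weak form, modelled on cgi_set_sid() with the HAVE_RANDOM macros expanded.
 * The seed is the caller-supplied wall-clock second, so every call with the
 * same (remote_addr, server_name, server_port, second) yields the same id.
 * The original's MD5 + hex step is omitted: it is deterministic, so equal
 * buffers give equal cookies regardless. */
void weak_sid(const char *remote_addr, const char *server_name,
              const char *server_port, time_t seed_second,
              char *out, size_t outlen)
{
    unsigned char r[8];

    srandom((unsigned int)seed_second);       /* CUPS_SRAND(time(NULL)) */
    for (int i = 0; i < 8; i++)
        r[i] = (unsigned char)(random() & 255); /* (unsigned)CUPS_RAND() & 255 */

    snprintf(out, outlen, "%s:%s:%s:%02X%02X%02X%02X%02X%02X%02X%02X",
             remote_addr, server_name, server_port,
             r[0], r[1], r[2], r[3], r[4], r[5], r[6], r[7]);
}

/* Hardened form: 16 bytes from the kernel CSPRNG, hex-encoded (32 chars).
 * Returns 0 on success, -1 if the bytes could not be obtained or the buffer
 * is too small. */
int strong_sid(char *out, size_t outlen)
{
    unsigned char r[16];
    FILE *f;
    size_t n;

    if (outlen < 2 * sizeof r + 1)
        return -1;
    f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return -1;
    n = fread(r, 1, sizeof r, f);
    fclose(f);
    if (n != sizeof r)
        return -1;
    for (size_t i = 0; i < sizeof r; i++)
        snprintf(out + 2 * i, 3, "%02x", (unsigned)r[i]);
    return 0;
}

/* Returns 1 when two weak ids generated for the same second are identical,
 * 0 otherwise. The sample CGI values are constructed for this example. */
int weak_sids_collide(time_t seed_second)
{
    char a[SID_LEN], b[SID_LEN];

    weak_sid("10.0.0.5", "printserver", "631", seed_second, a, sizeof a);
    weak_sid("10.0.0.5", "printserver", "631", seed_second, b, sizeof b);
    return strcmp(a, b) == 0;
}

int main(void)
{
    char a[SID_LEN], b[SID_LEN];
    time_t now = time(NULL);  /* two "requests" landing in the same second */

    printf("weak ids for the same second collide: %d\n", weak_sids_collide(now));
    if (strong_sid(a, sizeof a) == 0 && strong_sid(b, sizeof b) == 0)
        printf("strong ids differ:\n  %s\n  %s\n", a, b);
    return 0;
}
```

Passing the second in explicitly is what makes the weakness checkable in a test: with the real `time(NULL)` the two calls only collide when they happen to land in the same second, which is exactly the property that made the cookie guessable. Note that `strong_sid()` reports failure instead of falling back to a time-based seed; a silent fallback would reintroduce the original problem on a misconfigured system.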
We need to check which version of random is used in our products/codestreams.
SLE12 and SLE15 build chroot - config.h:

/*
 * Which random number generator function to use...
 */

/* #undef HAVE_ARC4RANDOM */
#define HAVE_RANDOM 1
#define HAVE_LRAND48 1

Meaning that SLE12 and SLE15 are probably affected.
SLE-10-SP3 and SLE-11 seem to be not affected.
Is public: https://github.com/apple/cups/commit/b9ff93ce913ff633a3f667317e5a81fa7fe0d5d3
https://github.com/apple/cups/releases/tag/v2.3b6
SUSE-SU-2018:4059-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1115750
CVE References: CVE-2018-4700
Sources used:
SUSE Linux Enterprise Module for Development Tools 15 (src): cups-2.2.7-3.6.1
SUSE Linux Enterprise Module for Desktop Applications 15 (src): cups-2.2.7-3.6.1
SUSE Linux Enterprise Module for Basesystem 15 (src): cups-2.2.7-3.6.1

SUSE-SU-2018:4089-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1115750
CVE References: CVE-2018-4700
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src): cups-1.7.5-20.20.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src): cups-1.7.5-20.20.1
SUSE Linux Enterprise Server 12-SP4 (src): cups-1.7.5-20.20.1
SUSE Linux Enterprise Server 12-SP3 (src): cups-1.7.5-20.20.1
SUSE Linux Enterprise Desktop 12-SP4 (src): cups-1.7.5-20.20.1
SUSE Linux Enterprise Desktop 12-SP3 (src): cups-1.7.5-20.20.1

openSUSE-SU-2018:4105-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1115750
CVE References: CVE-2018-4700
Sources used:
openSUSE Leap 15.0 (src): cups-2.2.7-lp150.2.6.1

openSUSE-SU-2018:4141-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1115750
CVE References: CVE-2018-4700
Sources used:
openSUSE Leap 42.3 (src): cups-1.7.5-12.9.1
This was released