Bug 1096408 - (CVE-2018-4183) VUL-0: CVE-2018-4183: cups: cups-exec Sandbox Bypass Due to Profile Misconfiguration
(CVE-2018-4183)
VUL-0: CVE-2018-4183: cups: cups-exec Sandbox Bypass Due to Profile Misconfig...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Johannes Meixner
Security Team bot
https://smash.suse.de/issue/207579/
CVSSv3:SUSE:CVE-2018-4183:6.7:(AV:L/A...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2018-06-07 08:07 UTC by Andreas Stieger
Modified: 2020-06-15 17:31 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 14 Swamp Workflow Management 2018-07-27 12:51:58 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2018-08-10.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/64094
Comment 17 Tony Yuan 2018-07-31 13:15:53 UTC
Could some tell how to allow a normal user to do printer admin tasks on sle15?

I tried method in #c12 and #c16. Both didn't work for me.
Comment 18 Johannes Meixner 2018-08-01 08:58:51 UTC
I do it as described in the section
"Allow printer admin tasks for a normal user" in
https://en.opensuse.org/SDB:CUPS_in_a_Nutshell

Excerpts of what I did as root
(the long '<Limit ...>' line is shown wrapped here):
-----------------------------------------------------------------------------
# systemctl stop cups.service

# vi /etc/cups/cupsd.conf

# diff -u /etc/cups/cupsd.conf.default /etc/cups/cupsd.conf
...
   # All administration operations require an administrator to authenticate...
   <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices>
     AuthType Default
-    Require user @SYSTEM
+    Require user @SYSTEM johannes
     Order deny,allow
   </Limit>

# systemctl start cups.service
-----------------------------------------------------------------------------
and afterwards as normal user 'johannes'
I can add/modify/delete a print queue:
-----------------------------------------------------------------------------
$ /usr/sbin/lpadmin -p testy -v file:/dev/null -E
Password for johannes on localhost?  ********

$ lpstat -p
printer testy is idle.  enabled since Wed 01 Aug 2018 10:48:52 AM CEST

$ /usr/sbin/lpadmin -p testy -P /usr/share/cups/model/Postscript.ppd.gz 
Password for johannes on localhost?  ********

$ lpstat -l -p testy | grep Interface
        Interface: /etc/cups/ppd/testy.ppd

$ /usr/sbin/lpadmin -x testy
Password for johannes on localhost?  ********

$ lpstat -p testy
lpstat: Invalid destination name in list "testy".
-----------------------------------------------------------------------------
Comment 19 Swamp Workflow Management 2018-08-01 16:12:05 UTC
SUSE-SU-2018:2162-1: An update that solves 5 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1050082,1061066,1087018,1096405,1096406,1096407,1096408
CVE References: CVE-2017-18248,CVE-2018-4180,CVE-2018-4181,CVE-2018-4182,CVE-2018-4183
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    cups-1.7.5-20.14.1
SUSE Linux Enterprise Server 12-SP3 (src):    cups-1.7.5-20.14.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    cups-1.7.5-20.14.1
Comment 20 Tony Yuan 2018-08-02 07:06:39 UTC
(In reply to Johannes Meixner from comment #18)
Thank you, Johannes

Do you know how to prevent it from asking password on sle15? It doesn't ask by default on sles12sp3.
Comment 21 Tony Yuan 2018-08-02 10:16:45 UTC
Hi Johannes,

It's cups-1.3.9-8.46.56.1 on sle11sp4. There is no dnssd backend. SetEnv does not seem to work either. The test case failed. Is SetEnv supported for cups-1.3.9?
Comment 22 Swamp Workflow Management 2018-08-02 16:09:17 UTC
SUSE-SU-2018:2172-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1096405,1096406,1096407,1096408
CVE References: CVE-2018-4180,CVE-2018-4181,CVE-2018-4182,CVE-2018-4183
Sources used:
SUSE Linux Enterprise Module for Development Tools 15 (src):    cups-2.2.7-3.3.1
SUSE Linux Enterprise Module for Desktop Applications 15 (src):    cups-2.2.7-3.3.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    cups-2.2.7-3.3.1
Comment 23 Johannes Meixner 2018-08-03 12:54:30 UTC
Tony Yuan,

regarding comment#20

I have basically no experience with all that kind of
"let normal users do what usually root should do"
set up things in CUPS so that I cannot provide you
authoritative answers, nevertheless:

I expect authentication dialogs because one contacts
the cupsd via IPP network protocol so that normally
the cupsd cannot know who the user is on the client
which is why the cupsd needs an authentication dialog.
The local user 'root' is special and does not get an
authentication dialogs because the local user 'root'
get automatically authenticated via the 'Local' method
by the /var/run/cups/certs/0 certificate that cupsd
creates anew each time it starts (at least on SLES15).

Regarding comment #21

On my SLES11 system with CUPS 1.3.9 "man cupsd.conf" shows
-------------------------------------------------------------
SetEnv variable value
  Set the specified environment variable
  to be passed to child processes.
-------------------------------------------------------------
which indicates SetEnv should be supported for CUPS 1.3.9
but I had never used or tested it before - I guess it is
https://github.com/apple/cups/issues/3664
Comment 24 Swamp Workflow Management 2018-08-07 16:08:18 UTC
SUSE-SU-2018:2233-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1096405,1096406,1096407,1096408
CVE References: CVE-2018-4180,CVE-2018-4181,CVE-2018-4182,CVE-2018-4183
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    cups-1.3.9-8.46.56.3.1
SUSE Linux Enterprise Server 11-SP4 (src):    cups-1.3.9-8.46.56.3.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    cups-1.3.9-8.46.56.3.1
Comment 25 Swamp Workflow Management 2018-08-07 19:09:49 UTC
openSUSE-SU-2018:2239-1: An update that solves 5 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1050082,1061066,1087018,1096405,1096406,1096407,1096408
CVE References: CVE-2017-18248,CVE-2018-4180,CVE-2018-4181,CVE-2018-4182,CVE-2018-4183
Sources used:
openSUSE Leap 42.3 (src):    cups-1.7.5-12.6.1
Comment 26 Swamp Workflow Management 2018-08-10 01:13:32 UTC
openSUSE-SU-2018:2292-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1096405,1096406,1096407,1096408
CVE References: CVE-2018-4180,CVE-2018-4181,CVE-2018-4182,CVE-2018-4183
Sources used:
openSUSE Leap 15.0 (src):    cups-2.2.7-lp150.2.3.1
Comment 27 Johannes Meixner 2019-07-01 16:03:13 UTC
.