CVE-2014-2707
published 2014-04-17
CVE-2014-2707: cups-browsed in cups-filters 1.0.41 before 1.0.51 allows remote IPP printers to execute arbitrary commands via shell metacharacters in the (1) model or (2)…
Priority P344 · high · 8.3 CVSS 2.0
AV:A/AC:L/Au:N/C:C/I:C/A:C
EPSS 1.17% · 63.6th percentile
cups-browsed in cups-filters 1.0.41 before 1.0.51 allows remote IPP printers to execute arbitrary commands via shell metacharacters in the (1) model or (2) PDL, related to "System V interface scripts generated for queues."
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| debian | cups-filters | < cups-filters 1.0.53-1 (bookworm) | cups-filters 1.0.53-1 (bookworm) |
| debian | cups-filters | < cups-filters 1.0.51-1 (bookworm) | cups-filters 1.0.51-1 (bookworm) |
| debian | cups-filters | < cups-filters 1.0.61-5 (bookworm) | cups-filters 1.0.61-5 (bookworm) |
| linuxfoundation | cups-filters | <= 1.0.65 | — |
| linuxfoundation | cups-filters | <= 1.0.52 | — |
| linuxfoundation | cups-filters | — | — |
| linuxfoundation | cups-filters | >= 0 < 1.0.61-5 | 1.0.61-5 |
| linuxfoundation | cups-filters | >= 0 < 1.0.51-1 | 1.0.51-1 |
| linuxfoundation | cups-filters | >= 0 < 1.0.53-1 | 1.0.53-1 |
CVSS provenance
nvd · v2.0 · 8.3 HIGH · AV:A/AC:L/Au:N/C:C/I:C/A:C
osv · 8.3 HIGH
vendor_debian · 8.3 HIGH
vendor_redhat · 8.3 HIGH
vendor_ubuntu · 8.3 HIGH
GHSA
GHSA-4f5g-64px-29pq: The remove_bad_chars function in utils/cups-browsed
ghsa_unreviewed·2022-05-17·CVSS 8.3
CVE-2015-2265 [HIGH] CWE-77 GHSA-4f5g-64px-29pq: The remove_bad_chars function in utils/cups-browsed
The remove_bad_chars function in utils/cups-browsed.c in cups-filters before 1.0.66 allows remote IPP printers to execute arbitrary commands via consecutive shell metacharacters in the (1) model or (2) PDL. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2707.
GHSA
GHSA-cc2p-9m5r-9hc8: cups-browsed in cups-filters 1
ghsa_unreviewed·2022-05-17
CVE-2014-2707 [HIGH] CWE-78 GHSA-cc2p-9m5r-9hc8: cups-browsed in cups-filters 1
cups-browsed in cups-filters 1.0.41 before 1.0.51 allows remote IPP printers to execute arbitrary commands via shell metacharacters in the (1) model or (2) PDL, related to "System V interface scripts generated for queues."
GHSA
GHSA-w4jh-3cpq-48pp: The generate_local_queue function in utils/cups-browsed
ghsa_unreviewed·2022-05-14·CVSS 8.3
CVE-2014-4336 [HIGH] CWE-77 GHSA-w4jh-3cpq-48pp: The generate_local_queue function in utils/cups-browsed
The generate_local_queue function in utils/cups-browsed.c in cups-browsed in cups-filters before 1.0.53 allows remote IPP printers to execute arbitrary commands via shell metacharacters in the host name. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2707.
OSV
CVE-2015-2265: The remove_bad_chars function in utils/cups-browsed
osv·2015-03-24·CVSS 8.3
CVE-2015-2265 [HIGH] CVE-2015-2265: The remove_bad_chars function in utils/cups-browsed
The remove_bad_chars function in utils/cups-browsed.c in cups-filters before 1.0.66 allows remote IPP printers to execute arbitrary commands via consecutive shell metacharacters in the (1) model or (2) PDL. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2707.
OSV
CVE-2014-4336: The generate_local_queue function in utils/cups-browsed
osv·2014-06-22·CVSS 8.3
CVE-2014-4336 [HIGH] CVE-2014-4336: The generate_local_queue function in utils/cups-browsed
The generate_local_queue function in utils/cups-browsed.c in cups-browsed in cups-filters before 1.0.53 allows remote IPP printers to execute arbitrary commands via shell metacharacters in the host name. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2707.
OSV
cups-filters vulnerability
osv·2014-05-08·CVSS 8.3
CVE-2014-2707 [HIGH] cups-filters vulnerability
Sebastian Krahmer discovered that cups-browsed incorrectly filtered remote
printer names and strings. A remote attacker could use this issue to
possibly execute arbitrary commands. (CVE-2014-2707)
Johannes Meixner discovered that cups-browsed ignored invalid BrowseAllow
directives. This could cause it to accept browse packets from all hosts,
contrary to intended configuration.
OSV
CVE-2014-2707: cups-browsed in cups-filters 1
osv·2014-04-17·CVSS 8.3
CVE-2014-2707 [HIGH] CVE-2014-2707: cups-browsed in cups-filters 1
cups-browsed in cups-filters 1.0.41 before 1.0.51 allows remote IPP printers to execute arbitrary commands via shell metacharacters in the (1) model or (2) PDL, related to "System V interface scripts generated for queues."
Red Hat
cups-filters: remote command execution in remove_bad_chars() (incomplete fix for CVE-2014-2707)
vendor_redhat·2015-02-26·CVSS 8.3
CVE-2015-2265 [HIGH] CWE-78 cups-filters: remote command execution in remove_bad_chars() (incomplete fix for CVE-2014-2707)
The remove_bad_chars function in utils/cups-browsed.c in cups-filters before 1.0.66 allows remote IPP printers to execute arbitrary commands via consecutive shell metacharacters in the (1) model or (2) PDL. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2707.
Statement: Not vulnerable. This issue did not affect the versions of cups-filters as shipped with Red Hat Enterprise Linux 7.
Package: cups-filters (Red Hat Enterprise Linux 7) - Not affected
Debian
CVE-2015-2265: cups-filters - The remove_bad_chars function in utils/cups-browsed.c in cups-filters before 1.0...
vendor_debian·2015·CVSS 8.3
CVE-2015-2265 [HIGH] CVE-2015-2265: cups-filters - The remove_bad_chars function in utils/cups-browsed.c in cups-filters before 1.0...
The remove_bad_chars function in utils/cups-browsed.c in cups-filters before 1.0.66 allows remote IPP printers to execute arbitrary commands via consecutive shell metacharacters in the (1) model or (2) PDL. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2707.
Scope: local
bookworm: resolved (fixed in 1.0.61-5)
bullseye: resolved (fixed in 1.0.61-5)
forky: resolved (fixed in 1.0.61-5)
sid: resolved (fixed in 1.0.61-5)
trixie: resolved (fixed in 1.0.61-5)
Ubuntu
cups-filters vulnerability
vendor_ubuntu·2014-05-08·CVSS 8.3
CVE-2014-2707 [HIGH] cups-filters vulnerability
Title: cups-filters vulnerability
Summary: Several security issues were fixed in cups-filters.
Sebastian Krahmer discovered that cups-browsed incorrectly filtered remote
printer names and strings. A remote attacker could use this issue to
possibly execute arbitrary commands. (CVE-2014-2707)
Johannes Meixner discovered that cups-browsed ignored invalid BrowseAllow
directives. This could cause it to accept browse packets from all hosts,
contrary to intended configuration.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
cups-filters: incomplete fix for CVE-2014-2707
vendor_redhat·2014-04-23·CVSS 8.3
CVE-2014-4336 [HIGH] cups-filters: incomplete fix for CVE-2014-2707
The generate_local_queue function in utils/cups-browsed.c in cups-browsed in cups-filters before 1.0.53 allows remote IPP printers to execute arbitrary commands via shell metacharacters in the host name. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2707.
Statement: Not vulnerable. This issue did not affect the versions of cups-filters as shipped with Red Hat Enterprise Linux 7.
Package: cups-filters (Red Hat Enterprise Linux 7) - Not affected
Red Hat
cups-filters: remote command injection in cups-browsed
vendor_redhat·2014-04-01·CVSS 8.3
CVE-2014-2707 [HIGH] cups-filters: remote command injection in cups-browsed
cups-browsed in cups-filters 1.0.41 before 1.0.51 allows remote IPP printers to execute arbitrary commands via shell metacharacters in the (1) model or (2) PDL, related to "System V interface scripts generated for queues."
Statement: Not vulnerable. This issue did not affect the versions of cups-filters as shipped with Red Hat Enterprise Linux 7.
Package: cups-filters (Red Hat Enterprise Linux 7) - Not affected
Debian
CVE-2014-4336: cups-filters - The generate_local_queue function in utils/cups-browsed.c in cups-browsed in cup...
vendor_debian·2014·CVSS 8.3
CVE-2014-4336 [HIGH] CVE-2014-4336: cups-filters - The generate_local_queue function in utils/cups-browsed.c in cups-browsed in cup...
The generate_local_queue function in utils/cups-browsed.c in cups-browsed in cups-filters before 1.0.53 allows remote IPP printers to execute arbitrary commands via shell metacharacters in the host name. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2707.
Scope: local
bookworm: resolved (fixed in 1.0.53-1)
bullseye: resolved (fixed in 1.0.53-1)
forky: resolved (fixed in 1.0.53-1)
sid: resolved (fixed in 1.0.53-1)
trixie: resolved (fixed in 1.0.53-1)
Debian
CVE-2014-2707: cups-filters - cups-browsed in cups-filters 1.0.41 before 1.0.51 allows remote IPP printers to ...
vendor_debian·2014·CVSS 8.3
CVE-2014-2707 [HIGH] CVE-2014-2707: cups-filters - cups-browsed in cups-filters 1.0.41 before 1.0.51 allows remote IPP printers to ...
cups-browsed in cups-filters 1.0.41 before 1.0.51 allows remote IPP printers to execute arbitrary commands via shell metacharacters in the (1) model or (2) PDL, related to "System V interface scripts generated for queues."
Scope: local
bookworm: resolved (fixed in 1.0.51-1)
bullseye: resolved (fixed in 1.0.51-1)
forky: resolved (fixed in 1.0.51-1)
sid: resolved (fixed in 1.0.51-1)
trixie: resolved (fixed in 1.0.51-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2015-2265 cups-filters: remote command execution in remove_bad_chars() (incomplete fix for CVE-2014-2707)
bugzilla·2015-03-05·CVSS 8.3
CVE-2015-2265 [HIGH] CVE-2015-2265 cups-filters: remote command execution in remove_bad_chars() (incomplete fix for CVE-2014-2707)
It was reported [1] that cups-browsed fails to properly sanitise data from the network when creating IPP printer scripts.
As a result, an attacker can remotely create a script containing arbitrary commands, which will be executed as the "lp" user when the associated printer is used.
This is the same vulnerability reported as CVE-2014-2707 but the existing fixes rely on a string sanitisation function remove_bad_chars() which is not effective.
Details:
The remove_bad_chars() function in utils/cups-browsed.c uses the "j" variable as the index of the character to replace in the string to be sanitised.
Consecutive bad characters cause "j" to be decremented, so can result in the bad
Bugzilla
cups-filters: remote command execution in remove_bad_chars() (incomplete fix for CVE-2014-2707) [fedora-all]
bugzilla·2015-03-05·CVSS 8.3
CVE-2014-2707 [HIGH] cups-filters: remote command execution in remove_bad_chars() (incomplete fix for CVE-2014-2707) [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects
Bugzilla
CVE-2014-4336 cups-filters: incomplete fix for CVE-2014-2707
bugzilla·2014-04-25·CVSS 8.3
CVE-2014-4336 [HIGH] CVE-2014-4336 cups-filters: incomplete fix for CVE-2014-2707
According to Sebastian Krahmer, the initial fix for CVE-2014-2707 (bug #1083326) is incomplete:
"
This issue was reported as fixed in 1.0.51:
http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7188
http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7189
but it was found that the fix was incomplete with the full fix in 1.0.53:
http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7194
"
The CVE-2014-2707 flaw is regarding the cups-browsed daemon being manipulated to execute arbitrary commands via malicious broadcast packets.
Discussion:
Created cups-filters tracking bugs for this issue:
Affects: fedora-all [bug 1091569]
---
cups-filters-1.0.53-1.fc
Bugzilla
CVE-2014-2707 cups-filters: remote command injection in cups-browsed
bugzilla·2014-04-02·CVSS 8.3
CVE-2014-2707 [HIGH] CVE-2014-2707 cups-filters: remote command injection in cups-browsed
cups-browsed is a daemon which browses the Bonjour broadcasts of shared, remote CUPS printers and makes the printers available locally. Sebastian Krahmer discovered it was possible to use malicious broadcast packets to execute arbitrary commands.
Original report: http://seclists.org/oss-sec/2014/q2/3
Discussion:
Created cups-filters tracking bugs for this issue:
Affects: fedora-all [bug 1083327]
---
cups-browsed is provided via the cups-filters package. The cups-filters package is not available in Red Hat Enterprise Linux 5 and 6.
---
I just examined each instance of '%s' in utils/cups-browsed.c and couldn't see this vulnerability anywhere in the source code.
I think the command injection is part of a feature that
http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7188#NEWS
http://lists.fedoraproject.org/pipermail/package-announce/2014-April/131485.html
http://seclists.org/oss-sec/2014/q2/13
http://secunia.com/advisories/57530
http://www.ubuntu.com/usn/USN-2210-1
https://bugzilla.redhat.com/show_bug.cgi?id=1083326
Published: 2014-04-17