ID

VAR-201912-0015


CVE

CVE-2012-6094


TITLE

cups Vulnerable to unauthorized authentication

Trust: 0.8

sources: JVNDB: JVNDB-2012-006524

DESCRIPTION

In cups (Common Unix Printing System), the 'Listen localhost:631' option is not honored correctly, which could provide unauthorized access to the system. CUPS is prone to an unauthorized-access vulnerability. Successful exploits may allow an attacker to gain unauthorized access to the affected application. This may aid in further attacks.

Apple CUPS is an open source printing system for OS X and Unix-like systems developed by Apple. The system is based on the Internet Printing Protocol (IPP) and provides most PostScript and raster printer services. The vulnerability stems from incorrect handling of the Listen localhost:631 option.

Mandriva Linux Security Advisory MDVSA-2013:034
http://www.mandriva.com/en/support/security/

Package : cups
Date : April 5, 2013
Affected: Business Server 1.0

Problem Description:

Updated cups packages fix bugs and security vulnerabilities:

During the process of CUPS socket activation code refactoring in favour of systemd capability a security flaw was found in the way CUPS service honoured Listen localhost:631 cupsd.conf configuration option. The setting was recognized properly for IPv4-enabled systems, but failed to be correctly applied for IPv6-enabled systems. The fix for now is to not enable IP-based systemd socket activation by default.

This update adds a patch to correct printing problems with some USB connected printers in cups 1.5.4.

Further, this update should correct possible printing problems with the following printers since the update to cups 1.5.4.

Canon, Inc. PIXMA iP4200
Canon, Inc. PIXMA iP4300
Canon, Inc. MP500
Canon, Inc. MP510
Canon, Inc. MP550
Canon, Inc. MP560
Brother Industries, Ltd, HL-1430 Laser Printer
Brother Industries, Ltd, HL-1440 Laser Printer
Oki Data Corp. Okipage 14ex Printer
Oki Data Corp. B410d
Xerox Phaser 3124
All Zebra devices

Additionally, patches have been added to fix printing from newer Apple devices and to correct an error in the %post script which prevented the cups service from starting when freshly installed.

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6094
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0004
https://wiki.mageia.org/en/Support/Advisories/MGAA-2012-0244

Updated Packages:

Mandriva Business Server 1/X86_64:
mbs1/x86_64/cups-1.5.4-1.1.mbs1.x86_64.rpm
mbs1/x86_64/cups-common-1.5.4-1.1.mbs1.x86_64.rpm
mbs1/x86_64/cups-serial-1.5.4-1.1.mbs1.x86_64.rpm
mbs1/x86_64/lib64cups2-1.5.4-1.1.mbs1.x86_64.rpm
mbs1/x86_64/lib64cups2-devel-1.5.4-1.1.mbs1.x86_64.rpm
mbs1/x86_64/php-cups-1.5.4-1.1.mbs1.x86_64.rpm
mbs1/SRPMS/cups-1.5.4-1.1.mbs1.src.rpm

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

    gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact security_(at)_mandriva.com

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com>

Trust: 2.16

sources: NVD: CVE-2012-6094 // JVNDB: JVNDB-2012-006524 // BID: 57158 // VULHUB: VHN-59375 // VULMON: CVE-2012-6094 // PACKETSTORM: 121094

AFFECTED PRODUCTS

vendor: debian, model: linux, scope: eq, version: 10.0

Trust: 1.0

vendor: debian, model: linux, scope: eq, version: 8.0

Trust: 1.0

vendor: apple, model: cups, scope: lt, version: 1.5.4-1.1

Trust: 1.0

vendor: debian, model: linux, scope: eq, version: 9.0

Trust: 1.0

vendor: debian, model: gnu/linux, scope: -, version: -

Trust: 0.8

vendor: apple, model: cups, scope: -, version: -

Trust: 0.8

vendor: mandriva, model: business server, scope: eq, version: 1x8664

Trust: 0.3

vendor: mandriva, model: business server, scope: eq, version: 1

Trust: 0.3

vendor: easy, model: software products cups, scope: eq, version: 0

Trust: 0.3

sources: BID: 57158 // JVNDB: JVNDB-2012-006524 // NVD: CVE-2012-6094

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2012-6094
value: CRITICAL

Trust: 1.0

NVD: CVE-2012-6094
value: CRITICAL

Trust: 0.8

CNNVD: CNNVD-201301-118
value: CRITICAL

Trust: 0.6

VULHUB: VHN-59375
value: MEDIUM

Trust: 0.1

VULMON: CVE-2012-6094
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2012-6094
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-59375
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2012-6094
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2012-6094
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-59375 // VULMON: CVE-2012-6094 // JVNDB: JVNDB-2012-006524 // CNNVD: CNNVD-201301-118 // NVD: CVE-2012-6094

PROBLEMTYPE DATA

problemtype:CWE-863

Trust: 1.9

sources: VULHUB: VHN-59375 // JVNDB: JVNDB-2012-006524 // NVD: CVE-2012-6094

THREAT TYPE

remote

Trust: 0.7

sources: PACKETSTORM: 121094 // CNNVD: CNNVD-201301-118

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-201301-118

CONFIGURATIONS

sources: JVNDB: JVNDB-2012-006524

PATCH

title: Top Page, url: https://www.apple.com/

Trust: 0.8

title: CVE-2012-6094, url: https://security-tracker.debian.org/tracker/CVE-2012-6094

Trust: 0.8

sources: JVNDB: JVNDB-2012-006524

EXTERNAL IDS

db: NVD, id: CVE-2012-6094

Trust: 3.0

db: BID, id: 57158

Trust: 2.9

db: OPENWALL, id: OSS-SECURITY/2013/01/04/5

Trust: 1.8

db: JVNDB, id: JVNDB-2012-006524

Trust: 0.8

db: CNNVD, id: CNNVD-201301-118

Trust: 0.7

db: OPENWALL, id: OSS-SECURITY/2013/01/04/1

Trust: 0.3

db: PACKETSTORM, id: 121094

Trust: 0.2

db: VULHUB, id: VHN-59375

Trust: 0.1

db: VULMON, id: CVE-2012-6094

Trust: 0.1

sources: VULHUB: VHN-59375 // VULMON: CVE-2012-6094 // BID: 57158 // JVNDB: JVNDB-2012-006524 // PACKETSTORM: 121094 // CNNVD: CNNVD-201301-118 // NVD: CVE-2012-6094

REFERENCES

url:http://www.securityfocus.com/bid/57158

Trust: 2.7

url:https://access.redhat.com/security/cve/cve-2012-6094

Trust: 1.8

url:http://www.openwall.com/lists/oss-security/2013/01/04/5

Trust: 1.8

url:https://bugzilla.redhat.com/show_bug.cgi?id=cve-2012-6094

Trust: 1.8

url:https://bugzilla.suse.com/show_bug.cgi?id=cve-2012-6094

Trust: 1.8

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/82451

Trust: 1.8

url:https://security-tracker.debian.org/tracker/cve-2012-6094

Trust: 1.8

url:https://nvd.nist.gov/vuln/detail/cve-2012-6094

Trust: 1.5

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2012-6094

Trust: 0.9

url:https://bugzilla.redhat.com/show_bug.cgi?id=891942

Trust: 0.3

url:http://www.openwall.com/lists/oss-security/2013/01/04/1

Trust: 0.3

url:http://seclists.org/oss-sec/2013/q1/16

Trust: 0.3

url:https://cwe.mitre.org/data/definitions/863.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://wiki.mageia.org/en/support/advisories/mgasa-2013-0004

Trust: 0.1

url:http://www.mandriva.com/en/support/security/

Trust: 0.1

url:http://www.mandriva.com/en/support/security/advisories/

Trust: 0.1

url:https://wiki.mageia.org/en/support/advisories/mgaa-2012-0244

Trust: 0.1

sources: VULHUB: VHN-59375 // VULMON: CVE-2012-6094 // BID: 57158 // JVNDB: JVNDB-2012-006524 // PACKETSTORM: 121094 // CNNVD: CNNVD-201301-118 // NVD: CVE-2012-6094

CREDITS

Bernhard Wiedemann

Trust: 0.9

sources: BID: 57158 // CNNVD: CNNVD-201301-118

SOURCES

db: VULHUB, id: VHN-59375
db: VULMON, id: CVE-2012-6094
db: BID, id: 57158
db: JVNDB, id: JVNDB-2012-006524
db: PACKETSTORM, id: 121094
db: CNNVD, id: CNNVD-201301-118
db: NVD, id: CVE-2012-6094

LAST UPDATE DATE

2024-08-14T14:56:36.905000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-59375, date: 2020-01-09T00:00:00
db: VULMON, id: CVE-2012-6094, date: 2020-11-16T00:00:00
db: BID, id: 57158, date: 2015-04-13T22:11:00
db: JVNDB, id: JVNDB-2012-006524, date: 2020-01-22T00:00:00
db: CNNVD, id: CNNVD-201301-118, date: 2020-01-17T00:00:00
db: NVD, id: CVE-2012-6094, date: 2020-11-16T20:46:04.037

SOURCES RELEASE DATE

db: VULHUB, id: VHN-59375, date: 2019-12-20T00:00:00
db: VULMON, id: CVE-2012-6094, date: 2019-12-20T00:00:00
db: BID, id: 57158, date: 2012-12-21T00:00:00
db: JVNDB, id: JVNDB-2012-006524, date: 2020-01-22T00:00:00
db: PACKETSTORM, id: 121094, date: 2013-04-05T21:13:16
db: CNNVD, id: CNNVD-201301-118, date: 2012-12-21T00:00:00
db: NVD, id: CVE-2012-6094, date: 2019-12-20T15:15:11.420