Bug 1081557 (CVE-2017-18190)

Summary: VUL-0: CVE-2017-18190: cups: The 'localhost.localdomain' whitelist entry in CUPS before 2.2.2 allows remote attackers to access the local cupsd on 127.0.0.1 via DNS rebinding attack.
Product: [Novell Products] SUSE Security Incidents
Reporter: Karol Babioch <karol>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: astieger, jsmeix, meissner, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: All
OS: SLES 12
URL: https://smash.suse.de/issue/200339/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Karol Babioch 2018-02-19 13:16:14 UTC
CVE-2017-18190

A localhost.localdomain whitelist entry in valid_host() in scheduler/client.c in
CUPS before 2.2.2 allows remote attackers to execute arbitrary IPP commands by
sending POST requests to the CUPS daemon in conjunction with DNS rebinding. The
localhost.localdomain name is often resolved via a DNS server (neither the OS
nor the web browser is responsible for ensuring that localhost.localdomain is
127.0.0.1).

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1546395
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-18190
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18190.html
https://bugs.chromium.org/p/project-zero/issues/detail?id=1048
https://github.com/apple/cups/commit/afa80cb2b457bf8d64f775bed307588610476c41
Comment 1 Karol Babioch 2018-02-19 13:17:14 UTC
Affected:

- SUSE:SLE-12:Update

Not affected:

- SUSE:SLE-10-SP3:Update
- SUSE:SLE-11:Update

Upstream fix: https://github.com/apple/cups/commit/afa80cb2b457bf8d64f775bed307588610476c41
Comment 2 Karol Babioch 2018-02-19 13:25:31 UTC
https://build.suse.de/request/show/155229
Comment 3 Johannes Meixner 2018-02-20 08:57:26 UTC
Mainly for the sake of completeness:
I checked /etc/hosts on my SLE12 (and also SLE11) system and
there we do not have an entry for 'localhost.localdomain'
(we only have entries for 'localhost') so that on SLE
'localhost.localdomain' is resolved via a DNS server.
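
The /etc/hosts check described in Comment 3, as an added example (not part of the bug report and not CUPS or SUSE code): it reports whether a name is pinned to a loopback address in a hosts file or is left to later resolver sources. The sample hosts files are constructed, the function names are hypothetical, and the "dns" result assumes no other local NSS module answers for the name before DNS is queried.

```python
import ipaddress

# Constructed sample hosts files (not taken from any real system).
HOSTS_LOCALHOST_ONLY = """\
# constructed sample: only 'localhost' is pinned
127.0.0.1   localhost
::1         localhost ipv6-localhost ipv6-loopback
"""

HOSTS_PINNED = """\
# constructed sample: 'localhost.localdomain' pinned to loopback
127.0.0.1   localhost.localdomain localhost   # trailing comment
::1         localhost
"""

HOSTS_WRONG = "192.0.2.10  localhost.localdomain\n"


def hosts_entries(text, name):
    """Return the addresses a hosts-file text assigns to `name`."""
    wanted = name.rstrip(".").lower()  # names are case-insensitive
    found = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0].split("%", 1)[0])
        except ValueError:
            continue  # malformed address field, skip the line
        if wanted in (alias.rstrip(".").lower() for alias in fields[1:]):
            found.append(addr)
    return found


def classify(text, name="localhost.localdomain"):
    """'dns': no local entry; 'loopback': pinned locally; else 'non-loopback'."""
    addrs = hosts_entries(text, name)
    if not addrs:
        return "dns"
    return "loopback" if all(a.is_loopback for a in addrs) else "non-loopback"


if __name__ == "__main__":
    with open("/etc/hosts", encoding="utf-8", errors="replace") as fh:
        print("localhost.localdomain:", classify(fh.read()))
```

A "dns" result on a host running a CUPS version before 2.2.2 matches the situation Comment 3 describes, where the whitelisted name is resolved via a DNS server.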
Comment 4 Swamp Workflow Management 2018-03-05 14:12:08 UTC
SUSE-SU-2018:0604-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1081557
CVE References: CVE-2017-18190
Sources used:
SUSE OpenStack Cloud 6 (src):    cups-1.7.5-20.3.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    cups-1.7.5-20.3.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    cups-1.7.5-20.3.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    cups-1.7.5-20.3.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    cups-1.7.5-20.3.1
SUSE Linux Enterprise Server 12-SP3 (src):    cups-1.7.5-20.3.1
SUSE Linux Enterprise Server 12-SP2 (src):    cups-1.7.5-20.3.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    cups-1.7.5-20.3.1
SUSE Linux Enterprise Server 12-LTSS (src):    cups-1.7.5-20.3.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    cups-1.7.5-20.3.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    cups-1.7.5-20.3.1
Comment 5 Andreas Stieger 2018-03-06 19:21:23 UTC
showing as done here
Comment 6 Swamp Workflow Management 2018-03-06 23:11:40 UTC
openSUSE-SU-2018:0618-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1081557
CVE References: CVE-2017-18190
Sources used:
openSUSE Leap 42.3 (src):    cups-1.7.5-12.3.1