Ce mail provient de l'extérieur, restons vigilants ===================================================================== CERT-Renater Note d'Information No. 2025/VULN604 _____________________________________________________________________ DATE : 12/09/2025 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running cups versions up to and including 2.4.13. ===================================================================== https://github.com/OpenPrinting/cups/security/advisories/GHSA-4c68-qgrh-rmmq https://github.com/OpenPrinting/cups/security/advisories/GHSA-7qx3-r744-6qv4 _____________________________________________________________________ CVE-2025-58060 cups: Authentication bypass with AuthType Negotiate High zdohnal published GHSA-4c68-qgrh-rmmq Sep 11, 2025 Package cups Affected versions <2.4.13 Patched versions None Description Summary When the AuthType is set to anything but Basic, if the request contains an Authorization: Basic ... header, the password is not checked. Details When the Authorization header is set to Basic, but in scheduler/auth.c cupsdAuthorize type is not CUPSD_AUTH_BASIC, the step with checking the password is skipped. PoC Configure CUPS with DefaultAuthType Negotiate. Start CUPS Send a request to CUPS with Authorization: Basic $(echo -n admin:x | base64), where admin is an administrator username and x is literally the string x. Impact Authentication bypass. Any configuration that allows an AuthType that is not Basic is affected. Severity High 8.0/ 10 CVSS v3 base metrics Attack vector Local Attack complexity Low Privileges required None User interaction None Scope Unchanged Confidentiality Low Integrity High Availability High CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H CVE ID CVE-2025-58060 Weaknesses No CWEs Credits @hvenev-insait hvenev-insait Reporter _____________________________________________________________________ CVE-2025-58364 cups: Remote DoS via null dereference Moderate zdohnal published GHSA-7qx3-r744-6qv4 Sep 11, 2025 Package cups (cups) Affected versions <2.4.12 Patched versions None Description Summary An unsafe deserialization and validation of printer attributes, causes null dereference in libcups library Details The combination of: request = ippNewRequest(IPP_OP_GET_PRINTER_ATTRIBUTES) response = cupsDoRequest(http_xyz, request, resource); ippValidateAttributes(response) Is shown in two places in OpenPrinting: cups/scheduler/ipp.c libcupsfilters/cupsfilters/ipp.c Due to a logic error in ipp_read_io() which is called internally by cupsDoRequest(), ippValidateAttributes() has a null dereference. The null dereference happens in these lines for (ptr = attr->values[i].string.text; *ptr; ptr ++) This can happen if an attacker responds with a crafted printer attributes response. PoC Have two machines on the same network. attacker_machine and target_machine. I used both Ubuntu 24.04.2 LTS Download and unzip attached zip on the attacker_machine poc.zip On the target_machine, ensure cups and cups-browsed are running. On my target_machine I had both: $ cups-browsed --version cups-browsed version 2.0.0 $ cups-config --version 2.4.7 And self built instances of versions: cups-2.4.12 cups-browsed-2.1.1 libcupsfilters-2.1.1 libppd-2.1.1 The bug reproduced on both. 4. On attacker_machine stop cups service 5. On attacker machine install the needed python module specified in requirements.txt 6. On attacker machine run python printer.py {path to response file} {local ip} 7. Ensure that cups-browsed crashed on target_machine. Another POC: If you want to reproduce it locally, and to debug it easier, you can use : local_poc.zip Compile this binary that uses the flow of ipp_read_io() & ippValidateAttributes() to reproduce the bug. Impact This is a remote DoS vulnerability available in local subnet in default configurations. It can cause the cups & cups-browsed to crash, on all the machines in local network who are listening for printers (so by default for all regular linux machines). On systems where the vulnerability CVE-2024-47176 (cups-filters 1.x/cups-browsed 2.x vulnerability) was not fixed, and the firewall on the machine does not reject incoming communication to IPP port, and the machine is set to be available to public internet, attack vector "Network" is possible. The current versions of CUPS and cups-browsed projects have the attack vector "Adjacent" in their default configurations. Severity Moderate 6.5/ 10 CVSS v3 base metrics Attack vector Adjacent Attack complexity Low Privileges required None User interaction None Scope Unchanged Confidentiality None Integrity None Availability High CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE ID CVE-2025-58364 Weaknesses Weakness CWE-20 Weakness CWE-476 Credits @SilverPlate3 SilverPlate3 Reporter ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =========================================================