MNDT-2022-0026
Description
Apple CUPS 2 (the pervasive printing software used by macOS and most Linux distributions) contains a local privilege escalation vulnerability prior to version 499.4.
Impact
High - Exploiting the vulnerability will give a local unprivileged attacker root level privileges.
Exploitability
Medium - Any authenticated local user can exploit the vulnerability and an exploit is trivial to produce.
CVE Reference
CVE-2022-26691
Common Weakness Enumeration
CWE-288: Authentication Bypass Using an Alternate Path or Channel
Common Vulnerability Scoring System
Base Score: 8.4 - Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N/E:F/RC:C/CR:H/IR:H/MAV:L/MAC:L/MPR:L/MUI:N/MS:C/MC:H/MI:H/MA:H
Technical Details
In addition to basic web authentication, CUPS allows authentication via a 32-byte randomly generated hex string created at runtime. This alternative form of authentication ("Local" authentication) employs a buggy string compare function (ctcompare()) which allows an attacker to authenticate as root using an empty string, removing any need to know the 32-byte random secret. Once authenticated to CUPS as root, arbitrary code execution with root privileges is trivial to accomplish.
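The bug class described above, as a constructed illustration added here (this is not CUPS source code and does not reproduce ctcompare() itself): a constant-time compare whose loop stops at the terminator of the shorter string never records a difference when one side is empty, so a zero-length presented secret compares equal to any expected secret. The hardened form folds the leftover bytes of both strings into the result so a length mismatch is itself a mismatch. The function names compare_flawed, compare_hardened and local_auth_accepts, and the SAMPLE_SECRET value, are assumptions made for this example.

```c
#include <stdio.h>

/*
 * Constructed illustration for MNDT-2022-0026 / CVE-2022-26691.
 * NOT CUPS code: it only reproduces the shape of the defect so the
 * empty-string bypass and its fix can be checked side by side.
 */

/* Flawed shape: the loop ends at the first NUL of EITHER string, so the
 * accumulated difference stays 0 whenever one input is empty or is a
 * prefix of the other. Returns 0 to signal "match". */
int compare_flawed(const char *a, const char *b)
{
    int result = 0;
    while (*a != '\0' && *b != '\0') {
        result |= (unsigned char)*a ^ (unsigned char)*b;
        a++;
        b++;
    }
    return result;
}

/* Hardened shape: OR any remaining byte of either string into the result.
 * A leftover byte is nonzero by definition, so strings of different
 * lengths can never compare equal. Content is still compared without an
 * early exit; only the length (not secret here: it is always 32 hex
 * characters) influences timing. */
int compare_hardened(const char *a, const char *b)
{
    int result = 0;
    while (*a != '\0' && *b != '\0') {
        result |= (unsigned char)*a ^ (unsigned char)*b;
        a++;
        b++;
    }
    return result | (unsigned char)*a | (unsigned char)*b;
}

/* Authentication decision using a given compare routine: 1 = accept. */
int local_auth_accepts(int (*cmp)(const char *, const char *),
                       const char *expected_secret, const char *presented)
{
    return cmp(expected_secret, presented) == 0;
}

/* Constructed 32-hex-character secret standing in for the runtime value. */
static const char SAMPLE_SECRET[] = "0123456789abcdef0123456789abcdef";

int main(void)
{
    const char *probes[] = { "", "0123", SAMPLE_SECRET, "ffffffffffffffffffffffffffffffff" };
    size_t i;

    printf("%-36s %-8s %-8s\n", "presented", "flawed", "hardened");
    for (i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        printf("%-36s %-8s %-8s\n", probes[i][0] ? probes[i] : "(empty)",
               local_auth_accepts(compare_flawed, SAMPLE_SECRET, probes[i]) ? "ACCEPT" : "reject",
               local_auth_accepts(compare_hardened, SAMPLE_SECRET, probes[i]) ? "ACCEPT" : "reject");
    }
    return 0;
}
```

Running the program prints a small table: the flawed compare accepts both the empty string and the 4-character prefix, while the hardened compare accepts only the exact secret. The same check is useful as a unit test for any hand-rolled constant-time comparison: assert that an empty input and a strict prefix are rejected, not just that mismatched bytes are.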
Resolution
The issue was fixed in Apple CUPS 2 499.4. Update to this version to address the vulnerability.
Discovery Credits
- Joshua Mason, Mandiant
Disclosure Timeline
- 03-Dec-2021 - Issue reported to Apple
- 01-Feb-2022 - Issue confirmed by Apple and patch planned
- 08-Mar-2022 - macOS Monterey 12.3 released with CUPS patched; the fix was omitted from the release notes
- 03-May-2022 - Apple CUPS 2 source code patched
- 25-May-2022 - CVE published; CUPS fix noted in the Monterey 12.3 release notes