CVE-2017-18190
cups: DNS rebinding attacks via incorrect whitelist
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
A localhost.localdomain whitelist entry in valid_host() in scheduler/client.c in CUPS before 2.2.2 allows remote attackers to execute arbitrary IPP commands by sending POST requests to the CUPS daemon in conjunction with DNS rebinding. The localhost.localdomain name is often resolved via a DNS server (neither the OS nor the web browser is responsible for ensuring that localhost.localdomain is 127.0.0.1).
Una entrada en la lista blanca localhost.localdomain en valid_host() en scheduler/client.c en CUPS, en versiones anteriores a la 2.2.2, permite que atacantes remotos ejecuten comandos IPP arbitrarios mediante el envĂo de peticiones POST al demonio CUPS junto con reenlaces DNS. El nombre localhost.localdomain suele resolverse mediante un servidor DNS (ni el sistema operativo ni el navegador web son responsables de garantizar que localhost.localdomain sea 127.0.0.1).
Jann Horn discovered that CUPS permitted HTTP requests with the Host header set to "localhost.localdomain" from the loopback interface. If a user were tricked in to opening a specially crafted website in their web browser, an attacker could potentially exploit this to obtain sensitive information or control printers, via a DNS rebinding attack.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2018-02-16 CVE Reserved
- 2018-02-16 CVE Published
- 2024-08-05 CVE Updated
- 2024-08-05 First Exploit
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-284: Improper Access Control
- CWE-290: Authentication Bypass by Spoofing
CAPEC
References (7)
URL | Tag | Source |
---|---|---|
https://lists.debian.org/debian-lts-announce/2018/02/msg00023.html | Mailing List |
|
https://lists.debian.org/debian-lts-announce/2018/07/msg00003.html | Mailing List |
|
URL | Date | SRC |
---|---|---|
https://bugs.chromium.org/p/project-zero/issues/detail?id=1048 | 2024-08-05 |
URL | Date | SRC |
---|---|---|
https://github.com/apple/cups/commit/afa80cb2b457bf8d64f775bed307588610476c41 | 2019-10-03 |
URL | Date | SRC |
---|---|---|
https://usn.ubuntu.com/3577-1 | 2019-10-03 | |
https://access.redhat.com/security/cve/CVE-2017-18190 | 2020-09-29 | |
https://bugzilla.redhat.com/show_bug.cgi?id=1546395 | 2020-09-29 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Apple Search vendor "Apple" | Cups Search vendor "Apple" for product "Cups" | < 2.2.2 Search vendor "Apple" for product "Cups" and version " < 2.2.2" | - |
Affected
| ||||||
Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 7.0 Search vendor "Debian" for product "Debian Linux" and version "7.0" | - |
Affected
| ||||||
Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 8.0 Search vendor "Debian" for product "Debian Linux" and version "8.0" | - |
Affected
| ||||||
Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 14.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "14.04" | lts |
Affected
| ||||||
Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 16.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "16.04" | lts |
Affected
|