CVE-2018-4180
cups: Local privilege escalation to root due to insecure environment variable handling
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In macOS High Sierra before 10.13.5, an issue existed in CUPS. This issue was addressed with improved access restrictions.
En macOS High Sierra en versiones anteriores a la 10.13.5, existÃa un problema en CUPS. Este problema se abordó mediante la mejora de las restricciones de acceso.
It was discovered that CUPS allows non-root users to pass environment variables to CUPS backends. Affected backends use attacker-controlled environment variables without proper sanitization. A local attacker, who is part of one of the groups specified in the SystemGroups directive, could use the cupsctl binary to set SetEnv and PassEnv directives and potentially controls the flow of the affected backend, resulting in some cases in arbitrary code execution with root privileges.
It was discovered that CUPS incorrectly handled certain print jobs with invalid usernames. A remote attacker could possibly use this issue to cause CUPS to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 17.10 and Ubuntu 18.04 LTS. Dan Bastone discovered that the CUPS dnssd backend incorrectly handled certain environment variables. A local attacker could possibly use this issue to escalate privileges. Various other issues were also addressed.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2018-01-02 CVE Reserved
- 2018-07-11 CVE Published
- 2024-08-05 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-642: External Control of Critical State Data
CAPEC
References (7)
| URL | Tag | Source |
|---|---|---|
| https://lists.debian.org/debian-lts-announce/2018/07/msg00014.html | Mailing List |
|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://security.gentoo.org/glsa/201908-08 | 2019-10-03 | |
| https://support.apple.com/HT208849 | 2019-10-03 | |
| https://usn.ubuntu.com/3713-1 | 2019-10-03 | |
| https://www.debian.org/security/2018/dsa-4243 | 2019-10-03 | |
| https://access.redhat.com/security/cve/CVE-2018-4180 | 2020-03-31 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1607282 | 2020-03-31 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Apple Search vendor "Apple" | Mac Os X Search vendor "Apple" for product "Mac Os X" | < 10.13.5 Search vendor "Apple" for product "Mac Os X" and version " < 10.13.5" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0" | - |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 14.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "14.04" | lts |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 16.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "16.04" | lts |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 17.10 Search vendor "Canonical" for product "Ubuntu Linux" and version "17.10" | - |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 18.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "18.04" | lts |
Affected
| ||||||