Apple CUPS 2 (pervasive printer software used by macOS and most Linux distributions) contains a local privilege escalation vulnerability prior to version 499.4.
High - Exploiting the vulnerability gives a local unprivileged attacker root-level privileges.
Medium - Any authenticated local user can exploit the vulnerability, and an exploit is trivial to produce.
CVE-2022-26691
CWE-288: Authentication Bypass Using an Alternate Path or Channel
Base Score: 8.4 - Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N/E:F/RC:C/CR:H/IR:H/MAV:L/MAC:L/MPR:L/MUI:N/MS:C/MC:H/MI:H/MA:H
In addition to basic web authentication, CUPS allows authentication via a 32-byte randomly generated hex string created at runtime. This alternative form of authentication ("Local" authentication) employs a buggy string compare function (ctcompare()) that lets an attacker authenticate as root using an empty string, removing any need to know the 32-byte random secret. Once authenticated to CUPS as root, arbitrary code execution with root privileges is trivial.
The issue was fixed in Apple CUPS 2 499.4. Update to this version to address the vulnerability.
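The comparison bug class behind this advisory, as an added illustration (not CUPS's actual ctcompare() source): a "constant-time" compare that stops at the first terminator of either string returns 0 for an empty candidate, so the caller treats it as a match; the hardened form folds the length check into the result so no candidate shorter than the secret can pass. The secret value is constructed for the example.

```c
#include <stddef.h>
#include <string.h>

/* Constructed sample secret standing in for the runtime-generated hex string. */
static const char SECRET[] = "0123456789abcdef0123456789abcdef";

/* Reconstruction of the bug class (not CUPS's code): the loop ends as soon
 * as EITHER string hits NUL. For an empty candidate (or any prefix of the
 * secret) the body never sets a differing bit, so result stays 0 = "equal". */
static int ctcompare_buggy(const char *a, const char *b)
{
  int result = 0;
  while (*a && *b) {
    result |= *a ^ *b;
    a++;
    b++;
  }
  return result;  /* 0 means "match" */
}

/* Hardened form: a length mismatch is itself a difference, and the loop
 * always walks the longer of the two strings, so an empty or truncated
 * candidate can never compare equal. Secret length is treated as public
 * (it is fixed by the generator), so leaking it via strlen is acceptable. */
static int ctcompare_fixed(const char *a, const char *b)
{
  size_t la = strlen(a), lb = strlen(b);
  size_t n = la > lb ? la : lb;
  int result = (la != lb);
  for (size_t i = 0; i < n; i++) {
    unsigned char ca = i < la ? (unsigned char)a[i] : 0;
    unsigned char cb = i < lb ? (unsigned char)b[i] : 0;
    result |= ca ^ cb;
  }
  return result;
}

/* Models the authentication decision: returns 1 if the candidate would be
 * accepted as the secret under the given comparison routine. */
static int local_auth_accepts(int (*cmp)(const char *, const char *),
                              const char *secret, const char *candidate)
{
  return cmp(secret, candidate) == 0;
}
```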
- Joshua Mason, Mandiant
- 03-Dec-2021 - Issue reported to Apple
- 01-Feb-2022 - Issue confirmed by Apple and patch planned
- 08-Mar-2022 - macOS Monterey 12.3 released, CUPS patched, omitted from patch release notes
- 03-May-2022 - Apple CUPS 2 source code patched
- 25-May-2022 - CVE Released/CUPS fix noted in Monterey 12.3 release notes