Cups SSL is vulnerable to POODLE

Bug #1505328 reported by Bryan Quigley
Affects: cups (Ubuntu) | Importance: High | Assigned to: Unassigned
Affects: Trusty | Importance: High | Assigned to: Marc Deslauriers

Bug Description

[Impact]

 * Cups in Trusty is vulnerable to the Poodle SSLv3. This disables it by default.
 * Users who have clients that don't support TLS1.0 will not be able to connect, unless
 they specify the additional options in cupsd.conf.

[Test Case]

 * Install cupsd with /etc/cups/cupsd.conf SSL options SSLPort 443 and SSLOptions None
   * This should show up as having RC4 and SSLv3 disabled via a test like ssllabs.
 * Same but specify SSLOptions to AllowSSL3 or AllowRC4.

[Regression Potential]

 * One assumption was this should only affect WinXP and even then only IE6 winxp users. If incorrect more could be affected.

 * The biggest issue could be that AllowSSL3 or AllowRC4 don't work in some unknown corner case. There's no evidence of this and other distros have deployed a very similar patch.

[Other Info]

 * Only targeting 14.04 because of my assumption that if you're on 12.04 you are more likely to have older clients connecting to it.

Original description:

On 12.04 and 14.04 if you enable cups ssl you are vulnerable to poodle, and there does not appear to be any way to mitigate it in Cups config.

Ubuntu 14.04 - https://www.ssllabs.com/ssltest/analyze.html?d=190.35.213.162.lcy-02.canonistack.canonical.com&hideResults=on
Ubuntu 12.04 - https://www.ssllabs.com/ssltest/analyze.html?d=191.35.213.162.lcy-02.canonistack.canonical.com&hideResults=on

Fixed in wily - https://www.ssllabs.com/ssltest/analyze.html?d=192.35.213.162.lcy-02.canonistack.canonical.com&hideResults=on
Upstream fix - https://www.cups.org/str.php?L4476

Should we disable sslv3 in the 12.04/14.04 cups by default and backport the option to turn it back on?
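The [Test Case] above toggles `SSLOptions` in cupsd.conf; the following is an added example (not part of the bug report or the CUPS patch) that audits a cupsd.conf for the two opt-ins that bring SSLv3 and RC4 back. It assumes the patched package, where the default is both disabled, that options are separated by whitespace or commas, and that a later `SSLOptions` line replaces an earlier one; `audit_cupsd_conf` and the sample configs are hypothetical names and constructed data.

```python
import re

# Constructed sample configs mirroring the [Test Case] settings.
SAMPLE_DEFAULT = """\
# constructed sample cupsd.conf
SSLPort 443
SSLOptions None
"""
SAMPLE_LEGACY = """\
SSLPort 443
sslOptions AllowSSL3 AllowRC4   # legacy clients
"""

# Opt-ins named in the bug report and what each one re-enables.
WEAK = {"allowssl3": "SSLv3 enabled (POODLE)", "allowrc4": "RC4 ciphers enabled"}


def audit_cupsd_conf(text):
    """Return (ssl_listener_configured, sorted list of findings)."""
    ssl_listener = False
    options = set()  # empty set == patched default: SSLv3 and RC4 off
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # simplification: '#' starts a comment
        if not line:
            continue
        parts = re.split(r"[\s,]+", line)
        directive = parts[0].lower()  # directive names compared case-insensitively
        args = [a.lower() for a in parts[1:]]
        if directive in ("sslport", "ssllisten"):
            ssl_listener = True
        elif directive == "ssloptions":
            # Assumption: a later SSLOptions line replaces an earlier one.
            options = set() if args == ["none"] else set(args)
    findings = sorted(WEAK[o] for o in options if o in WEAK)
    return ssl_listener, findings


if __name__ == "__main__":
    for name, conf in (("default", SAMPLE_DEFAULT), ("legacy", SAMPLE_LEGACY)):
        print(name, audit_cupsd_conf(conf))
```

A finding only matters when the first element is true, i.e. the server actually exposes an SSL listener.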

information type: Public → Public Security
tags: added: poodle
Bryan Quigley (bryanquigley) wrote :
Bryan Quigley (bryanquigley) wrote :

Patch in progress for 14.04 http://pastebin.ubuntu.com/12904343/ for some reason fails to fix Poodle on TLS issue.

Bryan Quigley (bryanquigley) wrote :

None of these issues exist in vivid, cups version 2.0.2-1ubuntu3.2. No RC4, No SSLv3, No Poodle on TLS. Would have an A- rating (if it was a valid domain/cert).

Bryan Quigley (bryanquigley) wrote :

Interesting - 14.10 has SSLv3, RC4 issues, but Poodle on TLS is not there (overall grade C). Cups 1.7.5-3ubuntu3.2, libgnutls-deb0-28
vs 14.04 - cups 1.7.2-0ubuntu1.6, libgnutls26

Bryan Quigley (bryanquigley) wrote :

Test fix for 14.04 is available here - http://people.canonical.com/~bryanquigley/cups-1505328

Does anyone need this fix for 12.04?

Bryan Quigley (bryanquigley) wrote :

Made it into a more proper ppa for 14.04 - https://launchpad.net/~bryanquigley/+archive/ubuntu/ppa

Bryan Quigley (bryanquigley) wrote :

I'm thinking it makes sense to do this as a normal (not security update) as it changes the default config.

For 12.04, I haven't seen any demand to backport this.

Bryan Quigley (bryanquigley) wrote :
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "now current debdiff (fixes accidentally included file)" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Mathew Hodson (mhodson)
tags: added: precise trusty
Changed in cups (Ubuntu):
importance: Undecided → High
Marc Deslauriers (mdeslaur) wrote :

1- The debdiff in comment #9 still contains an extra cups-1.7.2/lets_patch_this.patch section. Could you please remove it?
2- Please add an origin tag to the patch that traces back to redhat's 1161172 bug, since I believe that's what you based the backport on

3- Also, I don't think we should do this change:

@@ -4811,7 +4813,10 @@
   if (http->encryption == HTTP_ENCRYPTION_REQUIRED && !http->tls)
   {
     httpSetField(http, HTTP_FIELD_CONNECTION, "Upgrade");
- httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.2,TLS/1.1,TLS/1.0");
+ if (tls_options & _HTTP_TLS_ALLOW_SSL3)
+ httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.2,TLS/1.1,TLS/1.0,SSL/3.0");
+ else
+ httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.2,TLS/1.1,TLS/1.0");
   }
 #endif /* HAVE_SSL */
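
Review bot: In the `if (tls_options & _HTTP_TLS_ALLOW_SSL3)` branch, `SSL/3.0` is appended to the `Upgrade` request header that is sent when `http->encryption == HTTP_ENCRYPTION_REQUIRED`, so a connection that requires encryption would advertise the protocol this patch is meant to turn off. The `else` branch is identical to the removed line, so dropping the conditional and keeping the single `httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.2,TLS/1.1,TLS/1.0");` call leaves the header as it was.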

@@ -5572,7 +5590,10 @@

   httpClearFields(http);
   httpSetField(http, HTTP_FIELD_CONNECTION, "upgrade");
- httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.2,TLS/1.1,TLS/1.0");
+ if (tls_options & _HTTP_TLS_ALLOW_SSL3)
+ httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.2,TLS/1.1,TLS/1.0,SSL/3.0");
+ else
+ httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.2,TLS/1.1,TLS/1.0");

   if ((ret = httpOptions(http, "*")) == 0)
   {
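
Review bot: The same `tls_options & _HTTP_TLS_ALLOW_SSL3` if/else is repeated here ahead of `httpOptions(http, "*")`, which leaves the token list spread over four string literals at two call sites. If a conditional list were kept it should be built once and shared by both callers; since the `else` string matches the removed line, the simpler change is to leave this `httpSetField` call untouched.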

It doesn't make sense to "upgrade" to sslv3.

So, looking at the patch, I believe this should be an SRU, and not a security update.

Marc Deslauriers (mdeslaur) wrote :

Also, please add "(LP: #1505328)" to the debian/changelog.

Bryan Quigley (bryanquigley) wrote :

Really fixed extra file, added LP #, and removed "Upgrade to SSLv3" part.

description: updated
description: updated
Changed in cups (Ubuntu Trusty):
importance: Undecided → High
status: New → Triaged
Bryan Quigley (bryanquigley) wrote :

Forgot to mark it fixed in devel (since wily at least)

Changed in cups (Ubuntu):
status: New → Fix Released
Marc Deslauriers (mdeslaur) wrote :

This part of the patch is wrong:

@@ -895,18 +922,6 @@ _cupsSetDefaults(void)
       * Look for ~/.cups/client.conf...
       */

- snprintf(filename, sizeof(filename), "%s/.cups/client.conf", home);
- fp = cupsFileOpen(filename, "r");
- }
- else
- fp = NULL;
-
- if (!fp)
- {
- /*
- * Look for CUPS_SERVERROOT/client.conf...
- */
-
       snprintf(filename, sizeof(filename), "%s/client.conf",
                cg->cups_serverroot);
       fp = cupsFileOpen(filename, "r");
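
Review bot: The removed lines are the `~/.cups/client.conf` lookup (the `snprintf` with `"%s/.cups/client.conf", home` and its `cupsFileOpen`), along with the `else fp = NULL;` fallback and the `if (!fp)` guard, so the surviving `cg->cups_serverroot` open now sits directly under the "Look for ~/.cups/client.conf..." comment and the per-user file is never read. Keep those lines and delete the `CUPS_SERVERROOT/client.conf` block instead, and confirm that `fp` is still set to NULL on the path where the per-user lookup is skipped.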

It is removing the section that reads ~/.cups/client.conf instead of removing the section that reads CUPS_SERVERROOT/client.conf that got moved higher up in the code.

Bryan Quigley (bryanquigley) wrote :

New debdiff with fix for C#15

Marc Deslauriers (mdeslaur) wrote :

ACK on the updated debdiff, thanks!

I've changed my mind, and will release it as a security update after all if testing goes well.

Thanks!

Changed in cups (Ubuntu Trusty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cups - 1.7.2-0ubuntu1.7

---------------
cups (1.7.2-0ubuntu1.7) trusty-security; urgency=medium

  * Disable SSLv3 with option to turn back on.
    - debian/patches/disable-sslv3.patch: AllowSSL3 turns SSLv3
      back on and AllowRC4 turns on just the RC4 cypers. (LP: #1505328)

 -- Bryan Quigley <email address hidden> Tue, 10 Nov 2015 21:08:44 +0000

Changed in cups (Ubuntu Trusty):
status: Triaged → Fix Released
summary: - Cups SSL is vulernable to POODLE
+ Cups SSL is vulnerable to POODLE