CVE-2017-18190 : A localhost.localdomain whitelist entry in valid

A localhost.localdomain whitelist entry in valid_host() in scheduler/client.c in CUPS before 2.2.2 allows remote attackers to execute arbitrary IPP commands by sending POST requests to the CUPS daemon in conjunction with DNS rebinding. The localhost.localdomain name is often resolved via a DNS server (neither the OS nor the web browser is responsible for ensuring that localhost.localdomain is 127.0.0.1).

Published 2018-02-16 17:29:00

Updated 2019-10-03 00:03:26

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2017-18190

Debian » Debian Linux » Version: 7.0
cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 8.0
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
Matching versions
Apple » Cups
Versions before (<) 2.2.2
cpe:2.3:a:apple:cups:*:*:*:*:*:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 14.04 LTS Edition
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 16.04 LTS Edition
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
Matching versions

Threat overview for CVE-2017-18190

Top countries where our scanners detected CVE-2017-18190

Top open port discovered on systems with this issue 631

IPs affected by CVE-2017-18190 137,314

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2017-18190!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2017-18190

EPSS FAQ

0.22%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 42 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2017-18190

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.0	MEDIUM	AV:N/AC:L/Au:N/C:N/I:P/A:N	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None
7.5	HIGH	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N	3.9	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: High Availability: None

CWE ids for CVE-2017-18190

CWE-290 Authentication Bypass by Spoofing

This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2017-18190

https://lists.debian.org/debian-lts-announce/2018/02/msg00023.html

[SECURITY] [DLA 1288-1] cups security update
Mailing List;Third Party Advisory
https://usn.ubuntu.com/3577-1/

USN-3577-1: CUPS vulnerability | Ubuntu security notices
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2018/07/msg00003.html

[SECURITY] [DLA 1412-1] cups security update
Mailing List;Third Party Advisory

CVEs referencing this url
https://bugs.chromium.org/p/project-zero/issues/detail?id=1048

1048 - CUPS: incorrect whitelist permits DNS rebinding attacks - project-zero - Monorail
Exploit;Issue Tracking;Third Party Advisory
https://github.com/apple/cups/commit/afa80cb2b457bf8d64f775bed307588610476c41

Don't treat "localhost.localdomain" as an allowed replacement for loc… · apple/cups@afa80cb · GitHub
Patch;Third Party Advisory