OpenPrinting CUPS Use-After-Free Vulnerability in Temporary Printer Deletion Allowing Denial-of-Service and Potential Code Execution

Vulnerability

A use-after-free vulnerability has been identified in OpenPrinting CUPS versions through 2.4.16. The issue arises in the CUPS scheduler when temporary printers are automatically deleted. The function 'cupsdDeleteTemporaryPrinters()' calls 'cupsdDeletePrinter()' without first expiring related subscriptions, leaving a dangling pointer to freed memory. This pointer is later dereferenced at multiple points, causing a crash of the 'cupsd' daemon. With heap grooming, this vulnerability could be exploited for code execution.

Impact

Exploitation of this vulnerability leads to a denial-of-service condition, causing the 'cupsd' daemon to crash. This disrupts printing services until the daemon is manually restarted. Additionally, the vulnerability could be leveraged for unauthorized code execution.

Reproduction

To reproduce this vulnerability, first configure a printer in CUPS versions through 2.4.16. Ensure the printer is set to non-temporary so it remains after a restart. Then, create a subscription for the printer using the IPP 'Create-Printer-Subscription' operation, which does not require authentication by default. After the subscription is established, modify the printer to be temporary. The next time the CUPS scheduler runs, the 'cupsdDeleteTemporaryPrinters()' function will delete the printer without expiring the subscription, creating a dangling pointer. This pointer can then be dereferenced, triggering the use-after-free vulnerability.

Remediation

No official patch is available for this vulnerability. However, administrators can add authentication requirements for 'CUPS-Create-Local-Printer' in 'cupsd.conf' to prevent exploitation, though this may disrupt normal localhost printing functionality.
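As an added example, not from the advisory or the CUPS project, the cupsd.conf policy excerpt below shows the catch-all rule that an unlisted operation such as CUPS-Create-Local-Printer is assumed to fall through to, next to an explicit Limit block that makes the scheduler require authentication for it. The policy name "default" and the @SYSTEM group are the stock CUPS values and are assumed here.

```apache
# cupsd.conf excerpt (constructed example, not a complete policy).
#
# Weak: an operation that is not named in any <Limit> block is handled by the
# catch-all entry, which in the stock policy needs no credentials:
#
#   <Limit All>
#     Order deny,allow
#   </Limit>
#
# Hardened: list the operation explicitly so cupsd demands a password.
# The advisory notes this can disrupt localhost printing that relies on
# unauthenticated creation of temporary printers.
<Policy default>
  # (other Limit blocks from the stock policy go here, unchanged)

  # Only an administrator may create a local (temporary) printer.
  <Limit CUPS-Create-Local-Printer>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  </Limit>

  # Applies to every operation not named in another Limit block.
  <Limit All>
    Order deny,allow
  </Limit>
</Policy>
```

After editing, restart cupsd and confirm from the access log that CUPS-Create-Local-Printer requests now return an authentication challenge instead of succeeding.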

Added: Apr 7, 2026, 7:29 PM
Updated: Apr 7, 2026, 7:29 PM

Vulnerability Rating

Custom Algorithm

  spread          6.8
  impact          7.5
  exploitability  3.8
  remediation     0.0
  relevance       5.4
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.