oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2025-58060 cups: Authentication bypass with AuthType Negotiate

From: Zdenek Dohnal <zdohnal () redhat com>
Date: Thu, 11 Sep 2025 15:05:30 +0200
Hi all,

there is important security vulnerability in CUPS:


   Description


     Summary
When the |AuthType| is set to anything but |Basic|, if the request contains an |Authorization: Basic ...| header, the password is not checked. 


     Details
When the |Authorization| header is set to |Basic|, but in |scheduler/auth.c| |cupsdAuthorize| |type| is not |CUPSD_AUTH_BASIC|, the step with checking the password is skipped. 


     PoC

- Configure CUPS with |DefaultAuthType Negotiate|.
- Start CUPS
- curl -v -X PUT -d 'haha' -H "Authorization: Basic $(echo -n root:x | base64)" http://127.0.0.1:631/admin/conf/cupsd.conf 
- cat /etc/cups/cupsd.conf
haha


     Impact
Authentication bypass. Any configuration that allows an |AuthType| that is not |Basic| is affected.
Versions lower than 2.4.3 are affected in less serious way - if attacker provides valid credentials for Basic authentication  and cupsd requires Kerberos authentication on resource (and vice versa), the attack is still possible because cupsd ignores its own authentication settings if the creds are valid. In those cases, the prerequisite for the attack is the attacker would obtain allowed user credentials/Kerberos ticket, which is more difficult. 

Patch
https://github.com/OpenPrinting/cups/commit/595d691075b1d39



Have a nice day,


Zdenek Dohnal

--
Zdenek Dohnal
Senior Software Engineer
Red Hat, BRQ-TPBC
Previous By Date Next
Previous By Thread Next

Current thread: