Commit | Line | Data |
---|---|---|
4744bd90 | 1 | <HTML> |
2 | <!-- SECTION: Getting Started --> | |
3 | <HEAD> | |
4 | <TITLE>Server Security</TITLE> | |
5 | </HEAD> | |
6 | <BODY> | |
7 | ||
8 | <P>In the default "standalone" configuration, there are few | |
9 | potential security risks - the CUPS server does not accept remote | |
10 | connections, and only accepts shared printer information from the | |
11 | local subnet. When you share printers and/or enable remote | |
12 | administration, you expose your system to potential unauthorized | |
13 | access. This help page provides an analysis of possible CUPS | |
14 | security concerns and describes how to better secure your | |
15 | server.</P> | |
16 | ||
17 | <H2 CLASS="title"><A NAME="AUTHENTICATION">Authentication Issues</A></H2> | |
18 | ||
19 | <P>When you enable remote administration, the server will use | |
20 | Basic authentication for administration tasks. The current CUPS | |
21 | server supports Basic, Digest, and local certificate | |
22 | authentication:</P> | |
23 | ||
24 | <OL> | |
25 | ||
26 | <LI>Basic authentication essentially places the clear | |
27 | text of the username and password on the network. | |
28 | ||
29 | <P>Since CUPS uses the system username and password | |
30 | account information, the authentication information could | |
31 | be used to gain access to possibly privileged accounts on | |
32 | the server.</P> | |
33 | ||
34 | <P><B>Recommendation:</B> Enable encryption to hide the | |
e1d6a774 | 35 | username and password information - this is the default on |
36 | MacOS X and systems with GNU TLS or OpenSSL installed.</P></LI> | |
4744bd90 | 37 | |
38 | <LI>Digest authentication uses an MD5 checksum of the | |
39 | username, password, and domain ("CUPS"), so the original | |
40 | username and password are not sent over the network. | |
41 | ||
42 | <P>The current implementation does not authenticate the | |
43 | entire message and uses the client's IP address for the | |
44 | nonce value, making it possible to launch "man in the | |
45 | middle" and replay attacks from the same client.</P> | |
46 | ||
47 | <P><B>Recommendation:</B> Enable encryption to hide the | |
48 | username and password information.</P></LI> | |
49 | ||
50 | <LI>Local certificate authentication passes 128-bit | |
51 | "certificates" that identify an authenticated user. | |
52 | Certificates are created on-the-fly from random data and | |
53 | stored in files under <VAR>/var/run/cups/certs</VAR>. | |
54 | They have restricted read permissions: root + | |
e1d6a774 | 55 | system-group(s) for the root certificate, and lp + lp |
56 | for CGI certificates. | |
4744bd90 | 57 | |
58 | <P>Because certificates are only available on the local | |
59 | system, the CUPS server does not accept local | |
60 | authentication unless the client is connected to the | |
61 | loopback interface (127.0.0.1 or ::1) or domain | |
62 | socket.</P> | |
63 | ||
64 | <P><B>Recommendation:</B> Ensure that unauthorized users | |
65 | are not added to the system group(s).</P></LI> | |
66 | ||
67 | </OL> | |
68 | ||
69 | <H2 CLASS="title"><A NAME="DOS">Denial of Service Attacks</A></H2> | |
70 | ||
71 | <P>When printer sharing or remote administration is enabled, the | |
72 | CUPS server, like all Internet services, is vulnerable to a | |
73 | variety of denial of service attacks:</P> | |
74 | ||
75 | <OL> | |
76 | ||
77 | <LI>Establishing multiple connections to the server until | |
78 | the server will accept no more. | |
79 | ||
80 | <P>This cannot be protected against by any known | |
81 | software. The <CODE>MaxClientsPerHost</CODE> directive | |
82 | can be used to configure CUPS to limit the number of | |
83 | connections allowed from a single host, however that does | |
84 | not prevent a distributed attack.</P> | |
85 | ||
86 | <P><B>Recommendation:</B> Limit access to trusted systems | |
87 | and networks.</P></LI> | |
88 | ||
89 | <LI>Repeatedly opening and closing connections to the | |
90 | server as fast as possible. | |
91 | ||
92 | <P>There is no easy way of protecting against this in the | |
93 | CUPS software. If the attack is coming from outside the | |
94 | local network, it may be possible to filter such an | |
95 | attack. However, once the connection request has been | |
96 | received by the server it must at least accept the | |
97 | connection to find out who is connecting.</P> | |
98 | ||
99 | <P><B>Recommendation:</B> None.</P></LI> | |
100 | ||
101 | <LI>Flooding the network with broadcast packets on port | |
102 | 631. | |
103 | ||
104 | <P>It might be possible to disable browsing if this | |
105 | condition is detected by the CUPS software, however if | |
106 | there are large numbers of printers available on the | |
107 | network such an algorithm might think that an attack was | |
108 | occurring when instead a valid update was being | |
109 | received.</P> | |
110 | ||
111 | <P><B>Recommendation:</B> Block browse packets from | |
112 | foreign or untrusted networks using a router or | |
113 | firewall.</P></LI> | |
114 | ||
115 | <LI>Sending partial IPP requests; specifically, sending | |
116 | part of an attribute value and then stopping | |
117 | transmission. | |
118 | ||
119 | <P>The current code will wait up to 1 second before | |
120 | timing out the partial value and closing the connection. | |
121 | This will slow the server responses to valid requests and | |
122 | may lead to dropped browsing packets, but will otherwise | |
123 | not affect the operation of the server.</P> | |
124 | ||
125 | <P><B>Recommendation:</B> Block IPP packets from foreign | |
126 | or untrusted networks using a router or | |
127 | firewall.</P></LI> | |
128 | ||
129 | <LI>Sending large/long print jobs to printers, preventing | |
130 | other users from printing. | |
131 | ||
132 | <P>There are limited facilities for protecting against | |
133 | large print jobs (the <CODE>MaxRequestSize</CODE> | |
134 | attribute), however this will not protect printers from | |
135 | malicious users and print files that generate hundreds or | |
136 | thousands of pages.</P> | |
137 | ||
138 | <P><B>Recommendation:</B> Restrict printer access to | |
139 | known hosts or networks, and add user-level access | |
140 | controls as needed for expensive printers.</P></LI> | |
141 | ||
142 | </OL> | |
143 | ||
144 | <H2 CLASS="title"><A NAME="ENCRYPTION">Encryption Issues</A></H2> | |
145 | ||
146 | <P>CUPS supports 128-bit SSL 3.0 and TLS 1.0 encryption of | |
147 | network connections via the OpenSSL, GNU TLS, and CDSA encryption | |
148 | libraries. In addition to the potential security issues posed | |
149 | by the SSL and TLS protocols, CUPS currently has the following | |
150 | additional issue:</P> | |
151 | ||
152 | <OL> | |
153 | ||
154 | <LI>Certificate validation/revocation; currently CUPS | |
155 | does not validate or revoke server or client certificates | |
156 | when establishing a secure connection. This can | |
157 | potentially lead to "man in the middle" and | |
158 | impersonation/spoofing attacks over unsecured networks. | |
159 | Future versions of CUPS will support both validation and | |
160 | revocation of server certificates. | |
161 | ||
162 | <P><B>Recommendation:</B> Do not depend on encryption for | |
163 | security when connecting to servers over the Internet or | |
164 | untrusted WAN links.</P></LI> | |
165 | ||
166 | </OL> | |
167 | ||
168 | </BODY> | |
169 | </HTML> |
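
The Digest weakness described under "Authentication Issues" (nonce derived from the client's IP address), modelled as an added example that is not CUPS code: a verifier whose nonce is the client IP accepts the same Authorization value twice, while one that issues a random single-use nonce rejects the second presentation. The RFC 2617 response layout without qop, the class names, the account and the address are assumptions made for the illustration.

```python
import hashlib
import secrets

REALM = "CUPS"  # the "domain" the page says is hashed with the credentials
USERS = {"alice": "constructed-password"}  # constructed sample account

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, password, nonce, method, uri):
    """RFC 2617 response without qop (assumed layout): MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{user}:{REALM}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

class IpNonceServer:
    """Nonce is the client's IP address, as the page describes."""
    def challenge(self, client_ip):
        return client_ip

    def nonce_ok(self, client_ip, nonce):
        return nonce == client_ip  # stays valid for every later request

    def verify(self, client_ip, user, nonce, method, uri, response):
        if user not in USERS or not self.nonce_ok(client_ip, nonce):
            return False
        expected = digest_response(user, USERS[user], nonce, method, uri)
        return secrets.compare_digest(expected, response)

class FreshNonceServer(IpNonceServer):
    """Contrast: random nonce bound to the client and accepted only once."""
    def __init__(self):
        self.issued = {}

    def challenge(self, client_ip):
        nonce = secrets.token_hex(16)
        self.issued[nonce] = client_ip
        return nonce

    def nonce_ok(self, client_ip, nonce):
        return self.issued.pop(nonce, None) == client_ip

def replay_accepted(server, client_ip="192.0.2.10"):
    """Authenticate once, then present the identical header a second time."""
    nonce = server.challenge(client_ip)
    resp = digest_response("alice", USERS["alice"], nonce, "POST", "/admin/")
    first = server.verify(client_ip, "alice", nonce, "POST", "/admin/", resp)
    second = server.verify(client_ip, "alice", nonce, "POST", "/admin/", resp)
    return first, second
```

With the IP-derived nonce both presentations verify; the page's recommendation to enable encryption keeps the header from being observed in the first place.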
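
One way to check a configuration against the page's recommendations (encrypt authenticated locations, limit access to trusted systems and networks), as an added example that is not part of CUPS or of the original page. It reads `cupsd.conf` text and reports `Location` blocks that authenticate without `Encryption Required` or that use `Allow from all`; the sample configuration and the function names are constructed for the illustration.

```python
import re

# Constructed sample configuration, not taken from the page or a real server.
SAMPLE_CONF = """\
<Location />
  Order allow,deny
  Allow from all
</Location>
<Location /admin>
  AuthType Basic
  Require user @SYSTEM
  Allow from 192.168.1.0/24
</Location>
"""

def parse(conf):
    """Return (global directives, {location path: directives}), lowercased."""
    top, locations, current = {}, {}, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        opened = re.fullmatch(r"<Location\s+(\S+)>", line, re.I)
        if opened:
            current = locations.setdefault(opened.group(1), {})
        elif line.lower() == "</location>":
            current = None
        elif line and not line.startswith("<"):  # skip nested <Limit> tags
            name, *words = line.split()
            target = top if current is None else current
            target.setdefault(name.lower(), []).append(" ".join(words).lower())
    return top, locations

def audit(conf):
    """List Location blocks that miss the page's encryption or access advice."""
    top, locations = parse(conf)
    tls_default = top.get("defaultencryption", [""])[-1] == "required"
    findings = []
    for path, d in locations.items():
        auth = d.get("authtype", ["none"])[-1]
        tls = d.get("encryption", [""])[-1] in ("required", "always")
        if auth != "none" and not (tls or tls_default):
            findings.append(f"{path}: AuthType {auth} without Encryption Required")
        if any(v in ("all", "from all") for v in d.get("allow", [])):
            findings.append(f"{path}: Allow from all")
    return findings
```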