Commit | Line | Data |
---|---|---|
902da432 | 1 | <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd"> |
c8475f2d | 2 | <HTML> |
3 | <HEAD> | |
7159de3d | 4 | <TITLE>CUPS Software Security Report</TITLE> |
baee2cec | 5 | <META NAME="author" CONTENT="Easy Software Products"> |
6 | <META NAME="copyright" CONTENT="Copyright 1997-2001, All Rights Reserved"> | |
7 | <META NAME="docnumber" CONTENT="CUPS-SSR-1.1"> | |
8 | <META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=iso-8859-1"> | |
9 | <STYLE TYPE="text/css"><!-- | |
7159de3d | 10 | BODY { font-family: serif } |
11 | H1 { font-family: sans-serif } | |
12 | H2 { font-family: sans-serif } | |
13 | H3 { font-family: sans-serif } | |
14 | H4 { font-family: sans-serif } | |
15 | H5 { font-family: sans-serif } | |
16 | H6 { font-family: sans-serif } | |
17 | SUB { font-size: smaller } | |
18 | SUP { font-size: smaller } | |
19 | PRE { font-family: monospace } | |
baee2cec | 20 | --></STYLE> |
c8475f2d | 21 | </HEAD> |
22 | <BODY> | |
7159de3d | 23 | <CENTER><A HREF="#CONTENTS"><IMG SRC="images/cups-large.gif" BORDER="0" WIDTH="431" HEIGHT="511"><BR> |
24 | <H1>CUPS Software Security Report</H1></A><BR> | |
1aee2644 | 25 | CUPS-SSR-1.1<BR> |
6a921799 | 26 | Easy Software Products<BR> |
d0e6f0a0 | 27 | Copyright 1997-2001, All Rights Reserved<BR> |
6a921799 | 28 | </CENTER> |
29 | <HR> | |
902da432 | 30 | <H1 ALIGN="CENTER"><A NAME="CONTENTS">Table of Contents</A></H1> |
6a921799 | 31 | <BR> |
e2e7c96e | 32 | <BR><B><A HREF="#1">1 Scope</A></B> |
6a921799 | 33 | <UL> |
e2e7c96e | 34 | <LI><A HREF="#1_1">1.1 Identification</A></LI> |
35 | <LI><A HREF="#1_2">1.2 System Overview</A></LI> | |
36 | <LI><A HREF="#1_3">1.3 Document Overview</A></LI> | |
6a921799 | 37 | </UL> |
e2e7c96e | 38 | <B><A HREF="#2">2 References</A></B> |
6a921799 | 39 | <UL> |
e2e7c96e | 40 | <LI><A HREF="#2_1">2.1 CUPS Documentation</A></LI> |
41 | <LI><A HREF="#2_2">2.2 Other Documents</A></LI> | |
6a921799 | 42 | </UL> |
e2e7c96e | 43 | <B><A HREF="#3">3 Local Access Risks</A></B> |
6a921799 | 44 | <UL> |
e2e7c96e | 45 | <LI><A HREF="#3_1">3.1 Security Breaches</A></LI> |
9da2dc55 | 46 | </UL> |
e2e7c96e | 47 | <B><A HREF="#4">4 Remote Access Risks</A></B> |
01b16b02 | 48 | <UL> |
e2e7c96e | 49 | <LI><A HREF="#4_1">4.1 Denial of Service Attacks</A></LI> |
50 | <LI><A HREF="#4_2">4.2 Security Breaches</A></LI> | |
4ce43341 | 51 | </UL> |
e2e7c96e | 52 | <B><A HREF="#5">A Glossary</A></B> |
4ce43341 | 53 | <UL> |
e2e7c96e | 54 | <LI><A HREF="#5_1">A.1 Terms</A></LI> |
55 | <LI><A HREF="#5_2">A.2 Acronyms</A></LI> | |
6a921799 | 56 | </UL> |
6a921799 | 57 | <HR> |
e2e7c96e | 58 | <H1><A NAME="1">1 Scope</A></H1> |
59 | <H2><A NAME="1_1">1.1 Identification</A></H2> | |
7159de3d | 60 | <P>This software security report provides an analysis of possible |
61 | security concerns for the Common UNIX Printing System ("CUPS") Version | |
62 | 1.1.</P> | |
e2e7c96e | 63 | <H2><A NAME="1_2">1.2 System Overview</A></H2> |
7159de3d | 64 | <P>CUPS provides a portable printing layer for UNIX®-based operating |
65 | systems. It has been developed by<A HREF="http://www.easysw.com"> Easy | |
66 | Software Products</A> to promote a standard printing solution for all | |
67 | UNIX vendors and users. CUPS provides the System V and Berkeley | |
68 | command-line interfaces.</P> | |
69 | <P>CUPS uses the Internet Printing Protocol ("IPP") as the basis for | |
70 | managing print jobs and queues. The Line Printer Daemon ("LPD"), Server | |
71 | Message Block ("SMB"), and AppSocket (a.k.a. JetDirect) protocols are | |
72 | also supported with reduced functionality. CUPS adds network printer | |
73 | browsing and PostScript Printer Description ("PPD") based printing | |
74 | options to support real-world printing under UNIX.</P> | |
75 | <P>CUPS also includes a customized version of GNU Ghostscript (currently | |
76 | based off GNU Ghostscript 5.50) and an image file RIP that are used to | |
77 | support non-PostScript printers. Sample drivers for HP and EPSON | |
78 | printers are included that use these filters.</P> | |
e2e7c96e | 79 | <H2><A NAME="1_3">1.3 Document Overview</A></H2> |
7159de3d | 80 | <P>This software security report is organized into the following |
81 | sections:</P> | |
6a921799 | 82 | <UL> |
e2e7c96e | 83 | <LI>1 - Scope</LI> |
84 | <LI>2 - References</LI> | |
85 | <LI>3 - Local Access Risks</LI> | |
86 | <LI>4 - Remote Access Risks</LI> | |
87 | <LI>A - Glossary</LI> | |
6a921799 | 88 | </UL> |
e2e7c96e | 89 | <H1><A NAME="2">2 References</A></H1> |
90 | <H2><A NAME="2_1">2.1 CUPS Documentation</A></H2> | |
7159de3d | 91 | <P>The following CUPS documentation is referenced by this document:</P> |
6a921799 | 92 | <UL> |
7159de3d | 93 | <LI>CUPS-CMP-1.1: CUPS Configuration Management Plan</LI> |
94 | <LI>CUPS-IDD-1.1: CUPS System Interface Design Description</LI> | |
95 | <LI>CUPS-IPP-1.1: CUPS Implementation of IPP</LI> | |
96 | <LI>CUPS-SAM-1.1.x: CUPS Software Administrators Manual</LI> | |
97 | <LI>CUPS-SDD-1.1: CUPS Software Design Description</LI> | |
98 | <LI>CUPS-SPM-1.1.x: CUPS Software Programming Manual</LI> | |
99 | <LI>CUPS-SSR-1.1: CUPS Software Security Report</LI> | |
100 | <LI>CUPS-STP-1.1: CUPS Software Test Plan</LI> | |
101 | <LI>CUPS-SUM-1.1.x: CUPS Software Users Manual</LI> | |
102 | <LI>CUPS-SVD-1.1: CUPS Software Version Description</LI> | |
6a921799 | 103 | </UL> |
e2e7c96e | 104 | <H2><A NAME="2_2">2.2 Other Documents</A></H2> |
7159de3d | 105 | <P>The following non-CUPS documents are referenced by this document:</P> |
6a921799 | 106 | <UL> |
551d3a88 | 107 | <LI><A HREF="http://partners.adobe.com/asn/developer/PDFS/TN/5003.PPD_Spec_v4.3.pdf"> |
7159de3d | 108 | Adobe PostScript Printer Description File Format Specification, Version |
109 | 4.3.</A></LI> | |
551d3a88 | 110 | <LI><A HREF="http://partners.adobe.com/asn/developer/PDFS/TN/PLRM.pdf"> |
7159de3d | 111 | Adobe PostScript Language Reference, Third Edition.</A></LI> |
112 | <LI>IPP: Job and Printer Set Operations</LI> | |
113 | <LI>IPP/1.1: Encoding and Transport</LI> | |
114 | <LI>IPP/1.1: Implementers Guide</LI> | |
115 | <LI>IPP/1.1: Model and Semantics</LI> | |
116 | <LI><A HREF="http://www.ietf.org/rfc/rfc1179.txt">RFC 1179, Line Printer | |
117 | Daemon Protocol</A></LI> | |
118 | <LI><A HREF="http://www.ietf.org/rfc/rfc2567.txt">RFC 2567, Design Goals | |
119 | for an Internet Printing Protocol</A></LI> | |
120 | <LI><A HREF="http://www.ietf.org/rfc/rfc2568.txt">RFC 2568, Rationale | |
121 | for the Structure of the Model and Protocol</A> for the Internet | |
122 | Printing Protocol</LI> | |
123 | <LI><A HREF="http://www.ietf.org/rfc/rfc2569.txt">RFC 2569, Mapping | |
124 | between LPD and IPP Protocols</A></LI> | |
125 | <LI><A HREF="http://www.ietf.org/rfc/rfc2616.txt">RFC 2616, Hypertext | |
126 | Transfer Protocol -- HTTP/1.1</A></LI> | |
127 | <LI><A HREF="http://www.ietf.org/rfc/rfc2617.txt">RFC 2617, HTTP | |
128 | Authentication: Basic and Digest Access</A> Authentication</LI> | |
6a921799 | 129 | </UL> |
e2e7c96e | 130 | <H1><A NAME="3">3 Local Access Risks</A></H1> |
7159de3d | 131 | <P>Local access risks are those that can be exploited only with a local |
132 | user account. This section does not address issues related to | |
133 | dissemination of the root password or other security issues associated | |
134 | with the UNIX operating system.</P> | |
e2e7c96e | 135 | <H2><A NAME="3_1">3.1 Security Breaches</A></H2> |
7159de3d | 136 | <P>There is one known security vulnerability with local access:</P> |
78021ed9 | 137 | <OL> |
7159de3d | 138 | <LI>Device URIs are passed to backend filters in argv[0] and in an |
139 | environment variable. Since device URIs can contain usernames and | |
140 | passwords it may be possible for a local user to gain access to a | |
141 | remote resource.</LI> | |
142 | <P>We recommend that any password-protected accounts used for remote | |
143 | printing have limited access privileges so that the possible damages | |
144 | can be minimized.</P> | |
145 | <P>The device URI is "sanitized" (the username and password are removed) | |
146 | when sent to an IPP client so that a remote user cannot exploit this | |
147 | vulnerability.</P> | |
78021ed9 | 148 | </OL> |
e2e7c96e | 149 | <H1><A NAME="4">4 Remote Access Risks</A></H1> |
7159de3d | 150 | <P>Remote access risks are those that can be exploited without a local |
151 | user account and/or from a remote system. This section does not address | |
152 | issues related to network or firewall security.</P> | |
e2e7c96e | 153 | <H2><A NAME="4_1">4.1 Denial of Service Attacks</A></H2> |
7159de3d | 154 | <P>Like all Internet services, the CUPS server is vulnerable to denial |
155 | of service attacks, including:</P> | |
9da2dc55 | 156 | <OL> |
7159de3d | 157 | <LI>Establishing multiple connections to the server until the server |
158 | will accept no more.</LI> | |
159 | <P>This cannot be protected against by the current software. It is | |
160 | possible that future versions of the CUPS software could be configured | |
161 | to limit the number of connections allowed from a single host, however | |
162 | that still would not prevent a distributed attack.</P> | |
163 | <LI>Repeatedly opening and closing connections to the server as fast as | |
164 | possible.</LI> | |
165 | <P>There is no easy way of protecting against this in the CUPS software. | |
166 | If the attack is coming from outside the local network it might be | |
167 | possible to filter such an attack, however once the connection request | |
168 | has been received by the server it must at least accept the connection | |
169 | to find out who is connecting.</P> | |
170 | <LI>Flooding the network with broadcast packets on port 631.</LI> | |
171 | <P>It might be possible to disable browsing if this condition is | |
172 | detected by the CUPS software, however if there are large numbers of | |
173 | printers available on the network such an algorithm might think that an | |
174 | attack was occurring when instead a valid update was being received.</P> | |
175 | <LI>Sending partial IPP requests; specifically, sending part of an | |
176 | attribute value and then stopping transmission.</LI> | |
177 | <P>The current code is structured to read and write the IPP request data | |
178 | on-the-fly, so there is no easy way to protect against this for large | |
179 | attribute values.</P> | |
180 | <LI>Sending large/long print jobs to printers, preventing other users | |
181 | from printing.</LI> | |
182 | <P>There are limited facilities for protecting against large print jobs | |
183 | (the <CODE>MaxRequestSize</CODE> attribute), however this will not | |
184 | protect printers from malicious users and print files that generate | |
185 | hundreds or thousands of pages. In general, we recommend restricting | |
186 | printer access to known hosts or networks, and adding user-level access | |
187 | control as needed for expensive printers.</P> | |
9da2dc55 | 188 | </OL> |
e2e7c96e | 189 | <H2><A NAME="4_2">4.2 Security Breaches</A></H2> |
7159de3d | 190 | <P>The current CUPS server supports Basic, Digest, and local certificate |
191 | authentication:</P> | |
4ce43341 | 192 | <OL> |
7159de3d | 193 | <LI>Basic authentication essentially places the clear text of the |
194 | username and password on the network. Since CUPS uses the UNIX username | |
195 | and password account information, the authentication information could | |
196 | be used to gain access to accounts (possibly privileged accounts) on | |
197 | the server.</LI> | |
198 | <LI>Digest authentication uses an MD5 checksum of the username, | |
199 | password, and domain ("CUPS"), so the original username and password are | |
200 | not sent over the network. However, the current implementation does not | |
201 | authenticate the entire message and uses the client's IP address for | |
202 | the nonce value, making it possible to launch "man in the middle" and | |
203 | replay attacks from the same client. The next minor release of CUPS | |
204 | will support Digest authentication of the entire message body, | |
205 | effectively stopping these methods of attack.</LI> | |
206 | <LI>Local certificate authentication passes 128-bit "certificates" that | |
207 | identify an authenticated user. Certificates are created on-the-fly | |
208 | from random data and stored in files under <CODE>/etc/cups/certs</CODE> | |
209 | . They have restricted read permissions: root + system for the root | |
210 | certificate, and lp + system for CGI certificates. Because certificates | |
211 | are only available on the local system, the CUPS server does not accept | |
212 | local authentication unless the client is connected to the localhost | |
213 | address (127.0.0.1).</LI> | |
4ce43341 | 214 | </OL> |
7159de3d | 215 | <P>The default CUPS configuration disables remote administration. We do |
216 | not recommend that remote administration be enabled for all hosts. | |
217 | However, if you have a trusted network or subnet, access can be | |
218 | restricted accordingly. Also, we highly recommend using Digest | |
219 | authentication when possible. Unfortunately, most web browsers do not | |
220 | support Digest authentication at this time.</P> | |
e2e7c96e | 221 | <H1 TYPE="A" VALUE="1"><A NAME="5">A Glossary</A></H1> |
222 | <H2><A NAME="5_1">A.1 Terms</A></H2> | |
4ce43341 | 223 | <DL> |
7159de3d | 224 | <DT>C</DT> |
225 | <DD>A computer language.</DD> | |
226 | <DT>parallel</DT> | |
227 | <DD>Sending or receiving data more than 1 bit at a time.</DD> | |
228 | <DT>pipe</DT> | |
229 | <DD>A one-way communications channel between two programs.</DD> | |
230 | <DT>serial</DT> | |
231 | <DD>Sending or receiving data 1 bit at a time.</DD> | |
232 | <DT>socket</DT> | |
233 | <DD>A two-way network communications channel.</DD> | |
4ce43341 | 234 | </DL> |
e2e7c96e | 235 | <H2><A NAME="5_2">A.2 Acronyms</A></H2> |
4ce43341 | 236 | <DL> |
7159de3d | 237 | <DT>ASCII</DT> |
238 | <DD>American Standard Code for Information Interchange</DD> | |
239 | <DT>CUPS</DT> | |
240 | <DD>Common UNIX Printing System</DD> | |
241 | <DT>ESC/P</DT> | |
242 | <DD>EPSON Standard Code for Printers</DD> | |
243 | <DT>FTP</DT> | |
244 | <DD>File Transfer Protocol</DD> | |
245 | <DT>HP-GL</DT> | |
246 | <DD>Hewlett-Packard Graphics Language</DD> | |
247 | <DT>HP-PCL</DT> | |
248 | <DD>Hewlett-Packard Page Control Language</DD> | |
249 | <DT>HP-PJL</DT> | |
250 | <DD>Hewlett-Packard Printer Job Language</DD> | |
251 | <DT>IETF</DT> | |
252 | <DD>Internet Engineering Task Force</DD> | |
253 | <DT>IPP</DT> | |
254 | <DD>Internet Printing Protocol</DD> | |
255 | <DT>ISO</DT> | |
256 | <DD>International Standards Organization</DD> | |
257 | <DT>LPD</DT> | |
258 | <DD>Line Printer Daemon</DD> | |
259 | <DT>MIME</DT> | |
260 | <DD>Multimedia Internet Mail Exchange</DD> | |
261 | <DT>PPD</DT> | |
262 | <DD>PostScript Printer Description</DD> | |
263 | <DT>SMB</DT> | |
264 | <DD>Server Message Block</DD> | |
265 | <DT>TFTP</DT> | |
266 | <DD>Trivial File Transfer Protocol</DD> | |
4ce43341 | 267 | </DL> |
c8475f2d | 268 | </BODY> |
269 | </HTML> |
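
Section 3.1 of the report describes device URIs that carry a username and password and says the URI is "sanitized" before it is sent to an IPP client. The following is an added example, not code from CUPS or from the report: one way to strip the credentials and to audit a set of queues for URIs that embed them. The function names, queue names, hosts and credentials are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit


def sanitize_device_uri(uri: str) -> str:
    """Return the URI with any username/password removed from the authority."""
    parts = urlsplit(uri)
    # The authority is "[userinfo@]host[:port]". Userinfo ends at the LAST '@',
    # so a password that itself contains '@' is still removed in full.
    host_port = parts.netloc.rpartition("@")[2]
    return urlunsplit((parts.scheme, host_port, parts.path, parts.query, parts.fragment))


def audit_device_uris(queues: dict) -> list:
    """List (queue, sanitized URI) for every queue whose URI embeds credentials."""
    findings = []
    for name, uri in sorted(queues.items()):
        if "@" in urlsplit(uri).netloc:
            findings.append((name, sanitize_device_uri(uri)))
    return findings


# Constructed sample data: queue names, hosts and credentials are invented.
SAMPLE_QUEUES = {
    "lab": "ipp://printhost.example:631/printers/lab",
    "accounts": "smb://svc-print:s3cr3t@fileserver.example/laser",
    "legacy": "lpd://guest:p@ss@lpd.example/queue?format=l",
}

if __name__ == "__main__":
    for queue, clean_uri in audit_device_uris(SAMPLE_QUEUES):
        print(f"{queue}: credentials embedded; safe form is {clean_uri}")
```

Queues reported by the audit are the ones whose remote accounts should hold only the limited privileges the report recommends.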
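
Section 4.2 of the report says the Digest implementation uses the client's IP address as the nonce and does not authenticate the entire message. The following is an added example, not code from CUPS or from the report: a server-side model of that check next to a verifier that issues a random, single-use nonce. It assumes the RFC 2617 response calculation without qop; the class names, user and password are constructed.

```python
import hashlib
import secrets


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(user, password, nonce, method, uri, realm="CUPS"):
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2). The body is not an input."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


class IpNonceVerifier:
    """Models the design described in 4.2: the nonce is the client's IP address."""

    def __init__(self, passwords):
        self.passwords = passwords

    def verify(self, client_ip, user, method, uri, response):
        expected = digest_response(user, self.passwords[user], client_ip, method, uri)
        return secrets.compare_digest(expected, response)


class FreshNonceVerifier:
    """Contrast: a random nonce per challenge, accepted exactly once."""

    def __init__(self, passwords):
        self.passwords = passwords
        self.outstanding = set()

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, nonce, user, method, uri, response):
        if nonce not in self.outstanding:
            return False  # unknown or already-used nonce
        self.outstanding.discard(nonce)
        expected = digest_response(user, self.passwords[user], nonce, method, uri)
        return secrets.compare_digest(expected, response)
```

With the IP-derived nonce, the expected response for a given user, method and URI never changes for that client address, so the verifier cannot tell a repeated response from a new one. Neither verifier covers the message body, which is the gap the report says the next minor release will close.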