git.ipfire.org Git - thirdparty/cups.git/blame - doc/ssr.html
Doco updates...
Commit Line Data
902da432 1<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
c8475f2d 2<HTML>
3<HEAD>
7159de3d 4<TITLE>CUPS Software Security Report</TITLE>
baee2cec 5<META NAME="author" CONTENT="Easy Software Products">
6<META NAME="copyright" CONTENT="Copyright 1997-2001, All Rights Reserved">
7<META NAME="docnumber" CONTENT="CUPS-SSR-1.1">
8<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=iso-8859-1">
9<STYLE TYPE="text/css"><!--
7159de3d 10BODY { font-family: serif }
11H1 { font-family: sans-serif }
12H2 { font-family: sans-serif }
13H3 { font-family: sans-serif }
14H4 { font-family: sans-serif }
15H5 { font-family: sans-serif }
16H6 { font-family: sans-serif }
17SUB { font-size: smaller }
18SUP { font-size: smaller }
19PRE { font-family: monospace }
baee2cec 20--></STYLE>
c8475f2d 21</HEAD>
22<BODY>
7159de3d 23<CENTER><A HREF="#CONTENTS"><IMG SRC="images/cups-large.gif" BORDER="0" WIDTH="431" HEIGHT="511"><BR>
24<H1>CUPS Software Security Report</H1></A><BR>
1aee2644 25CUPS-SSR-1.1<BR>
6a921799 26Easy Software Products<BR>
d0e6f0a0 27Copyright 1997-2001, All Rights Reserved<BR>
6a921799 28</CENTER>
29<HR>
902da432 30<H1 ALIGN="CENTER"><A NAME="CONTENTS">Table of Contents</A></H1>
6a921799 31<BR>
e2e7c96e 32<BR><B><A HREF="#1">1 Scope</A></B>
6a921799 33<UL>
e2e7c96e 34<LI><A HREF="#1_1">1.1 Identification</A></LI>
35<LI><A HREF="#1_2">1.2 System Overview</A></LI>
36<LI><A HREF="#1_3">1.3 Document Overview</A></LI>
6a921799 37</UL>
e2e7c96e 38<B><A HREF="#2">2 References</A></B>
6a921799 39<UL>
e2e7c96e 40<LI><A HREF="#2_1">2.1 CUPS Documentation</A></LI>
41<LI><A HREF="#2_2">2.2 Other Documents</A></LI>
6a921799 42</UL>
e2e7c96e 43<B><A HREF="#3">3 Local Access Risks</A></B>
6a921799 44<UL>
e2e7c96e 45<LI><A HREF="#3_1">3.1 Security Breaches</A></LI>
9da2dc55 46</UL>
e2e7c96e 47<B><A HREF="#4">4 Remote Access Risks</A></B>
01b16b02 48<UL>
e2e7c96e 49<LI><A HREF="#4_1">4.1 Denial of Service Attacks</A></LI>
50<LI><A HREF="#4_2">4.2 Security Breaches</A></LI>
4ce43341 51</UL>
e2e7c96e 52<B><A HREF="#5">A Glossary</A></B>
4ce43341 53<UL>
e2e7c96e 54<LI><A HREF="#5_1">A.1 Terms</A></LI>
55<LI><A HREF="#5_2">A.2 Acronyms</A></LI>
6a921799 56</UL>
6a921799 57<HR>
e2e7c96e 58<H1><A NAME="1">1 Scope</A></H1>
59<H2><A NAME="1_1">1.1 Identification</A></H2>
7159de3d 60<P>This software security report provides an analysis of possible
61 security concerns for the Common UNIX Printing System (&quot;CUPS&quot;) Version
62 1.1.</P>
e2e7c96e 63<H2><A NAME="1_2">1.2 System Overview</A></H2>
7159de3d 64<P>CUPS provides a portable printing layer for UNIX&reg;-based operating
65 systems. It has been developed by <A HREF="http://www.easysw.com">Easy
66 Software Products</A> to promote a standard printing solution for all
67 UNIX vendors and users. CUPS provides the System V and Berkeley
68 command-line interfaces.</P>
69<P>CUPS uses the Internet Printing Protocol (&quot;IPP&quot;) as the basis for
70 managing print jobs and queues. The Line Printer Daemon (&quot;LPD&quot;), Server
71 Message Block (&quot;SMB&quot;), and AppSocket (a.k.a. JetDirect) protocols are
72 also supported with reduced functionality. CUPS adds network printer
73 browsing and PostScript Printer Description (&quot;PPD&quot;) based printing
74 options to support real-world printing under UNIX.</P>
75<P>CUPS also includes a customized version of GNU Ghostscript (currently
76 based on GNU Ghostscript 5.50) and an image file RIP that are used to
77 support non-PostScript printers. Sample drivers for HP and EPSON
78 printers are included that use these filters.</P>
e2e7c96e 79<H2><A NAME="1_3">1.3 Document Overview</A></H2>
7159de3d 80<P>This software security report is organized into the following
81 sections:</P>
6a921799 82<UL>
e2e7c96e 83<LI>1 - Scope</LI>
84<LI>2 - References</LI>
85<LI>3 - Local Access Risks</LI>
86<LI>4 - Remote Access Risks</LI>
87<LI>A - Glossary</LI>
6a921799 88</UL>
e2e7c96e 89<H1><A NAME="2">2 References</A></H1>
90<H2><A NAME="2_1">2.1 CUPS Documentation</A></H2>
7159de3d 91<P>The following CUPS documentation is referenced by this document:</P>
6a921799 92<UL>
7159de3d 93<LI>CUPS-CMP-1.1: CUPS Configuration Management Plan</LI>
94<LI>CUPS-IDD-1.1: CUPS System Interface Design Description</LI>
95<LI>CUPS-IPP-1.1: CUPS Implementation of IPP</LI>
96<LI>CUPS-SAM-1.1.x: CUPS Software Administrators Manual</LI>
97<LI>CUPS-SDD-1.1: CUPS Software Design Description</LI>
98<LI>CUPS-SPM-1.1.x: CUPS Software Programming Manual</LI>
99<LI>CUPS-SSR-1.1: CUPS Software Security Report</LI>
100<LI>CUPS-STP-1.1: CUPS Software Test Plan</LI>
101<LI>CUPS-SUM-1.1.x: CUPS Software Users Manual</LI>
102<LI>CUPS-SVD-1.1: CUPS Software Version Description</LI>
6a921799 103</UL>
e2e7c96e 104<H2><A NAME="2_2">2.2 Other Documents</A></H2>
7159de3d 105<P>The following non-CUPS documents are referenced by this document:</P>
6a921799 106<UL>
551d3a88 107<LI><A HREF="http://partners.adobe.com/asn/developer/PDFS/TN/5003.PPD_Spec_v4.3.pdf">
7159de3d 108Adobe PostScript Printer Description File Format Specification, Version
109 4.3.</A></LI>
551d3a88 110<LI><A HREF="http://partners.adobe.com/asn/developer/PDFS/TN/PLRM.pdf">
7159de3d 111Adobe PostScript Language Reference, Third Edition.</A></LI>
112<LI>IPP: Job and Printer Set Operations</LI>
113<LI>IPP/1.1: Encoding and Transport</LI>
114<LI>IPP/1.1: Implementers Guide</LI>
115<LI>IPP/1.1: Model and Semantics</LI>
116<LI><A HREF="http://www.ietf.org/rfc/rfc1179.txt">RFC 1179, Line Printer
117 Daemon Protocol</A></LI>
118<LI><A HREF="http://www.ietf.org/rfc/rfc2567.txt">RFC 2567, Design Goals
119 for an Internet Printing Protocol</A></LI>
120<LI><A HREF="http://www.ietf.org/rfc/rfc2568.txt">RFC 2568, Rationale
121 for the Structure of the Model and Protocol for the Internet
122 Printing Protocol</A></LI>
123<LI><A HREF="http://www.ietf.org/rfc/rfc2569.txt">RFC 2569, Mapping
124 between LPD and IPP Protocols</A></LI>
125<LI><A HREF="http://www.ietf.org/rfc/rfc2616.txt">RFC 2616, Hypertext
126 Transfer Protocol -- HTTP/1.1</A></LI>
127<LI><A HREF="http://www.ietf.org/rfc/rfc2617.txt">RFC 2617, HTTP
128 Authentication: Basic and Digest Access Authentication</A></LI>
6a921799 129</UL>
e2e7c96e 130<H1><A NAME="3">3 Local Access Risks</A></H1>
7159de3d 131<P>Local access risks are those that can be exploited only with a local
132 user account. This section does not address issues related to
133 dissemination of the root password or other security issues associated
134 with the UNIX operating system.</P>
e2e7c96e 135<H2><A NAME="3_1">3.1 Security Breaches</A></H2>
7159de3d 136<P>There is one known security vulnerability with local access:</P>
78021ed9 137<OL>
7159de3d 138<LI>Device URIs are passed to backend filters in argv[0] and in an
139 environment variable. Since device URIs can contain usernames and
140 passwords, it may be possible for a local user to gain access to a
141 remote resource.</LI>
142<P>We recommend that any password-protected accounts used for remote
143 printing have limited access privileges so that the possible damage
144 can be minimized.</P>
145<P>The device URI is &quot;sanitized&quot; (the username and password are removed)
146 when sent to an IPP client so that a remote user cannot exploit this
147 vulnerability.</P>
78021ed9 148</OL>
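<P>The sanitizing step described above, as an added Python example that is not part of the original report and not the CUPS implementation: it removes the username and password from a device URI so that only the credential-free form is shown to clients, logs or process listings. The function name <CODE>sanitize_device_uri</CODE> and the sample URIs are assumptions constructed for illustration.</P>

```python
import re

# A scheme followed by "//" introduces an authority component (RFC 3986).
_AUTHORITY = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*)://")


def sanitize_device_uri(uri):
    """Return uri with any "username[:password]@" removed from its authority.

    Hypothetical helper for illustration; not the CUPS implementation.
    """
    m = _AUTHORITY.match(uri)
    if not m:
        # e.g. "parallel:/dev/lp0": no authority, so no credentials to strip.
        return uri
    rest = uri[m.end():]
    # The authority ends at the first "/", "?" or "#", so an "@" that
    # appears later in the path or query is left untouched.
    cut = min((i for i in (rest.find(c) for c in "/?#") if i != -1),
              default=len(rest))
    authority, tail = rest[:cut], rest[cut:]
    # Userinfo is everything before the LAST "@" in the authority, so a
    # password that itself contains "@" is still removed in full.
    hostport = authority.rpartition("@")[2]
    return m.group(1) + "://" + hostport + tail


# Constructed sample device URIs (not taken from the report).
SAMPLES = [
    "smb://guest:s3cret@fileserver/laser",
    "ipp://operator@printhost:631/printers/a@b",
    "smb://user:p@ss@fileserver/laser",
    "lpd://[::1]/queue",
    "parallel:/dev/lp0",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sanitize_device_uri(sample))
```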
e2e7c96e 149<H1><A NAME="4">4 Remote Access Risks</A></H1>
7159de3d 150<P>Remote access risks are those that can be exploited without a local
151 user account and/or from a remote system. This section does not address
152 issues related to network or firewall security.</P>
e2e7c96e 153<H2><A NAME="4_1">4.1 Denial of Service Attacks</A></H2>
7159de3d 154<P>Like all Internet services, the CUPS server is vulnerable to denial
155 of service attacks, including:</P>
9da2dc55 156<OL>
7159de3d 157<LI>Establishing multiple connections to the server until the server
158 will accept no more.</LI>
159<P>This cannot be protected against by the current software. It is
160 possible that future versions of the CUPS software could be configured
161 to limit the number of connections allowed from a single host; however,
162 that still would not prevent a distributed attack.</P>
163<LI>Repeatedly opening and closing connections to the server as fast as
164 possible.</LI>
165<P>There is no easy way of protecting against this in the CUPS software.
166 If the attack is coming from outside the local network it might be
167 possible to filter such an attack; however, once the connection request
168 has been received by the server it must at least accept the connection
169 to find out who is connecting.</P>
170<LI>Flooding the network with broadcast packets on port 631.</LI>
171<P>It might be possible to disable browsing if this condition is
172 detected by the CUPS software; however, if there are large numbers of
173 printers available on the network such an algorithm might think that an
174 attack was occurring when instead a valid update was being received.</P>
175<LI>Sending partial IPP requests; specifically, sending part of an
176 attribute value and then stopping transmission.</LI>
177<P>The current code is structured to read and write the IPP request data
178 on-the-fly, so there is no easy way to protect against this for large
179 attribute values.</P>
180<LI>Sending large/long print jobs to printers, preventing other users
181 from printing.</LI>
182<P>There are limited facilities for protecting against large print jobs
183 (the <CODE>MaxRequestSize</CODE> attribute); however, this will not
184 protect printers from malicious users and print files that generate
185 hundreds or thousands of pages. In general, we recommend restricting
186 printer access to known hosts or networks, and adding user-level access
187 control as needed for expensive printers.</P>
9da2dc55 188</OL>
e2e7c96e 189<H2><A NAME="4_2">4.2 Security Breaches</A></H2>
7159de3d 190<P>The current CUPS server supports Basic, Digest, and local certificate
191 authentication:</P>
4ce43341 192<OL>
7159de3d 193<LI>Basic authentication essentially places the clear text of the
194 username and password on the network. Since CUPS uses the UNIX username
195 and password account information, the authentication information could
196 be used to gain access to accounts (possibly privileged accounts) on
197 the server.</LI>
198<LI>Digest authentication uses an MD5 checksum of the username,
199 password, and domain (&quot;CUPS&quot;), so the original username and password are
200 not sent over the network. However, the current implementation does not
201 authenticate the entire message and uses the client's IP address for
202 the nonce value, making it possible to launch &quot;man in the middle&quot; and
203 replay attacks from the same client. The next minor release of CUPS
204 will support Digest authentication of the entire message body,
205 effectively stopping these methods of attack.</LI>
206<LI>Local certificate authentication passes 128-bit &quot;certificates&quot; that
207 identify an authenticated user. Certificates are created on-the-fly
208 from random data and stored in files under <CODE>/etc/cups/certs</CODE>.
209 They have restricted read permissions: root + system for the root
210 certificate, and lp + system for CGI certificates. Because certificates
211 are only available on the local system, the CUPS server does not accept
212 local authentication unless the client is connected to the localhost
213 address (127.0.0.1).</LI>
4ce43341 214</OL>
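<P>Why a nonce equal to the client's IP address permits replay from the same client, shown as an added Python model that is not part of the original report and not CUPS code. It computes the RFC 2617 Digest response without <CODE>qop</CODE> and compares a verifier whose nonce is the client address with one that issues a random, single-use nonce. The <CODE>Server</CODE> class, the account, the address and the request path are constructed assumptions.</P>

```python
import hashlib
import hmac
import secrets

REALM = "CUPS"                                # the domain named in the report
USERS = {"admin": "constructed-password"}     # constructed test account


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(user, password, nonce, method, uri):
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{user}:{REALM}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


class Server:
    """Toy verifier; fresh_nonces=False models a nonce equal to the client IP."""

    def __init__(self, passwords, fresh_nonces):
        self.passwords = passwords
        self.fresh_nonces = fresh_nonces
        self.outstanding = set()      # nonces issued and not yet used

    def challenge(self, client_ip):
        if not self.fresh_nonces:
            return client_ip          # same value on every challenge
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, client_ip, user, nonce, method, uri, response):
        if self.fresh_nonces:
            if nonce not in self.outstanding:
                return False          # unknown or already used: a replay
            self.outstanding.discard(nonce)
        elif nonce != client_ip:
            return False
        expected = digest_response(user, self.passwords[user], nonce, method, uri)
        return hmac.compare_digest(expected, response)


def replay_accepted(server, client_ip="192.0.2.10"):
    """Authenticate once, then present the identical header a second time."""
    nonce = server.challenge(client_ip)
    resp = digest_response("admin", USERS["admin"], nonce, "POST", "/admin/")
    first = server.verify(client_ip, "admin", nonce, "POST", "/admin/", resp)
    second = server.verify(client_ip, "admin", nonce, "POST", "/admin/", resp)
    return first, second
```

<P>With the address-derived nonce both verifications succeed; with the single-use random nonce the second, replayed header is rejected.</P>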
7159de3d 215<P>The default CUPS configuration disables remote administration. We do
216 not recommend that remote administration be enabled for all hosts.
217 However, if you have a trusted network or subnet, access can be
218 restricted accordingly. Also, we highly recommend using Digest
219 authentication when possible. Unfortunately, most web browsers do not
220 support Digest authentication at this time.</P>
e2e7c96e 221<H1 TYPE="A" VALUE="1"><A NAME="5">A Glossary</A></H1>
222<H2><A NAME="5_1">A.1 Terms</A></H2>
4ce43341 223<DL>
7159de3d 224<DT>C</DT>
225<DD>A computer language.</DD>
226<DT>parallel</DT>
227<DD>Sending or receiving data more than 1 bit at a time.</DD>
228<DT>pipe</DT>
229<DD>A one-way communications channel between two programs.</DD>
230<DT>serial</DT>
231<DD>Sending or receiving data 1 bit at a time.</DD>
232<DT>socket</DT>
233<DD>A two-way network communications channel.</DD>
4ce43341 234</DL>
e2e7c96e 235<H2><A NAME="5_2">A.2 Acronyms</A></H2>
4ce43341 236<DL>
7159de3d 237<DT>ASCII</DT>
238<DD>American Standard Code for Information Interchange</DD>
239<DT>CUPS</DT>
240<DD>Common UNIX Printing System</DD>
241<DT>ESC/P</DT>
242<DD>EPSON Standard Code for Printers</DD>
243<DT>FTP</DT>
244<DD>File Transfer Protocol</DD>
245<DT>HP-GL</DT>
246<DD>Hewlett-Packard Graphics Language</DD>
247<DT>HP-PCL</DT>
248<DD>Hewlett-Packard Page Control Language</DD>
249<DT>HP-PJL</DT>
250<DD>Hewlett-Packard Printer Job Language</DD>
251<DT>IETF</DT>
252<DD>Internet Engineering Task Force</DD>
253<DT>IPP</DT>
254<DD>Internet Printing Protocol</DD>
255<DT>ISO</DT>
256<DD>International Standards Organization</DD>
257<DT>LPD</DT>
258<DD>Line Printer Daemon</DD>
259<DT>MIME</DT>
260<DD>Multimedia Internet Mail Exchange</DD>
261<DT>PPD</DT>
262<DD>PostScript Printer Description</DD>
263<DT>SMB</DT>
264<DD>Server Message Block</DD>
265<DT>TFTP</DT>
266<DD>Trivial File Transfer Protocol</DD>
4ce43341 267</DL>
c8475f2d 268</BODY>
269</HTML>