Commit | Line | Data |
---|---|---|
902da432 | 1 | <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd"> |
c8475f2d | 2 | <HTML> |
3 | <HEAD> | |
4ce43341 | 4 | <TITLE> CUPS Software Security Report</TITLE> |
baee2cec | 5 | <META NAME="author" CONTENT="Easy Software Products"> |
6 | <META NAME="copyright" CONTENT="Copyright 1997-2001, All Rights Reserved"> | |
7 | <META NAME="docnumber" CONTENT="CUPS-SSR-1.1"> | |
8 | <META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=iso-8859-1"> | |
9 | <STYLE TYPE="text/css"><!-- | |
902da432 | 10 | BODY { font-family: serif; font-size: 11.0pt } |
30eb152d | 11 | H1 { font-family: sans-serif; font-size: 20.0pt } |
3d9e2586 | 12 | H2 { font-family: sans-serif; font-size: 17.0pt } |
13 | H3 { font-family: sans-serif; font-size: 14.0pt } | |
14 | H4 { font-family: sans-serif; font-size: 11.0pt } | |
15 | H5 { font-family: sans-serif; font-size: 9.0pt } | |
16 | H6 { font-family: sans-serif; font-size: 8.0pt } | |
30eb152d | 17 | SUB { font-size: 8.0pt } |
18 | SUP { font-size: 8.0pt } | |
19 | PRE { font-size: 9.0pt } | |
baee2cec | 20 | --></STYLE> |
c8475f2d | 21 | </HEAD> |
22 | <BODY> | |
4ce43341 | 23 | <CENTER><A HREF="#CONTENTS"><IMG SRC="images/cups-large.gif" BORDER="0" WIDTH="100%"><BR> |
24 | <H1> CUPS Software Security Report</H1></A><BR> | |
1aee2644 | 25 | CUPS-SSR-1.1<BR> |
6a921799 | 26 | Easy Software Products<BR> |
d0e6f0a0 | 27 | Copyright 1997-2001, All Rights Reserved<BR> |
6a921799 | 28 | </CENTER> |
29 | <HR> | |
902da432 | 30 | <H1 ALIGN="CENTER"><A NAME="CONTENTS">Table of Contents</A></H1> |
6a921799 | 31 | <BR> |
e2e7c96e | 32 | <BR><B><A HREF="#1">1 Scope</A></B> |
6a921799 | 33 | <UL> |
e2e7c96e | 34 | <LI><A HREF="#1_1">1.1 Identification</A></LI> |
35 | <LI><A HREF="#1_2">1.2 System Overview</A></LI> | |
36 | <LI><A HREF="#1_3">1.3 Document Overview</A></LI> | |
6a921799 | 37 | </UL> |
e2e7c96e | 38 | <B><A HREF="#2">2 References</A></B> |
6a921799 | 39 | <UL> |
e2e7c96e | 40 | <LI><A HREF="#2_1">2.1 CUPS Documentation</A></LI> |
41 | <LI><A HREF="#2_2">2.2 Other Documents</A></LI> | |
6a921799 | 42 | </UL> |
e2e7c96e | 43 | <B><A HREF="#3">3 Local Access Risks</A></B> |
6a921799 | 44 | <UL> |
e2e7c96e | 45 | <LI><A HREF="#3_1">3.1 Security Breaches</A></LI> |
9da2dc55 | 46 | </UL> |
e2e7c96e | 47 | <B><A HREF="#4">4 Remote Access Risks</A></B> |
01b16b02 | 48 | <UL> |
e2e7c96e | 49 | <LI><A HREF="#4_1">4.1 Denial of Service Attacks</A></LI> |
50 | <LI><A HREF="#4_2">4.2 Security Breaches</A></LI> | |
4ce43341 | 51 | </UL> |
e2e7c96e | 52 | <B><A HREF="#5">A Glossary</A></B> |
4ce43341 | 53 | <UL> |
e2e7c96e | 54 | <LI><A HREF="#5_1">A.1 Terms</A></LI> |
55 | <LI><A HREF="#5_2">A.2 Acronyms</A></LI> | |
6a921799 | 56 | </UL> |
6a921799 | 57 | <HR> |
e2e7c96e | 58 | <H1><A NAME="1">1 Scope</A></H1> |
59 | <H2><A NAME="1_1">1.1 Identification</A></H2> | |
60 | <P>This software security report provides an analysis of possible | |
6a921799 | 61 | security concerns for the Common UNIX Printing System ("CUPS") Version |
551d3a88 | 62 | 1.1.</P> |
e2e7c96e | 63 | <H2><A NAME="1_2">1.2 System Overview</A></H2> |
64 | <P>CUPS provides a portable printing layer for UNIX®-based operating | |
4ce43341 | 65 | systems. It has been developed by <A HREF="http://www.easysw.com">Easy |
66 | Software Products</A> to promote a standard printing solution for all | |
67 | UNIX vendors and users. CUPS provides the System V and Berkeley | |
1aee2644 | 68 | command-line interfaces. </P> |
e2e7c96e | 69 | <P>CUPS uses the Internet Printing Protocol ("IPP") as the basis for |
4ce43341 | 70 | managing print jobs and queues. The Line Printer Daemon ("LPD"), Server |
71 | Message Block ("SMB"), and AppSocket (a.k.a. JetDirect) protocols are | |
72 | also supported with reduced functionality. CUPS adds network printer | |
73 | browsing and PostScript Printer Description ("PPD") based printing | |
74 | options to support real-world printing under UNIX. </P> | |
e2e7c96e | 75 | <P>CUPS also includes a customized version of GNU Ghostscript |
4ce43341 | 76 | (currently based off GNU Ghostscript 5.50) and an image file RIP that |
77 | are used to support non-PostScript printers. Sample drivers for HP and | |
78 | EPSON printers are included that use these filters. </P> | |
e2e7c96e | 79 | <H2><A NAME="1_3">1.3 Document Overview</A></H2> |
80 | <P>This software security report is organized into the following | |
6a921799 | 81 | sections:</P> |
82 | <UL> | |
e2e7c96e | 83 | <LI>1 - Scope</LI> |
84 | <LI>2 - References</LI> | |
85 | <LI>3 - Local Access Risks</LI> | |
86 | <LI>4 - Remote Access Risks</LI> | |
87 | <LI>A - Glossary</LI> | |
6a921799 | 88 | </UL> |
e2e7c96e | 89 | <H1><A NAME="2">2 References</A></H1> |
90 | <H2><A NAME="2_1">2.1 CUPS Documentation</A></H2> | |
91 | <P>The following CUPS documentation is referenced by this document: </P> | |
6a921799 | 92 | <UL> |
e2e7c96e | 93 | <LI>CUPS-CMP-1.1: CUPS Configuration Management Plan </LI> |
94 | <LI>CUPS-IDD-1.1: CUPS System Interface Design Description </LI> | |
b7da08c2 | 95 | <LI>CUPS-IPP-1.1: CUPS Implementation of IPP </LI> |
e2e7c96e | 96 | <LI>CUPS-SAM-1.1.x: CUPS Software Administrators Manual </LI> |
97 | <LI>CUPS-SDD-1.1: CUPS Software Design Description </LI> | |
98 | <LI>CUPS-SPM-1.1.x: CUPS Software Programming Manual </LI> | |
99 | <LI>CUPS-SSR-1.1: CUPS Software Security Report </LI> | |
100 | <LI>CUPS-STP-1.1: CUPS Software Test Plan </LI> | |
101 | <LI>CUPS-SUM-1.1.x: CUPS Software Users Manual </LI> | |
102 | <LI>CUPS-SVD-1.1: CUPS Software Version Description </LI> | |
6a921799 | 103 | </UL> |
e2e7c96e | 104 | <H2><A NAME="2_2">2.2 Other Documents</A></H2> |
105 | <P>The following non-CUPS documents are referenced by this document: </P> | |
6a921799 | 106 | <UL> |
551d3a88 | 107 | <LI><A HREF="http://partners.adobe.com/asn/developer/PDFS/TN/5003.PPD_Spec_v4.3.pdf"> |
e2e7c96e | 108 | Adobe PostScript Printer Description File Format Specification, |
551d3a88 | 109 | Version 4.3.</A></LI> |
110 | <LI><A HREF="http://partners.adobe.com/asn/developer/PDFS/TN/PLRM.pdf"> | |
e2e7c96e | 111 | Adobe PostScript Language Reference, Third Edition.</A></LI> |
112 | <LI>IPP: Job and Printer Set Operations </LI> | |
113 | <LI>IPP/1.1: Encoding and Transport </LI> | |
114 | <LI>IPP/1.1: Implementers Guide </LI> | |
115 | <LI>IPP/1.1: Model and Semantics </LI> | |
116 | <LI><A HREF="http://www.ietf.org/rfc/rfc1179.txt">RFC 1179, Line | |
551d3a88 | 117 | Printer Daemon Protocol</A></LI> |
e2e7c96e | 118 | <LI><A HREF="http://www.ietf.org/rfc/rfc2567.txt">RFC 2567, Design |
551d3a88 | 119 | Goals for an Internet Printing Protocol</A></LI> |
e2e7c96e | 120 | <LI><A HREF="http://www.ietf.org/rfc/rfc2568.txt">RFC 2568, Rationale |
551d3a88 | 121 | for the Structure of the Model and Protocol</A> for the Internet |
122 | Printing Protocol</LI> | |
e2e7c96e | 123 | <LI><A HREF="http://www.ietf.org/rfc/rfc2569.txt">RFC 2569, Mapping |
551d3a88 | 124 | between LPD and IPP Protocols</A></LI> |
e2e7c96e | 125 | <LI><A HREF="http://www.ietf.org/rfc/rfc2616.txt">RFC 2616, Hypertext |
551d3a88 | 126 | Transfer Protocol -- HTTP/1.1</A></LI> |
e2e7c96e | 127 | <LI><A HREF="http://www.ietf.org/rfc/rfc2617.txt">RFC 2617, HTTP |
551d3a88 | 128 | Authentication: Basic and Digest Access</A> Authentication </LI> |
6a921799 | 129 | </UL> |
e2e7c96e | 130 | <H1><A NAME="3">3 Local Access Risks</A></H1> |
131 | <P>Local access risks are those that can be exploited only with a local | |
132 | user account. This section does not address issues related to | |
9da2dc55 | 133 | dissemination of the root password or other security issues associated |
134 | with the UNIX operating system. </P> | |
e2e7c96e | 135 | <H2><A NAME="3_1">3.1 Security Breaches</A></H2> |
136 | <P>There is one known security vulnerability with local access: </P> | |
78021ed9 | 137 | <OL> |
e2e7c96e | 138 | <LI>Device URIs are passed to backend filters in argv[0] and in an |
78021ed9 | 139 | environment variable. Since device URIs can contain usernames and |
140 | passwords it may be possible for a local user to gain access to a | |
f63a2256 | 141 | remote resource. </LI> |
e2e7c96e | 142 | <P>We recommend that any password-protected accounts used for remote |
78021ed9 | 143 | printing have limited access privileges so that the possible damages |
144 | can be minimized. </P> | |
e2e7c96e | 145 | <P>The device URI is "sanitized" (the username and password are |
78021ed9 | 146 | removed) when sent to an IPP client so that a remote user cannot |
147 | exploit this vulnerability. </P> | |
78021ed9 | 148 | </OL> |
e2e7c96e | 149 | <H1><A NAME="4">4 Remote Access Risks</A></H1> |
150 | <P>Remote access risks are those that can be exploited without a local | |
9da2dc55 | 151 | user account and/or from a remote system. This section does not address |
152 | issues related to network or firewall security. </P> | |
e2e7c96e | 153 | <H2><A NAME="4_1">4.1 Denial of Service Attacks</A></H2> |
154 | <P>Like all Internet services, the CUPS server is vulnerable to denial | |
9da2dc55 | 155 | of service attacks, including: </P> |
156 | <OL> | |
e2e7c96e | 157 | <LI>Establishing multiple connections to the server until the server |
f63a2256 | 158 | will accept no more. </LI> |
e2e7c96e | 159 | <P>This cannot be protected against by the current software. It is |
9da2dc55 | 160 | possible that future versions of the CUPS software could be configured |
161 | to limit the number of connections allowed from a single host, however | |
551d3a88 | 162 | that still would not prevent a distributed attack. </P> |
e2e7c96e | 163 | <LI>Repeatedly opening and closing connections to the server as fast |
f63a2256 | 164 | as possible. </LI> |
e2e7c96e | 165 | <P>There is no easy way of protecting against this in the CUPS |
9da2dc55 | 166 | software. If the attack is coming from outside the local network it |
167 | might be possible to filter such an attack, however once the | |
168 | connection request has been received by the server it must at least | |
169 | accept the connection to find out who is connecting. </P> | |
e2e7c96e | 170 | <LI>Flooding the network with broadcast packets on port 631. </LI> |
171 | <P>It might be possible to disable browsing if this condition is | |
9da2dc55 | 172 | detected by the CUPS software, however if there are large numbers of |
173 | printers available on the network such an algorithm might think that | |
174 | an attack was occurring when instead a valid update was being | |
175 | received. </P> | |
e2e7c96e | 176 | <LI>Sending partial IPP requests; specifically, sending part of an |
f63a2256 | 177 | attribute value and then stopping transmission. </LI> |
e2e7c96e | 178 | <P>The current code is structured to read and write the IPP request |
9da2dc55 | 179 | data on-the-fly, so there is no easy way to protect against this for |
180 | large attribute values. </P> | |
e2e7c96e | 181 | <LI>Sending large/long print jobs to printers, preventing other users |
f63a2256 | 182 | from printing. </LI> |
e2e7c96e | 183 | <P>There are limited facilities for protecting against large print |
9da2dc55 | 184 | jobs (the <CODE>MaxRequestSize</CODE> attribute), however this will |
185 | not protect printers from malicious users and print files that | |
186 | generate hundreds or thousands of pages. In general, we recommend | |
187 | restricting printer access to known hosts or networks, and adding | |
188 | user-level access control as needed for expensive printers. </P> | |
9da2dc55 | 189 | </OL> |
e2e7c96e | 190 | <H2><A NAME="4_2">4.2 Security Breaches</A></H2> |
191 | <P>The current CUPS server supports Basic, Digest, and local | |
4ce43341 | 192 | certificate authentication: </P> |
193 | <OL> | |
e2e7c96e | 194 | <LI>Basic authentication essentially places the clear text of the |
4ce43341 | 195 | username and password on the network. Since CUPS uses the UNIX |
196 | username and password account information, the authentication | |
197 | information could be used to gain access to accounts (possibly | |
198 | privileged accounts) on the server. </LI> | |
e2e7c96e | 199 | <LI>Digest authentication uses an MD5 checksum of the username, |
4ce43341 | 200 | password, and domain ("CUPS"), so the original username and password |
201 | are not sent over the network. However, the current implementation does | |
202 | not authenticate the entire message and uses the client's IP address | |
203 | for the nonce value, making it possible to launch "man in the middle" | |
204 | and replay attacks from the same client. The next minor release of | |
205 | CUPS will support Digest authentication of the entire message body, | |
206 | effectively stopping these methods of attack. </LI> | |
e2e7c96e | 207 | <LI>Local certificate authentication passes 128-bit "certificates" |
4ce43341 | 208 | that identify an authenticated user. Certificates are created |
209 | on-the-fly from random data and stored in files under <CODE> | |
210 | /etc/cups/certs</CODE>. They have restricted read permissions: root + | |
211 | system for the root certificate, and lp + system for CGI certificates. | |
212 | Because certificates are only available on the local system, the CUPS | |
213 | server does not accept local authentication unless the client is | |
214 | connected to the localhost address (127.0.0.1). </LI> | |
215 | </OL> | |
e2e7c96e | 216 | <P>The default CUPS configuration disables remote administration. We do |
217 | not recommend that remote administration be enabled for all hosts. | |
551d3a88 | 218 | However, if you have a trusted network or subnet, access can be |
4ce43341 | 219 | restricted accordingly. Also, we highly recommend using Digest |
551d3a88 | 220 | authentication when possible. Unfortunately, most web browsers do not |
4ce43341 | 221 | support Digest authentication at this time. </P> |
e2e7c96e | 222 | <H1 TYPE="A" VALUE="1"><A NAME="5">A Glossary</A></H1> |
223 | <H2><A NAME="5_1">A.1 Terms</A></H2> | |
4ce43341 | 224 | <DL> |
e2e7c96e | 225 | <DT>C </DT> |
226 | <DD>A computer language. </DD> | |
227 | <DT>parallel </DT> | |
228 | <DD>Sending or receiving data more than 1 bit at a time. </DD> | |
229 | <DT>pipe </DT> | |
230 | <DD>A one-way communications channel between two programs. </DD> | |
231 | <DT>serial </DT> | |
232 | <DD>Sending or receiving data 1 bit at a time. </DD> | |
233 | <DT>socket </DT> | |
234 | <DD>A two-way network communications channel. </DD> | |
4ce43341 | 235 | </DL> |
e2e7c96e | 236 | <H2><A NAME="5_2">A.2 Acronyms</A></H2> |
4ce43341 | 237 | <DL> |
e2e7c96e | 238 | <DT>ASCII </DT> |
239 | <DD>American Standard Code for Information Interchange </DD> | |
240 | <DT>CUPS </DT> | |
241 | <DD>Common UNIX Printing System </DD> | |
242 | <DT>ESC/P </DT> | |
243 | <DD>EPSON Standard Code for Printers </DD> | |
244 | <DT>FTP </DT> | |
245 | <DD>File Transfer Protocol </DD> | |
246 | <DT>HP-GL </DT> | |
247 | <DD>Hewlett-Packard Graphics Language </DD> | |
248 | <DT>HP-PCL </DT> | |
249 | <DD>Hewlett-Packard Page Control Language </DD> | |
250 | <DT>HP-PJL </DT> | |
251 | <DD>Hewlett-Packard Printer Job Language </DD> | |
252 | <DT>IETF </DT> | |
253 | <DD>Internet Engineering Task Force </DD> | |
254 | <DT>IPP </DT> | |
255 | <DD>Internet Printing Protocol </DD> | |
256 | <DT>ISO </DT> | |
257 | <DD>International Standards Organization </DD> | |
258 | <DT>LPD </DT> | |
259 | <DD>Line Printer Daemon </DD> | |
260 | <DT>MIME </DT> | |
261 | <DD>Multimedia Internet Mail Exchange </DD> | |
262 | <DT>PPD </DT> | |
263 | <DD>PostScript Printer Description </DD> | |
264 | <DT>SMB </DT> | |
265 | <DD>Server Message Block </DD> | |
266 | <DT>TFTP </DT> | |
267 | <DD>Trivial File Transfer Protocol </DD> | |
4ce43341 | 268 | </DL> |
c8475f2d | 269 | </BODY> |
270 | </HTML> |
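
Section 3.1 of the report says the device URI is "sanitized" (username and password removed) before it is sent to an IPP client. The following C sketch of that step is an added example, not code from CUPS or Easy Software Products; the function name `sanitize_device_uri` is hypothetical, the sample URIs are constructed, and it assumes that reserved characters such as `/` inside the credentials are percent-encoded.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not a CUPS function): copy `uri` into `out` with any
 * "user[:password]@" userinfo removed. Returns 0 on success, -1 on bad
 * arguments or when the result does not fit in `outsize` bytes. */
int sanitize_device_uri(const char *uri, char *out, size_t outsize)
{
    const char *auth, *end, *p, *at = NULL;
    size_t head, tail;
    if (!uri || !out || outsize == 0)
        return -1;
    /* Only "scheme://authority/..." URIs can carry userinfo. */
    auth = strstr(uri, "://");
    if (auth) {
        auth += 3;
        end = auth + strcspn(auth, "/?#");   /* end of the authority */
        /* Use the last '@' so a stray '@' in the password is also dropped. */
        for (p = auth; p < end; p++)
            if (*p == '@')
                at = p;
    }
    if (!at) {                               /* no credentials: plain copy */
        if (strlen(uri) >= outsize)
            return -1;
        strcpy(out, uri);
        return 0;
    }
    head = (size_t)(auth - uri);             /* length of "scheme://" */
    tail = strlen(at + 1);                   /* "host[:port]/path..." */
    if (head + tail >= outsize)
        return -1;
    memcpy(out, uri, head);
    memcpy(out + head, at + 1, tail + 1);    /* includes the terminating NUL */
    return 0;
}

int main(void)
{
    /* Constructed sample URIs, not taken from a real system. */
    const char *samples[] = { "smb://user:secret@server/printer",
                              "ipp://host:631/printers/lj", "parallel:/dev/lp0" };
    char buf[256];
    size_t i;
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        if (sanitize_device_uri(samples[i], buf, sizeof(buf)) == 0)
            printf("%s\n", buf);
    return 0;
}
```

The same filtering is worth applying anywhere a device URI is logged or displayed, since the report notes that the unsanitized form is visible to local users through argv[0] and the environment.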