<HTML>
<HEAD>
<META NAME="COPYRIGHT" CONTENT="Copyright 1997-2002, All Rights Reserved">
<META NAME="DOCNUMBER" CONTENT="CUPS-SSR-1.1">
<META NAME="Author" CONTENT="Easy Software Products">
<TITLE>CUPS Software Security Report</TITLE>
</HEAD>
<BODY>

<H1>Scope</H1>

<H2>Identification</H2>

<P>This software security report provides an analysis of possible security
concerns for the Common UNIX Printing System ("CUPS") Version 1.1.</P>

<EMBED SRC="system-overview.shtml">

<H2>Document Overview</H2>

<P>This software security report is organized into the following sections:</P>

<UL>
<LI>1 - Scope</LI>
<LI>2 - References</LI>
<LI>3 - Local Access Risks</LI>
<LI>4 - Remote Access Risks</LI>
<LI>A - Glossary</LI>
</UL>

<EMBED SRC="references.shtml">

<H1>Local Access Risks</H1>

<P>Local access risks are those that can be exploited only with a local user
account. This section does not address issues related to dissemination of the
root password or other security issues associated with the UNIX operating
system.</P>

<H2>Security Breaches</H2>

<P>There is one known security vulnerability with local access:</P>

<OL>

<LI>Device URIs are passed to backend filters in argv[0] and in
an environment variable. Since device URIs can contain
usernames and passwords, it may be possible for a local user to
gain access to a remote resource.

<P>We recommend that any password-protected accounts used for
remote printing have limited access privileges so that the
possible damage can be minimized.</P>

<P>The device URI is "sanitized" (the username and password are
removed) when sent to an IPP client so that a remote user
cannot exploit this vulnerability.</P></LI>

</OL>
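<P>As an added example (not code from the CUPS project or this report), the following Python performs the same credential stripping the report describes for device URIs and uses it to audit a queue inventory for URIs whose username and password would be visible to local users through the backend's argv[0] and environment. It also handles bracketed IPv6 hosts, which the report does not discuss. The sample URIs, hosts and accounts are constructed for the example.</P>

```python
from urllib.parse import urlsplit, urlunsplit


def sanitize_device_uri(uri):
    """Strip the userinfo (username[:password]) from a device URI.

    Mirrors what the report says cupsd does before handing a device URI
    to an IPP client. Returns (clean_uri, had_credentials); the flag lets
    an audit script report which queues carry embedded credentials.
    """
    parts = urlsplit(uri)
    if parts.username is None and parts.password is None:
        return uri, False
    host = parts.hostname or ""        # note: urlsplit lower-cases the host
    if ":" in host:                    # IPv6 literal must keep its brackets
        host = f"[{host}]"
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    clean = urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))
    return clean, True


def audit_device_uris(uris):
    """Return the sanitized form of every URI that originally carried credentials.

    This is the check an administrator would run over a queue inventory
    (for example the DeviceURI lines of printers.conf) to see which remote
    accounts are exposed to local users via the backend's argv[0] and environment.
    """
    return [clean for clean, exposed in map(sanitize_device_uri, uris) if exposed]


# Constructed sample inventory; none of these hosts or accounts are real.
SAMPLE_URIS = [
    "smb://printuser:s3cret@fileserver/hpcolor",
    "lpd://lp@oldhost:515/raw",
    "ipp://printhost/printers/plain",
    "socket://[fe80::1]:9100",
]

if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        clean, exposed = sanitize_device_uri(uri)
        print(f"{'EXPOSED' if exposed else 'ok     '} {clean}")
```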

<H1>Remote Access Risks</H1>

<P>Remote access risks are those that can be exploited without a local user
account and/or from a remote system. This section does not address issues
related to network or firewall security.</P>

<H2>Denial of Service Attacks</H2>

<P>Like all Internet services, the CUPS server is vulnerable to denial of
service attacks, including:</P>

<OL>

<LI>Establishing multiple connections to the server until the server
will accept no more.

<P>This cannot be protected against by the current software. It
is possible that future versions of the CUPS software could be
configured to limit the number of connections allowed from a
single host; however, that still would not prevent a distributed
attack.</P></LI>

<LI>Repeatedly opening and closing connections to the server as fast
as possible.

<P>There is no easy way of protecting against this in the CUPS
software. If the attack is coming from outside the local
network it might be possible to filter such an attack; however,
once the connection request has been received by the server it
must at least accept the connection to find out who is
connecting.</P></LI>

<LI>Flooding the network with broadcast packets on port 631.

<P>It might be possible to disable browsing if this condition
is detected by the CUPS software; however, if there are large
numbers of printers available on the network such an algorithm
might think that an attack was occurring when instead a valid
update was being received.</P></LI>

<LI>Sending partial IPP requests; specifically, sending part of an
attribute value and then stopping transmission.

<P>The current code is structured to read and write the IPP
request data on-the-fly, so there is no easy way to protect
against this for large attribute values.</P></LI>

<LI>Sending large/long print jobs to printers, preventing other users
from printing.

<P>There are limited facilities for protecting against large print
jobs (the <CODE>MaxRequestSize</CODE> attribute); however, this will
not protect printers from malicious users and print files that
generate hundreds or thousands of pages. In general, we recommend
restricting printer access to known hosts or networks, and adding
user-level access control as needed for expensive printers.</P></LI>

</OL>

<H2>Security Breaches</H2>

<P>The current CUPS server supports Basic, Digest, and local certificate
authentication:</P>

<OL>

<LI>Basic authentication essentially places the clear text of
the username and password on the network. Since CUPS uses the
UNIX username and password account information, the
authentication information could be used to gain access to
accounts (possibly privileged accounts) on the server.</LI>

<LI>Digest authentication uses an MD5 checksum of the username,
password, and domain ("CUPS"), so the original username and
password are not sent over the network. However, the current
implementation does not authenticate the entire message and
uses the client's IP address for the nonce value, making it
possible to launch "man in the middle" and replay attacks from
the same client. The next minor release of CUPS will support
Digest authentication of the entire message body, effectively
stopping these methods of attack.</LI>

<LI>Local certificate authentication passes 128-bit
"certificates" that identify an authenticated user.
Certificates are created on-the-fly from random data and stored
in files under <CODE>/etc/cups/certs</CODE>. They have
restricted read permissions: root + system for the root
certificate, and lp + system for CGI certificates. Because
certificates are only available on the local system, the CUPS
server does not accept local authentication unless the client
is connected to the localhost address (127.0.0.1).</LI>

</OL>
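<P>As an added illustration (not code from the CUPS project or this report), the following Python models the nonce weakness described in item 2 and the standard one-time-nonce mitigation: with the Digest response computed over the username, the "CUPS" realm, the password, the method, the URI and the nonce, a nonce that is a fixed function of the client address lets one captured response verify again and again, whereas a random per-challenge nonce that the server honours exactly once rejects the second presentation. The credential table, client address and request URI are constructed values.</P>

```python
import hashlib
import secrets

REALM = "CUPS"  # the Digest domain named in the report
USERS = {"lp": "constructed-password"}  # constructed credential table


def digest_response(username, password, method, uri, nonce):
    """RFC 2069-style response MD5(A1:nonce:A2); it covers the credentials and
    request line but not the message body, which is the gap the report notes."""
    a1 = hashlib.md5(f"{username}:{REALM}:{password}".encode()).hexdigest()
    a2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{a1}:{nonce}:{a2}".encode()).hexdigest()

def verify(username, method, uri, nonce, response):
    """Server side: recompute the response from the stored password and compare."""
    password = USERS.get(username)
    if password is None:
        return False
    expected = digest_response(username, password, method, uri, nonce)
    return secrets.compare_digest(expected, response)

def ip_nonce(client_ip):
    """Weak scheme from the report: a nonce derived from the client IP never
    changes, so a captured response stays valid for that client indefinitely."""
    return hashlib.md5(client_ip.encode()).hexdigest()

def consume(outstanding, nonce):
    """Mitigation half two: honour an issued nonce exactly once. Returns True
    the first time a challenged nonce is presented and False afterwards."""
    if nonce not in outstanding:
        return False  # unknown or already used: replay rejected
    outstanding.discard(nonce)
    return True

def replay_outcomes():
    """Present one captured, valid response twice under each scheme; returns
    (weak_accepts_replay, fresh_accepts_first, fresh_accepts_replay)."""
    nonce = ip_nonce("10.0.0.5")                 # constructed client address
    resp = digest_response("lp", USERS["lp"], "POST", "/admin", nonce)
    verify("lp", "POST", "/admin", nonce, resp)  # the legitimate request
    weak_replay = verify("lp", "POST", "/admin", nonce, resp)
    nonce = secrets.token_hex(16)   # mitigation half one: fresh, unpredictable nonce
    outstanding = {nonce}           # nonces issued by the server and not yet used
    resp = digest_response("lp", USERS["lp"], "POST", "/admin", nonce)
    first = consume(outstanding, nonce) and verify("lp", "POST", "/admin", nonce, resp)
    replay = consume(outstanding, nonce) and verify("lp", "POST", "/admin", nonce, resp)
    return weak_replay, first, replay
```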

<P>The default CUPS configuration disables remote administration. We do
not recommend that remote administration be enabled for all hosts.
However, if you have a trusted network or subnet, access can be
restricted accordingly.</P>

<P>Also, we highly recommend using Digest authentication when possible.
Unfortunately, most web browsers do not support Digest authentication
at this time.</P>

<EMBED SRC="glossary.shtml">

</BODY>
</HTML>