Commit | Line | Data |
---|---|---|
1 | <HTML> | |
2 | <!-- SECTION: Getting Started --> | |
3 | <HEAD> | |
4 | <TITLE>Server Security</TITLE> | |
5 | <LINK REL="STYLESHEET" TYPE="text/css" HREF="../cups-printable.css"> | |
6 | </HEAD> | |
7 | <BODY> | |
8 | ||
9 | <H1 CLASS="title">Server Security</H1> | |
10 | ||
11 | <P>In the default "standalone" configuration, there are few | |
12 | potential security risks - the CUPS server does not accept remote | |
13 | connections, and only accepts shared printer information from the | |
14 | local subnet. When you share printers and/or enable remote | |
15 | administration, you expose your system to potential unauthorized | |
16 | access. This help page provides an analysis of possible CUPS | |
17 | security concerns and describes how to better secure your | |
18 | server.</P> | |
19 | ||
20 | <H2 CLASS="title"><A NAME="AUTHENTICATION">Authentication Issues</A></H2> | |
21 | ||
22 | <P>When you enable remote administration, the server will use | |
23 | Basic authentication for administration tasks. The current CUPS | |
24 | server supports Basic, Digest, Kerberos, and local certificate | |
25 | authentication:</P> | |
26 | ||
27 | <OL> | |
28 | ||
29 | <LI>Basic authentication essentially places the clear | |
30 | text of the username and password on the network. | |
31 | ||
32 | <P>Since CUPS uses the system username and password | |
33 | account information, the authentication information could | |
34 | be used to gain access to possibly privileged accounts on | |
35 | the server.</P> | |
36 | ||
37 | <P><B>Recommendation:</B> Enable encryption to hide the | |
38 | username and password information - this is the default on | |
39 | MacOS X and systems with GNU TLS or OpenSSL installed.</P></LI> | |
40 | ||
41 | <LI>Digest authentication uses an MD5 checksum of the | |
42 | username, password, and domain ("CUPS"), so the original | |
43 | username and password are not sent over the network. | |
44 | ||
45 | <P>The current implementation does not authenticate the | |
46 | entire message and uses the client's IP address for the | |
47 | nonce value, making it possible to launch "man in the | |
48 | middle" and replay attacks from the same client.</P> | |
49 | ||
50 | <P><B>Recommendation:</B> Enable encryption to hide the | |
51 | username and password information.</P></LI> | |
52 | ||
53 | <LI>Local certificate authentication passes 128-bit | |
54 | "certificates" that identify an authenticated user. | |
55 | Certificates are created on-the-fly from random data and | |
56 | stored in files under <VAR>/var/run/cups/certs</VAR>. | |
57 | They have restricted read permissions: root + | |
58 | system-group(s) for the root certificate, and lp + lp | |
59 | for CGI certificates. | |
60 | ||
61 | <P>Because certificates are only available on the local | |
62 | system, the CUPS server does not accept local | |
63 | authentication unless the client is connected to the | |
64 | loopback interface (127.0.0.1 or ::1) or domain | |
65 | socket.</P> | |
66 | ||
67 | <P><B>Recommendation:</B> Ensure that unauthorized users | |
68 | are not added to the system group(s).</P></LI> | |
69 | ||
70 | </OL> | |
71 | ||
72 | <H2 CLASS="title"><A NAME="DOS">Denial of Service Attacks</A></H2> | |
73 | ||
74 | <P>When printer sharing or remote administration is enabled, the | |
75 | CUPS server, like all Internet services, is vulnerable to a | |
76 | variety of denial of service attacks:</P> | |
77 | ||
78 | <OL> | |
79 | ||
80 | <LI>Establishing multiple connections to the server until | |
81 | the server will accept no more. | |
82 | ||
83 | <P>This cannot be protected against by any known | |
84 | software. The <CODE>MaxClientsPerHost</CODE> directive | |
85 | can be used to configure CUPS to limit the number of | |
86 | connections allowed from a single host; however, that does | |
87 | not prevent a distributed attack.</P> | |
88 | ||
89 | <P><B>Recommendation:</B> Limit access to trusted systems | |
90 | and networks.</P></LI> | |
91 | ||
92 | <LI>Repeatedly opening and closing connections to the | |
93 | server as fast as possible. | |
94 | ||
95 | <P>There is no easy way of protecting against this in the | |
96 | CUPS software. If the attack is coming from outside the | |
97 | local network, it may be possible to filter such an | |
98 | attack. However, once the connection request has been | |
99 | received by the server it must at least accept the | |
100 | connection to find out who is connecting.</P> | |
101 | ||
102 | <P><B>Recommendation:</B> None.</P></LI> | |
103 | ||
104 | <LI>Flooding the network with broadcast packets on port | |
105 | 631. | |
106 | ||
107 | <P>It might be possible to disable browsing if this | |
108 | condition is detected by the CUPS software; however, if | |
109 | there are large numbers of printers available on the | |
110 | network such an algorithm might think that an attack was | |
111 | occurring when instead a valid update was being | |
112 | received.</P> | |
113 | ||
114 | <P><B>Recommendation:</B> Block browse packets from | |
115 | foreign or untrusted networks using a router or | |
116 | firewall.</P></LI> | |
117 | ||
118 | <LI>Sending partial IPP requests; specifically, sending | |
119 | part of an attribute value and then stopping | |
120 | transmission. | |
121 | ||
122 | <P>The current code will wait up to 1 second before | |
123 | timing out the partial value and closing the connection. | |
124 | This will slow the server responses to valid requests and | |
125 | may lead to dropped browsing packets, but will otherwise | |
126 | not affect the operation of the server.</P> | |
127 | ||
128 | <P><B>Recommendation:</B> Block IPP packets from foreign | |
129 | or untrusted networks using a router or | |
130 | firewall.</P></LI> | |
131 | ||
132 | <LI>Sending large/long print jobs to printers, preventing | |
133 | other users from printing. | |
134 | ||
135 | <P>There are limited facilities for protecting against | |
136 | large print jobs (the <CODE>MaxRequestSize</CODE> | |
137 | attribute); however, this will not protect printers from | |
138 | malicious users and print files that generate hundreds or | |
139 | thousands of pages.</P> | |
140 | ||
141 | <P><B>Recommendation:</B> Restrict printer access to | |
142 | known hosts or networks, and add user-level access | |
143 | controls as needed for expensive printers.</P></LI> | |
144 | ||
145 | </OL> | |
146 | ||
147 | <H2 CLASS="title"><A NAME="ENCRYPTION">Encryption Issues</A></H2> | |
148 | ||
149 | <P>CUPS supports 128-bit SSL 3.0 and TLS 1.0 encryption of | |
150 | network connections via the OpenSSL, GNU TLS, and CDSA encryption | |
151 | libraries. In addition to the potential security issues posed | |
152 | by the SSL and TLS protocols, CUPS currently has the following | |
153 | additional issue:</P> | |
154 | ||
155 | <OL> | |
156 | ||
157 | <LI>Certificate validation/revocation; currently CUPS | |
158 | does not validate or revoke server or client certificates | |
159 | when establishing a secure connection. This can | |
160 | potentially lead to "man in the middle" and | |
161 | impersonation/spoofing attacks over unsecured networks. | |
162 | Future versions of CUPS will support both validation and | |
163 | revocation of server certificates. | |
164 | ||
165 | <P><B>Recommendation:</B> Do not depend on encryption for | |
166 | security when connecting to servers over the Internet or | |
167 | untrusted WAN links.</P></LI> | |
168 | ||
169 | </OL> | |
170 | ||
171 | </BODY> | |
172 | </HTML> |
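
The Digest authentication item above says the nonce is the client's IP address, which allows replay from the same client. The following is an added example, not CUPS code: a small model that compares an address-derived nonce with a random one-time nonce. The RFC 2617 field layout, the class names, and the constructed user, password, address and URI are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

REALM = "CUPS"  # the "domain" named on the page

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, password, nonce, method, uri):
    """RFC 2617 response without qop; the request body is not covered."""
    ha1 = md5_hex(f"{user}:{REALM}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

class IpNonceServer:
    """Hypothetical model of the weakness: the nonce is the client address."""
    def __init__(self, users):
        self.users = users
    def challenge(self, client_ip):
        return client_ip
    def nonce_ok(self, client_ip, nonce):
        return nonce == client_ip
    def verify(self, client_ip, user, nonce, method, uri, response):
        if not self.nonce_ok(client_ip, nonce) or user not in self.users:
            return False
        good = digest_response(user, self.users[user], nonce, method, uri)
        return hmac.compare_digest(good, response)

class OneTimeNonceServer(IpNonceServer):
    """Hardened model: random nonce, bound to the address, usable once."""
    def __init__(self, users):
        super().__init__(users)
        self.issued = {}  # nonce -> address it was issued to
    def challenge(self, client_ip):
        nonce = secrets.token_hex(16)
        self.issued[nonce] = client_ip
        return nonce
    def nonce_ok(self, client_ip, nonce):
        # pop() consumes the nonce, so a second use of the same header fails
        return self.issued.pop(nonce, None) == client_ip

def replay_accepted(server, ip="192.0.2.10"):
    """Constructed exchange: a valid request, then the same header again."""
    nonce = server.challenge(ip)
    args = (ip, "alice", nonce, "POST", "/admin/",
            digest_response("alice", "s3cret", nonce, "POST", "/admin/"))
    return server.verify(*args) and server.verify(*args)
```

With the address-derived nonce the second, identical header still verifies. With the one-time nonce it is rejected, because the nonce was consumed by the first request.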