projects / thirdparty / cups.git / blame
| Commit | Line | Data |
|---|---|---|
| 4744bd90 | 1 | <HTML> |
| 2 | <!-- SECTION: Getting Started --> | |
| 3 | <HEAD> | |
| 4 | <TITLE>Server Security</TITLE> | |
| 178cb736 | 5 | <LINK REL="STYLESHEET" TYPE="text/css" HREF="../cups-printable.css"> |
| 4744bd90 | 6 | </HEAD> |
| 7 | <BODY> | |
| 8 | ||
| 178cb736 MS |
9 | <H1 CLASS="title">Server Security</H1> |
| 10 | ||
| 4744bd90 | 11 | <P>In the default "standalone" configuration, there are few |
| 12 | potential security risks - the CUPS server does not accept remote | |
| 13 | connections, and only accepts shared printer information from the | |
| 14 | local subnet. When you share printers and/or enable remote | |
| 15 | adminstration, you expose your system to potential unauthorized | |
| 16 | access. This help page provides an analysis of possible CUPS | |
| 17 | security concerns and describes how to better secure your | |
| 18 | server.</P> | |
| 19 | ||
| 20 | <H2 CLASS="title"><A NAME="AUTHENTICATION">Authentication Issues</A></H2> | |
| 21 | ||
| 22 | <P>When you enable remote administration, the server will use | |
| 23 | Basic authentication for adminstration tasks. The current CUPS | |
| 178cb736 | 24 | server supports Basic, Digest, Kerberos, and local certificate |
| 4744bd90 | 25 | authentication:</P> |
| 26 | ||
| 27 | <OL> | |
| 28 | ||
| 29 | <LI>Basic authentication essentially places the clear | |
| 30 | text of the username and password on the network. | |
| 31 | ||
| 32 | <P>Since CUPS uses the system username and password | |
| 33 | account information, the authentication information could | |
| 34 | be used to gain access to possibly privileged accounts on | |
| 35 | the server.</P> | |
| 36 | ||
| 37 | <P><B>Recommendation:</B> Enable encryption to hide the | |
| e1d6a774 | 38 | username and password information - this is the default on |
| 39 | MacOS X and systems with GNU TLS or OpenSSL installed.</P></LI> | |
| 4744bd90 | 40 | |
| 41 | <LI>Digest authentication uses an MD5 checksum of the | |
| 42 | username, password, and domain ("CUPS"), so the original | |
| 43 | username and password is not sent over the network. | |
| 44 | ||
| 45 | <P>The current implementation does not authenticate the | |
| 46 | entire message and uses the client's IP address for the | |
| 47 | nonce value, making it possible to launch "man in the | |
| 48 | middle" and replay attacks from the same client.</P> | |
| 49 | ||
| 50 | <P><B>Recommendation:</B> Enable encryption to hide the | |
| 51 | username and password information.</P></LI></LI> | |
| 52 | ||
| 53 | <LI>Local certificate authentication passes 128-bit | |
| 54 | "certificates" that identify an authenticated user. | |
| 55 | Certificates are created on-the-fly from random data and | |
| 56 | stored in files under <VAR>/var/run/cups/certs</VAR>. | |
| 57 | They have restricted read permissions: root + | |
| e1d6a774 | 58 | system-group(s) for the root certificate, and lp + lp |
| 59 | for CGI certificates. | |
| 4744bd90 | 60 | |
| 61 | <P>Because certificates are only available on the local | |
| 62 | system, the CUPS server does not accept local | |
| 63 | authentication unless the client is connected to the | |
| 64 | loopback interface (127.0.0.1 or ::1) or domain | |
| 65 | socket.</P> | |
| 66 | ||
| 67 | <P><B>Recommendation:</B> Ensure that unauthorized users | |
| 68 | are not added to the system group(s).</P></LI></LI> | |
| 69 | ||
| 70 | </OL> | |
| 71 | ||
| 72 | <H2 CLASS="title"><A NAME="DOS">Denial of Service Attacks</A></H2> | |
| 73 | ||
| 74 | <P>When printer sharing or remote administration is enabled, the | |
| 75 | CUPS server, like all Internet services, is vulnerable to a | |
| 76 | variety of denial of service attacks:</P> | |
| 77 | ||
| 78 | <OL> | |
| 79 | ||
| 80 | <LI>Establishing multiple connections to the server until | |
| 81 | the server will accept no more. | |
| 82 | ||
| 83 | <P>This cannot be protected against by any known | |
| 84 | software. The <CODE>MaxClientsPerHost</CODE> directive | |
| 85 | can be used to configure CUPS to limit the number of | |
| 86 | connections allowed from a single host, however that does | |
| 87 | not prevent a distributed attack.</P> | |
| 88 | ||
| 89 | <P><B>Recommendation:</B> Limit access to trusted systems | |
| 90 | and networks.</P></LI> | |
| 91 | ||
| 92 | <LI>Repeatedly opening and closing connections to the | |
| 93 | server as fast as possible. | |
| 94 | ||
| 95 | <P>There is no easy way of protecting against this in the | |
| 96 | CUPS software. If the attack is coming from outside the | |
| 97 | local network, it may be possible to filter such an | |
| 98 | attack. However, once the connection request has been | |
| 99 | received by the server it must at least accept the | |
| 100 | connection to find out who is connecting.</P> | |
| 101 | ||
| 102 | <P><B>Recommendation:</B> None.</P></LI> | |
| 103 | ||
| 104 | <LI>Flooding the network with broadcast packets on port | |
| 105 | 631. | |
| 106 | ||
| 107 | <P>It might be possible to disable browsing if this | |
| 108 | condition is detected by the CUPS software, however if | |
| 109 | there are large numbers of printers available on the | |
| 110 | network such an algorithm might think that an attack was | |
| 111 | occurring when instead a valid update was being | |
| 112 | received.</P> | |
| 113 | ||
| 114 | <P><B>Recommendation:</B> Block browse packets from | |
| 115 | foreign or untrusted networks using a router or | |
| 116 | firewall.</P></LI> | |
| 117 | ||
| 118 | <LI>Sending partial IPP requests; specifically, sending | |
| 119 | part of an attribute value and then stopping | |
| 120 | transmission. | |
| 121 | ||
| 122 | <P>The current code will wait up to 1 second before | |
| 123 | timing out the partial value and closing the connection. | |
| 124 | This will slow the server responses to valid requests and | |
| 125 | may lead to dropped browsing packets, but will otherwise | |
| 126 | not affect the operation of the server.</P> | |
| 127 | ||
| 128 | <P><B>Recommendation:</B> Block IPP packets from foreign | |
| 129 | or untrusted networks using a router or | |
| 130 | firewall.</P></LI> | |
| 131 | ||
| 132 | <LI>Sending large/long print jobs to printers, preventing | |
| 133 | other users from printing. | |
| 134 | ||
| 135 | <P>There are limited facilities for protecting against | |
| 136 | large print jobs (the <CODE>MaxRequestSize</CODE> | |
| 137 | attribute), however this will not protect printers from | |
| 138 | malicious users and print files that generate hundreds or | |
| 139 | thousands of pages.</P> | |
| 140 | ||
| 141 | <P><B>Recommendation:</B> Restrict printer access to | |
| 142 | known hosts or networks, and add user-level access | |
| 143 | controls as needed for expensive printers.</P></LI> | |
| 144 | ||
| 145 | </OL> | |
| 146 | ||
| 147 | <H2 CLASS="title"><A NAME="ENCRYPTION">Encryption Issues</A></H2> | |
| 148 | ||
| 149 | <P>CUPS supports 128-bit SSL 3.0 and TLS 1.0 encryption of | |
| 150 | network connections via the OpenSSL, GNU TLS, and CDSA encryption | |
| 151 | libraries. In additional to the potential security issues posed | |
| 152 | by the SSL and TLS protocols, CUPS currently has the following | |
| 153 | additional issue:</P> | |
| 154 | ||
| 155 | <OL> | |
| 156 | ||
| 157 | <LI>Certification validation/revocation; currently CUPS | |
| 158 | does not validate or revoke server or client certificates | |
| 159 | when establishing a secure connection. This can | |
| 160 | potentially lead to "man in the middle" and | |
| 161 | impersonation/spoofing attacks over unsecured networks. | |
| 162 | Future versions of CUPS will support both validation and | |
| 163 | revocation of server certificates. | |
| 164 | ||
| 165 | <P><B>Recommendation:</B> Do not depend on encryption for | |
| 166 | security when connecting to servers over the Internet or | |
| 167 | untrusted WAN links.</P></LI> | |
| 168 | ||
| 169 | </OL> | |
| 170 | ||
| 171 | </BODY> | |
| 172 | </HTML> |