Commit | Line | Data |
---|---|---|
ef416fc2 | 1 | <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd"> |
2 | <HTML> | |
3 | <HEAD> | |
4 | <TITLE>CUPS Software Security Report</TITLE> | |
5 | <META NAME="author" CONTENT="Easy Software Products"> | |
6 | <META NAME="copyright" CONTENT="Copyright 1997-2003, All Rights Reserved"> | |
7 | <META NAME="docnumber" CONTENT="CUPS-SSR-1.2"> | |
8 | <META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=iso-8859-1"> | |
9 | <STYLE TYPE="text/css"><!-- | |
10 | BODY { font-family: serif } | |
11 | H1 { font-family: sans-serif } | |
12 | H2 { font-family: sans-serif } | |
13 | H3 { font-family: sans-serif } | |
14 | H4 { font-family: sans-serif } | |
15 | H5 { font-family: sans-serif } | |
16 | H6 { font-family: sans-serif } | |
17 | SUB { font-size: smaller } | |
18 | SUP { font-size: smaller } | |
19 | PRE { font-family: monospace } | |
20 | --></STYLE> | |
21 | </HEAD> | |
22 | <BODY> | |
23 | <CENTER><A HREF="#CONTENTS"><IMG SRC="images/cups-large.gif" BORDER="0" WIDTH="431" HEIGHT="511"><BR> | |
24 | <H1>CUPS Software Security Report</H1></A><BR> | |
25 | CUPS-SSR-1.2<BR> | |
26 | Easy Software Products<BR> | |
27 | Copyright 1997-2003, All Rights Reserved<BR> | |
28 | </CENTER> | |
29 | <HR> | |
30 | <H1 ALIGN="CENTER"><A NAME="CONTENTS">Table of Contents</A></H1> | |
31 | <BR> | |
32 | <BR><B><A HREF="#1">1 Scope</A></B> | |
33 | <UL> | |
34 | <LI><A HREF="#1_1">1.1 Identification</A></LI> | |
35 | <LI><A HREF="#1_2">1.2 System Overview</A></LI> | |
36 | <LI><A HREF="#1_3">1.3 Document Overview</A></LI> | |
37 | </UL> | |
38 | <B><A HREF="#2">2 References</A></B> | |
39 | <UL> | |
40 | <LI><A HREF="#2_1">2.1 CUPS Documentation</A></LI> | |
41 | <LI><A HREF="#2_2">2.2 Other Documents</A></LI> | |
42 | </UL> | |
43 | <B><A HREF="#3">3 Local Access Risks</A></B> | |
44 | <UL> | |
45 | <LI><A HREF="#3_1">3.1 Security Breaches</A></LI> | |
46 | </UL> | |
47 | <B><A HREF="#4">4 Remote Access Risks</A></B> | |
48 | <UL> | |
49 | <LI><A HREF="#4_1">4.1 Denial of Service Attacks</A></LI> | |
50 | <LI><A HREF="#4_2">4.2 Security Breaches</A></LI> | |
51 | </UL> | |
52 | <B><A HREF="#5">A Glossary</A></B> | |
53 | <UL> | |
54 | <LI><A HREF="#5_1">A.1 Terms</A></LI> | |
55 | <LI><A HREF="#5_2">A.2 Acronyms</A></LI> | |
56 | </UL> | |
57 | <HR> | |
58 | <H1><A NAME="1">1 Scope</A></H1> | |
59 | <H2><A NAME="1_1">1.1 Identification</A></H2> | |
60 | <P>This software security report provides an analysis of possible | |
61 | security concerns for the Common UNIX Printing System ("CUPS") Version | |
62 | 1.2.</P> | |
63 | <H2><A NAME="1_2">1.2 System Overview</A></H2> | |
64 | <P>CUPS provides a portable printing layer for UNIX®-based operating | |
65 | systems. It has been developed by<A HREF="http://www.easysw.com"> Easy | |
66 | Software Products</A> to promote a standard printing solution for all | |
67 | UNIX vendors and users. CUPS provides the System V and Berkeley | |
68 | command-line interfaces.</P> | |
69 | <P>CUPS uses the Internet Printing Protocol ("IPP") as the basis for | |
70 | managing print jobs and queues. The Line Printer Daemon ("LPD"), Server | |
71 | Message Block ("SMB"), and AppSocket (a.k.a. JetDirect) protocols are | |
72 | also supported with reduced functionality. CUPS adds network printer | |
73 | browsing and PostScript Printer Description ("PPD") based printing | |
74 | options to support real-world printing under UNIX.</P> | |
75 | <P>CUPS also includes a customized version of GNU Ghostscript (currently | |
76 | based on GNU Ghostscript 5.50) and an image file RIP that are used to | |
77 | support non-PostScript printers. Sample drivers for HP and EPSON | |
78 | printers are included that use these filters.</P> | |
79 | <H2><A NAME="1_3">1.3 Document Overview</A></H2> | |
80 | <P>This software security report is organized into the following | |
81 | sections:</P> | |
82 | <UL> | |
83 | <LI>1 - Scope</LI> | |
84 | <LI>2 - References</LI> | |
85 | <LI>3 - Local Access Risks</LI> | |
86 | <LI>4 - Remote Access Risks</LI> | |
87 | <LI>A - Glossary</LI> | |
88 | </UL> | |
89 | <H1><A NAME="2">2 References</A></H1> | |
90 | <H2><A NAME="2_1">2.1 CUPS Documentation</A></H2> | |
91 | <P>The following CUPS documentation is referenced by this document:</P> | |
92 | <UL> | |
93 | <LI>CUPS-CMP-1.2: CUPS Configuration Management Plan</LI> | |
94 | <LI>CUPS-IDD-1.2: CUPS System Interface Design Description</LI> | |
95 | <LI>CUPS-IPP-1.2: CUPS Implementation of IPP</LI> | |
96 | <LI>CUPS-SAM-1.2.x: CUPS Software Administrators Manual</LI> | |
97 | <LI>CUPS-SDD-1.2: CUPS Software Design Description</LI> | |
98 | <LI>CUPS-SPM-1.2.x: CUPS Software Programming Manual</LI> | |
99 | <LI>CUPS-SSR-1.2: CUPS Software Security Report</LI> | |
100 | <LI>CUPS-STP-1.2: CUPS Software Test Plan</LI> | |
101 | <LI>CUPS-SUM-1.2.x: CUPS Software Users Manual</LI> | |
102 | <LI>CUPS-SVD-1.2: CUPS Software Version Description</LI> | |
103 | </UL> | |
104 | <H2><A NAME="2_2">2.2 Other Documents</A></H2> | |
105 | <P>The following non-CUPS documents are referenced by this document:</P> | |
106 | <UL> | |
107 | <LI><A HREF="http://partners.adobe.com/asn/developer/PDFS/TN/5003.PPD_Spec_v4.3.pdf"> | |
108 | Adobe PostScript Printer Description File Format Specification, Version | |
109 | 4.3.</A></LI> | |
110 | <LI><A HREF="http://partners.adobe.com/asn/developer/PDFS/TN/PLRM.pdf"> | |
111 | Adobe PostScript Language Reference, Third Edition.</A></LI> | |
112 | <LI>IPP: Job and Printer Set Operations</LI> | |
113 | <LI>IPP/1.1: Encoding and Transport</LI> | |
114 | <LI>IPP/1.1: Implementers Guide</LI> | |
115 | <LI>IPP/1.1: Model and Semantics</LI> | |
116 | <LI><A HREF="http://www.ietf.org/rfc/rfc1179.txt">RFC 1179, Line Printer | |
117 | Daemon Protocol</A></LI> | |
118 | <LI><A HREF="http://www.ietf.org/rfc/rfc2567.txt">RFC 2567, Design Goals | |
119 | for an Internet Printing Protocol</A></LI> | |
120 | <LI><A HREF="http://www.ietf.org/rfc/rfc2568.txt">RFC 2568, Rationale | |
121 | for the Structure of the Model and Protocol for the Internet Printing | |
122 | Protocol</A></LI> | |
123 | <LI><A HREF="http://www.ietf.org/rfc/rfc2569.txt">RFC 2569, Mapping | |
124 | between LPD and IPP Protocols</A></LI> | |
125 | <LI><A HREF="http://www.ietf.org/rfc/rfc2616.txt">RFC 2616, Hypertext | |
126 | Transfer Protocol -- HTTP/1.1</A></LI> | |
127 | <LI><A HREF="http://www.ietf.org/rfc/rfc2617.txt">RFC 2617, HTTP | |
128 | Authentication: Basic and Digest Access Authentication</A></LI> | |
129 | </UL> | |
130 | <H1><A NAME="3">3 Local Access Risks</A></H1> | |
131 | <P>Local access risks are those that can be exploited only with a local | |
132 | user account. This section does not address issues related to | |
133 | dissemination of the root password or other security issues associated | |
134 | with the UNIX operating system.</P> | |
135 | <H2><A NAME="3_1">3.1 Security Breaches</A></H2> | |
136 | <P>There is one known security vulnerability with local access:</P> | |
137 | <OL> | |
138 | <LI>Device URIs are passed to backend filters in argv[0] and in an | |
139 | environment variable. Since device URIs can contain usernames and | |
140 | passwords it may be possible for a local user to gain access to a | |
141 | remote resource. | |
142 | <P>We recommend that any password-protected accounts used for remote | |
143 | printing have limited access privileges so that the possible damages | |
144 | can be minimized.</P> | |
145 | <P>The device URI is "sanitized" (the username and password are removed) | |
146 | when sent to an IPP client so that a remote user cannot exploit this | |
147 | vulnerability.</P> | |
148 | </LI> | |
149 | </OL> | |
150 | <H1><A NAME="4">4 Remote Access Risks</A></H1> | |
151 | <P>Remote access risks are those that can be exploited without a local | |
152 | user account and/or from a remote system. This section does not address | |
153 | issues related to network or firewall security.</P> | |
154 | <H2><A NAME="4_1">4.1 Denial of Service Attacks</A></H2> | |
155 | <P>Like all Internet services, the CUPS server is vulnerable to denial | |
156 | of service attacks, including:</P> | |
157 | <OL> | |
158 | <LI>Establishing multiple connections to the server until the server | |
159 | will accept no more. | |
160 | <P>This cannot be protected against by the current software. It is | |
161 | possible that future versions of the CUPS software could be configured | |
162 | to limit the number of connections allowed from a single host, however | |
163 | that still would not prevent a distributed attack.</P> | |
164 | <LI>Repeatedly opening and closing connections to the server as fast as | |
165 | possible. | |
166 | <P>There is no easy way of protecting against this in the CUPS software. | |
167 | If the attack is coming from outside the local network it might be | |
168 | possible to filter such an attack, however once the connection request | |
169 | has been received by the server it must at least accept the connection | |
170 | to find out who is connecting.</P> | |
171 | <LI>Flooding the network with broadcast packets on port 631. | |
172 | <P>It might be possible to disable browsing if this condition is | |
173 | detected by the CUPS software, however if there are large numbers of | |
174 | printers available on the network such an algorithm might think that an | |
175 | attack was occurring when instead a valid update was being received.</P> | |
176 | <LI>Sending partial IPP requests; specifically, sending part of an | |
177 | attribute value and then stopping transmission. | |
178 | <P>The current code is structured to read and write the IPP request data | |
179 | on-the-fly, so there is no easy way to protect against this for large | |
180 | attribute values.</P> | |
181 | <LI>Sending large/long print jobs to printers, preventing other users | |
182 | from printing. | |
183 | <P>There are limited facilities for protecting against large print jobs | |
184 | (the <CODE>MaxRequestSize</CODE> attribute), however this will not | |
185 | protect printers from malicious users and print files that generate | |
186 | hundreds or thousands of pages. In general, we recommend restricting | |
187 | printer access to known hosts or networks, and adding user-level access | |
188 | control as needed for expensive printers.</P> | |
189 | </LI> | |
190 | </LI> | |
191 | </LI> | |
192 | </LI> | |
193 | </LI> | |
194 | </OL> | |
195 | <H2><A NAME="4_2">4.2 Security Breaches</A></H2> | |
196 | <P>The current CUPS server supports Basic, Digest, and local certificate | |
197 | authentication:</P> | |
198 | <OL> | |
199 | <LI>Basic authentication essentially places the clear text of the | |
200 | username and password on the network. Since CUPS uses the UNIX username | |
201 | and password account information, the authentication information could | |
202 | be used to gain access to accounts (possibly privileged accounts) on | |
203 | the server.</LI> | |
204 | <LI>Digest authentication uses an MD5 checksum of the username, | |
205 | password, and domain ("CUPS"), so the original username and password are | |
206 | not sent over the network. However, the current implementation does not | |
207 | authenticate the entire message and uses the client's IP address for | |
208 | the nonce value, making it possible to launch "man in the middle" and | |
209 | replay attacks from the same client. The next minor release of CUPS | |
210 | will support Digest authentication of the entire message body, | |
211 | effectively stopping these methods of attack.</LI> | |
212 | <LI>Local certificate authentication passes 128-bit "certificates" that | |
213 | identify an authenticated user. Certificates are created on-the-fly | |
214 | from random data and stored in files under <CODE>/etc/cups/certs</CODE> | |
215 | . They have restricted read permissions: root + system for the root | |
216 | certificate, and lp + system for CGI certificates. Because certificates | |
217 | are only available on the local system, the CUPS server does not accept | |
218 | local authentication unless the client is connected to the localhost | |
219 | address (127.0.0.1).</LI> | |
220 | </OL> | |
221 | <P>The default CUPS configuration disables remote administration. We do | |
222 | not recommend that remote administration be enabled for all hosts. | |
223 | However, if you have a trusted network or subnet, access can be | |
224 | restricted accordingly. Also, we highly recommend using Digest | |
225 | authentication when possible. Unfortunately, most web browsers do not | |
226 | support Digest authentication at this time.</P> | |
227 | <H1 TYPE="A" VALUE="1"><A NAME="5">A Glossary</A></H1> | |
228 | <H2><A NAME="5_1">A.1 Terms</A></H2> | |
229 | <DL> | |
230 | <DT>C</DT> | |
231 | <DD>A computer language.</DD> | |
232 | <DT>parallel</DT> | |
233 | <DD>Sending or receiving data more than 1 bit at a time.</DD> | |
234 | <DT>pipe</DT> | |
235 | <DD>A one-way communications channel between two programs.</DD> | |
236 | <DT>serial</DT> | |
237 | <DD>Sending or receiving data 1 bit at a time.</DD> | |
238 | <DT>socket</DT> | |
239 | <DD>A two-way network communications channel.</DD> | |
240 | </DL> | |
241 | <H2><A NAME="5_2">A.2 Acronyms</A></H2> | |
242 | <DL> | |
243 | <DT>ASCII</DT> | |
244 | <DD>American Standard Code for Information Interchange</DD> | |
245 | <DT>CUPS</DT> | |
246 | <DD>Common UNIX Printing System</DD> | |
247 | <DT>ESC/P</DT> | |
248 | <DD>EPSON Standard Code for Printers</DD> | |
249 | <DT>FTP</DT> | |
250 | <DD>File Transfer Protocol</DD> | |
251 | <DT>HP-GL</DT> | |
252 | <DD>Hewlett-Packard Graphics Language</DD> | |
253 | <DT>HP-PCL</DT> | |
254 | <DD>Hewlett-Packard Page Control Language</DD> | |
255 | <DT>HP-PJL</DT> | |
256 | <DD>Hewlett-Packard Printer Job Language</DD> | |
257 | <DT>IETF</DT> | |
258 | <DD>Internet Engineering Task Force</DD> | |
259 | <DT>IPP</DT> | |
260 | <DD>Internet Printing Protocol</DD> | |
261 | <DT>ISO</DT> | |
262 | <DD>International Standards Organization</DD> | |
263 | <DT>LPD</DT> | |
264 | <DD>Line Printer Daemon</DD> | |
265 | <DT>MIME</DT> | |
266 | <DD>Multimedia Internet Mail Exchange</DD> | |
267 | <DT>PPD</DT> | |
268 | <DD>PostScript Printer Description</DD> | |
269 | <DT>SMB</DT> | |
270 | <DD>Server Message Block</DD> | |
271 | <DT>TFTP</DT> | |
272 | <DD>Trivial File Transfer Protocol</DD> | |
273 | </DL> | |
274 | </BODY> | |
275 | </HTML> |
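
Section 4.2 of the report says the Digest nonce is the client's IP address, which allows replay from the same client. The following is an added example, not CUPS code: it computes the RFC 2617 response (no `qop`) with such a nonce to show that the value never changes, then contrasts it with a server-minted, time-limited, single-use nonce. The nonce encoding (dotted-quad string), the HMAC-based nonce design, `SERVER_KEY`, `MAX_AGE` and the sample credentials and addresses are assumptions made for illustration; the report's own planned fix is Digest authentication of the entire message body.

```python
import hashlib, hmac, os, time

REALM = "CUPS"                 # the Digest "domain" named in the report
SERVER_KEY = os.urandom(32)    # hypothetical per-server secret for the hardened nonce
MAX_AGE = 300                  # seconds a hardened nonce stays valid (assumed policy)

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, password, method, uri, nonce):
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{user}:{REALM}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def ip_nonce(client_ip):
    """Weak scheme: nonce is a fixed function of the client address (assumed encoding)."""
    return client_ip

def _mac(ts, salt, client_ip):
    msg = f"{ts}:{salt}:{client_ip}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def fresh_nonce(client_ip, now=None):
    """Hardened scheme: timestamp + random salt, bound to the client by an HMAC."""
    ts = str(int(time.time() if now is None else now))
    salt = os.urandom(8).hex()
    return f"{ts}:{salt}:{_mac(ts, salt, client_ip)}"

def nonce_is_valid(nonce, client_ip, seen, now=None):
    """Accept a nonce once, and only if this server minted it recently."""
    now = time.time() if now is None else now
    try:
        ts, salt, mac = nonce.split(":")
        age = now - int(ts)
    except ValueError:
        return False
    if not hmac.compare_digest(mac.encode(), _mac(ts, salt, client_ip).encode()):
        return False
    if not 0 <= age <= MAX_AGE or nonce in seen:
        return False
    seen.add(nonce)
    return True

if __name__ == "__main__":
    args = ("alice", "s3cret", "POST", "/admin/")   # constructed sample values
    same = digest_response(*args, ip_nonce("192.0.2.10")) == \
           digest_response(*args, ip_nonce("192.0.2.10"))
    print("IP nonce gives an identical response on every request:", same)
    seen, n = set(), fresh_nonce("192.0.2.10")
    print("fresh nonce accepted:", nonce_is_valid(n, "192.0.2.10", seen))
    print("same nonce replayed:", nonce_is_valid(n, "192.0.2.10", seen))
```

Because the response with an IP-derived nonce depends only on values that stay constant for a given client, a server has no way to tell a new request from a resent one; the single-use check in `nonce_is_valid` is what restores that distinction.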