<HTML>
<!-- SECTION: Getting Started -->
<HEAD>
<TITLE>Server Security</TITLE>
</HEAD>
<BODY>

<P>In the default "standalone" configuration, there are few
potential security risks - the CUPS server does not accept remote
connections, and only accepts shared printer information from the
local subnet. When you share printers and/or enable remote
administration, you expose your system to potential unauthorized
access. This help page provides an analysis of possible CUPS
security concerns and describes how to better secure your
server.</P>

<H2 CLASS="title"><A NAME="AUTHENTICATION">Authentication Issues</A></H2>

<P>When you enable remote administration, the server will use
Basic authentication for administration tasks. The current CUPS
server supports Basic, Digest, and local certificate
authentication:</P>

<OL>

<LI>Basic authentication essentially places the clear
text of the username and password on the network.

<P>Since CUPS uses the system username and password
account information, the authentication information could
be used to gain access to possibly privileged accounts on
the server.</P>

<P><B>Recommendation:</B> Enable encryption to hide the
username and password information.</P></LI>

<LI>Digest authentication uses an MD5 checksum of the
username, password, and domain ("CUPS"), so the original
username and password are not sent over the network.

<P>The current implementation does not authenticate the
entire message and uses the client's IP address for the
nonce value, making it possible to launch "man in the
middle" and replay attacks from the same client.</P>

<P><B>Recommendation:</B> Enable encryption to hide the
username and password information.</P></LI>

<LI>Local certificate authentication passes 128-bit
"certificates" that identify an authenticated user.
Certificates are created on-the-fly from random data and
stored in files under <VAR>/var/run/cups/certs</VAR>.
They have restricted read permissions: root +
system-group(s) for the root certificate, and lp +
system-group(s) for CGI certificates.

<P>Because certificates are only available on the local
system, the CUPS server does not accept local
authentication unless the client is connected to the
loopback interface (127.0.0.1 or ::1) or domain
socket.</P>

<P><B>Recommendation:</B> Ensure that unauthorized users
are not added to the system group(s).</P></LI>

</OL>
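
<P>The replay weakness described for Digest authentication above, as an added example that is not CUPS code: a model verifier whose nonce is a fixed function of the client address accepts the same response twice, while one that issues a random single-use nonce rejects the second copy. The class names, the sample account, the request line and the choice of the address string itself as the nonce are assumptions made for illustration.</P>

```python
import hashlib
import hmac
import secrets

REALM = "CUPS"  # the page names "CUPS" as the Digest domain
USERS = {"alice": "constructed-password"}  # constructed sample account

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, password, nonce, method, uri):
    """RFC 2069 style MD5(HA1:nonce:HA2); the request body is not covered."""
    ha1 = md5_hex(f"{user}:{REALM}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

class IpNonceVerifier:
    """Weak model: the nonce is a fixed function of the client address."""
    def challenge(self, client_ip):
        return client_ip  # assumption: the nonce string is the address itself

    def verify(self, nonce, user, method, uri, response):
        want = digest_response(user, USERS[user], nonce, method, uri)
        return hmac.compare_digest(want, response)

class FreshNonceVerifier(IpNonceVerifier):
    """Hardened model: random nonce, accepted once, then discarded."""
    def __init__(self):
        self.outstanding = set()

    def challenge(self, client_ip):
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, nonce, user, method, uri, response):
        if nonce not in self.outstanding:
            return False  # unknown or already used: the replay is rejected
        self.outstanding.discard(nonce)
        return super().verify(nonce, user, method, uri, response)

def replay_outcomes(verifier):
    """Present one response twice; return the (first, second) verdicts."""
    nonce = verifier.challenge("192.0.2.10")
    captured = digest_response("alice", USERS["alice"], nonce, "POST", "/admin/")
    return (verifier.verify(nonce, "alice", "POST", "/admin/", captured),
            verifier.verify(nonce, "alice", "POST", "/admin/", captured))
```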

<H2 CLASS="title"><A NAME="DOS">Denial of Service Attacks</A></H2>

<P>When printer sharing or remote administration is enabled, the
CUPS server, like all Internet services, is vulnerable to a
variety of denial of service attacks:</P>

<OL>

<LI>Establishing multiple connections to the server until
the server will accept no more.

<P>This cannot be protected against by any known
software. The <CODE>MaxClientsPerHost</CODE> directive
can be used to configure CUPS to limit the number of
connections allowed from a single host; however, that does
not prevent a distributed attack.</P>

<P><B>Recommendation:</B> Limit access to trusted systems
and networks.</P></LI>

<LI>Repeatedly opening and closing connections to the
server as fast as possible.

<P>There is no easy way of protecting against this in the
CUPS software. If the attack is coming from outside the
local network, it may be possible to filter such an
attack. However, once the connection request has been
received by the server, it must at least accept the
connection to find out who is connecting.</P>

<P><B>Recommendation:</B> None.</P></LI>

<LI>Flooding the network with broadcast packets on port
631.

<P>It might be possible to disable browsing if this
condition is detected by the CUPS software; however, if
there are large numbers of printers available on the
network, such an algorithm might think that an attack was
occurring when instead a valid update was being
received.</P>

<P><B>Recommendation:</B> Block browse packets from
foreign or untrusted networks using a router or
firewall.</P></LI>

<LI>Sending partial IPP requests; specifically, sending
part of an attribute value and then stopping
transmission.

<P>The current code will wait up to 1 second before
timing out the partial value and closing the connection.
This will slow the server responses to valid requests and
may lead to dropped browsing packets, but will otherwise
not affect the operation of the server.</P>

<P><B>Recommendation:</B> Block IPP packets from foreign
or untrusted networks using a router or
firewall.</P></LI>

<LI>Sending large/long print jobs to printers, preventing
other users from printing.

<P>There are limited facilities for protecting against
large print jobs (the <CODE>MaxRequestSize</CODE>
attribute); however, this will not protect printers from
malicious users and print files that generate hundreds or
thousands of pages.</P>

<P><B>Recommendation:</B> Restrict printer access to
known hosts or networks, and add user-level access
controls as needed for expensive printers.</P></LI>

</OL>
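
<P>One way to check a <CODE>cupsd.conf</CODE> against the recommendations in the two sections above, as an added example that is not part of CUPS: it flags Basic authentication without <CODE>Encryption Required</CODE>, locations open to all hosts, and missing <CODE>MaxClientsPerHost</CODE> or <CODE>MaxRequestSize</CODE> limits. The sample configuration is constructed, and the function names and finding strings are assumptions of this example.</P>

```python
# Constructed sample, not a real server's configuration.
SAMPLE_CONF = """\
Port 631
MaxRequestSize 0
<Location /admin>
  AuthType Basic
  Order deny,allow
  Allow from all
</Location>
<Location /printers>
  Order deny,allow
  Deny from all
  Allow from 192.0.2.0/24
</Location>
"""

def parse(conf_text):
    """Map scope (None = global, else Location path) to [(directive, value)]."""
    scopes, current = {None: []}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("<location"):
            current = line[len("<location"):].strip(" \t>")
            scopes[current] = []
        elif line.lower().startswith("</location"):
            current = None
        else:
            name, value = (line.split(None, 1) + [""])[:2]
            scopes[current].append((name.lower(), value.strip().lower()))
    return scopes

def audit(conf_text):
    """Return findings for the settings this page's recommendations rely on."""
    scopes, findings = parse(conf_text), []
    top = dict(scopes[None])
    if "maxclientsperhost" not in top:
        findings.append("global: MaxClientsPerHost not set explicitly")
    if top.get("maxrequestsize", "0") == "0":  # 0 or unset: no size limit
        findings.append("global: MaxRequestSize is unlimited")
    for path, items in scopes.items():
        if path is None:
            continue
        d = dict(items)
        if d.get("authtype") == "basic" and d.get("encryption") != "required":
            findings.append(f"{path}: Basic authentication without Encryption Required")
        if any(n == "allow" and v in ("all", "from all") for n, v in items):
            findings.append(f"{path}: access allowed from all hosts")
    return findings
```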

<H2 CLASS="title"><A NAME="ENCRYPTION">Encryption Issues</A></H2>

<P>CUPS supports 128-bit SSL 3.0 and TLS 1.0 encryption of
network connections via the OpenSSL, GNU TLS, and CDSA encryption
libraries. In addition to the potential security issues posed
by the SSL and TLS protocols, CUPS currently has the following
additional issue:</P>

<OL>

<LI>Certificate validation/revocation; currently CUPS
does not validate or revoke server or client certificates
when establishing a secure connection. This can
potentially lead to "man in the middle" and
impersonation/spoofing attacks over unsecured networks.
Future versions of CUPS will support both validation and
revocation of server certificates.

<P><B>Recommendation:</B> Do not depend on encryption for
security when connecting to servers over the Internet or
untrusted WAN links.</P></LI>

</OL>

</BODY>
</HTML>