3 <META NAME="COPYRIGHT" CONTENT="Copyright 1997-2003, All Rights Reserved">
4 <META NAME="DOCNUMBER" CONTENT="CUPS-SSR-1.2">
5 <META NAME="Author" CONTENT="Easy Software Products">
6 <TITLE>CUPS Software Security Report</TITLE>
12 <H2>Identification</H2>
14 <P>This software security report provides an analysis of possible security
15 concerns for the Common UNIX Printing System ("CUPS") Version 1.2.</P>
17 <EMBED SRC="system-overview.shtml">
19 <H2>Document Overview</H2>
21 <P>This software security report is organized into the following sections:</P>
25 <LI>2 - References</LI>
26 <LI>3 - Local Access Risks</LI>
27 <LI>4 - Remote Access Risks</LI>
31 <EMBED SRC="references.shtml">
33 <H1>Local Access Risks</H1>
35 <P>Local access risks are those that can be exploited only with a local user
36 account. This section does not address issues related to dissemination of the
37 root password or other security issues associated with the UNIX operating
40 <H2>Security Breaches</H2>
42 <P>There is one known security vulnerability with local access:
46 <LI>Device URIs are passed to backend filters in argv[0] and in
47 an environment variable. Since device URIs can contain
48 usernames and passwords it may be possible for a local user to
49 gain access to a remote resource.
51 <P>We recommend that any password-protected accounts used for
52 remote printing have limited access priviledges so that the
53 possible damages can be minimized.
55 <P>The device URI is "sanitized" (the username and password are
56 removed) when sent to an IPP client so that a remote user
57 cannot exploit this vulnerability.
61 <H1>Remote Access Risks</H1>
63 <P>Remote access risks are those that can be exploited without a local user
64 account and/or from a remote system. This section does not address issues
65 related to network or firewall security.
67 <H2>Denial of Service Attacks</H2>
69 <P>Like all Internet services, the CUPS server is vulnerable to denial of
70 service attacks, including:
74 <LI>Establishing multiple connections to the server until the server
77 <P>This cannot be protected against by the current software. It
78 is possible that future versions of the CUPS software could be
79 configured to limit the number of connections allowed from a
80 single host, however that still would not prevent a distributed
83 <LI>Repeatedly opening and closing connections to the server as fast
86 <P>There is no easy way of protecting against this in the CUPS
87 software. If the attack is coming from outside the local
88 network it might be possible to filter such an attack, however
89 once the connection request has been received by the server it
90 must at least accept the connection to find out who is
93 <LI>Flooding the network with broadcast packets on port 631.
95 <P>It might be possible to disable browsing if this condition
96 is detected by the CUPS software, however if there are large
97 numbers of printers available on the network such an algorithm
98 might think that an attack was occurring when instead a valid
99 update was being received.
101 <LI>Sending partial IPP requests; specifically, sending part of an
102 attribute value and then stopping transmission.
104 <P>The current code is structured to read and write the IPP
105 request data on-the-fly, so there is no easy way to protect
106 against this for large attribute values.
108 <LI>Sending large/long print jobs to printers, preventing other users
111 <P>There are limited facilities for protecting against large print
112 jobs (the <CODE>MaxRequestSize</CODE> attribute), however this will
113 not protect printers from malicious users and print files that
114 generate hundreds or thousands of pages. In general, we recommend
115 restricting printer access to known hosts or networks, and adding
116 user-level access control as needed for expensive printers.
120 <H2>Security Breaches</H2>
122 <P>The current CUPS server supports Basic, Digest, and local certificate
127 <LI>Basic authentication essentially places the clear text of
128 the username and password on the network. Since CUPS uses the
129 UNIX username and password account information, the
130 authentication information could be used to gain access to
131 accounts (possibly priviledged accounts) on the server.
133 <LI>Digest authentication uses an MD5 checksum of the username,
134 password, and domain ("CUPS"), so the original username and
135 password is not sent over the network. However, the current
136 implementation does not authenticate the entire message and
137 uses the client's IP address for the nonce value, making it
138 possible to launch "man in the middle" and replay attacks from
139 the same client. The next minor release of CUPS will support
140 Digest authentication of the entire message body, effectively
141 stopping these methods of attack.
143 <LI>Local certificate authentication passes 128-bit
144 "certificates" that identify an authenticated user.
145 Certificates are created on-the-fly from random data and stored
146 in files under <CODE>/etc/cups/certs</CODE>. They have
147 restricted read permissions: root + system for the root
148 certificate, and lp + system for CGI certificates. Because
149 certificates are only available on the local system, the CUPS
150 server does not accept local authentication unless the client
151 is connected to the localhost address (127.0.0.1.)
155 <P>The default CUPS configuration disables remote administration. We do
156 not recommend that remote administration be enabled for all hosts.
157 However, if you have a trusted network or subnet, access can be
158 restricted accordingly.
160 Also, we highly recommend using Digest authentication when possible.
161 Unfortunately, most web browsers do not support Digest authentication
164 <EMBED SRC="glossary.shtml">
projects / thirdparty / cups.git / blob