
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "">
<TITLE>CUPS Software Security Report</TITLE>
<META NAME="author" CONTENT="Easy Software Products">
<META NAME="copyright" CONTENT="Copyright 1997-2002, All Rights Reserved">
<META NAME="docnumber" CONTENT="CUPS-SSR-1.1">
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=iso-8859-1">
<STYLE TYPE="text/css"><!--
BODY { font-family: serif }
H1 { font-family: sans-serif }
H2 { font-family: sans-serif }
H3 { font-family: sans-serif }
H4 { font-family: sans-serif }
H5 { font-family: sans-serif }
H6 { font-family: sans-serif }
SUB { font-size: smaller }
SUP { font-size: smaller }
PRE { font-family: monospace }
--></STYLE>
<CENTER><A HREF="#CONTENTS"><IMG SRC="images/cups-large.gif" BORDER="0" WIDTH="431" HEIGHT="511"><BR>
<H1>CUPS Software Security Report</H1></A><BR>
Easy Software Products<BR>
Copyright 1997-2002, All Rights Reserved<BR>
</CENTER>
<H1 ALIGN="CENTER"><A NAME="CONTENTS">Table of Contents</A></H1>
<UL>
<LI><B><A HREF="#1">1 Scope</A></B>
<UL>
<LI><A HREF="#1_1">1.1 Identification</A></LI>
<LI><A HREF="#1_2">1.2 System Overview</A></LI>
<LI><A HREF="#1_3">1.3 Document Overview</A></LI>
</UL></LI>
<LI><B><A HREF="#2">2 References</A></B>
<UL>
<LI><A HREF="#2_1">2.1 CUPS Documentation</A></LI>
<LI><A HREF="#2_2">2.2 Other Documents</A></LI>
</UL></LI>
<LI><B><A HREF="#3">3 Local Access Risks</A></B>
<UL>
<LI><A HREF="#3_1">3.1 Security Breaches</A></LI>
</UL></LI>
<LI><B><A HREF="#4">4 Remote Access Risks</A></B>
<UL>
<LI><A HREF="#4_1">4.1 Denial of Service Attacks</A></LI>
<LI><A HREF="#4_2">4.2 Security Breaches</A></LI>
</UL></LI>
<LI><B><A HREF="#5">A Glossary</A></B>
<UL>
<LI><A HREF="#5_1">A.1 Terms</A></LI>
<LI><A HREF="#5_2">A.2 Acronyms</A></LI>
</UL></LI>
</UL>
<H1><A NAME="1">1 Scope</A></H1>
<H2><A NAME="1_1">1.1 Identification</A></H2>
<P>This software security report provides an analysis of possible
 security concerns for the Common UNIX Printing System (&quot;CUPS&quot;) Version</P>
<H2><A NAME="1_2">1.2 System Overview</A></H2>
<P>CUPS provides a portable printing layer for UNIX&reg;-based operating
 systems. It has been developed by Easy Software Products to promote a
 standard printing solution for all UNIX vendors and users. CUPS provides
 the System V and Berkeley command-line interfaces.</P>
<P>CUPS uses the Internet Printing Protocol (&quot;IPP&quot;) as the basis for
 managing print jobs and queues. The Line Printer Daemon (&quot;LPD&quot;), Server
 Message Block (&quot;SMB&quot;), and AppSocket (a.k.a. JetDirect) protocols are
 also supported with reduced functionality. CUPS adds network printer
 browsing and PostScript Printer Description (&quot;PPD&quot;) based printing
 options to support real-world printing under UNIX.</P>
<P>CUPS also includes a customized version of GNU Ghostscript (currently
 based on GNU Ghostscript 5.50) and an image file RIP that are used to
 support non-PostScript printers. Sample drivers for HP and EPSON
 printers are included that use these filters.</P>
<H2><A NAME="1_3">1.3 Document Overview</A></H2>
<P>This software security report is organized into the following
 sections:</P>
<UL>
<LI>1 - Scope</LI>
<LI>2 - References</LI>
<LI>3 - Local Access Risks</LI>
<LI>4 - Remote Access Risks</LI>
<LI>A - Glossary</LI>
</UL>
<H1><A NAME="2">2 References</A></H1>
<H2><A NAME="2_1">2.1 CUPS Documentation</A></H2>
<P>The following CUPS documentation is referenced by this document:</P>
<UL>
<LI>CUPS-CMP-1.1: CUPS Configuration Management Plan</LI>
<LI>CUPS-IDD-1.1: CUPS System Interface Design Description</LI>
<LI>CUPS-IPP-1.1: CUPS Implementation of IPP</LI>
<LI>CUPS-SAM-1.1.x: CUPS Software Administrators Manual</LI>
<LI>CUPS-SDD-1.1: CUPS Software Design Description</LI>
<LI>CUPS-SPM-1.1.x: CUPS Software Programming Manual</LI>
<LI>CUPS-SSR-1.1: CUPS Software Security Report</LI>
<LI>CUPS-STP-1.1: CUPS Software Test Plan</LI>
<LI>CUPS-SUM-1.1.x: CUPS Software Users Manual</LI>
<LI>CUPS-SVD-1.1: CUPS Software Version Description</LI>
</UL>
<H2><A NAME="2_2">2.2 Other Documents</A></H2>
<P>The following non-CUPS documents are referenced by this document:</P>
<UL>
<LI>Adobe PostScript Printer Description File Format Specification, Version</LI>
<LI>Adobe PostScript Language Reference, Third Edition.</LI>
<LI>IPP: Job and Printer Set Operations</LI>
<LI>IPP/1.1: Encoding and Transport</LI>
<LI>IPP/1.1: Implementers Guide</LI>
<LI>IPP/1.1: Model and Semantics</LI>
<LI>RFC 1179, Line Printer Daemon Protocol</LI>
<LI>RFC 2567, Design Goals for an Internet Printing Protocol</LI>
<LI>RFC 2568, Rationale for the Structure of the Model and Protocol for the
 Internet Printing Protocol</LI>
<LI>RFC 2569, Mapping between LPD and IPP Protocols</LI>
<LI>RFC 2616, Hypertext Transfer Protocol -- HTTP/1.1</LI>
<LI>RFC 2617, HTTP Authentication: Basic and Digest Access Authentication</LI>
</UL>
<H1><A NAME="3">3 Local Access Risks</A></H1>
<P>Local access risks are those that can be exploited only with a local
 user account. This section does not address issues related to
 dissemination of the root password or other security issues associated
 with the UNIX operating system.</P>
<H2><A NAME="3_1">3.1 Security Breaches</A></H2>
<P>There is one known security vulnerability with local access:</P>
<UL>
<LI>Device URIs are passed to backend filters in <CODE>argv[0]</CODE> and in
 an environment variable. Since device URIs can contain usernames and
 passwords, and <CODE>argv[0]</CODE> of a running backend is visible to
 other local users (for example in the process list), it may be possible
 for a local user to read those credentials and gain access to the remote
 resource.
<P>We recommend that any password-protected accounts used for remote
 printing have limited access privileges so that the possible damage is
 minimized.</P>
<P>The device URI is &quot;sanitized&quot; (the username and password are removed)
 when sent to an IPP client so that a remote user cannot exploit this</P></LI>
</UL>
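<P>To see which queues are affected and what the sanitization described above
 does, the following added example (not CUPS code and not part of this
 report) scans a constructed <CODE>printers.conf</CODE> fragment for device
 URIs that embed a password and strips the user information the way an IPP
 client should see it. The queue names, hosts and credentials are made up;
 the <CODE>&lt;Printer&gt;</CODE>/<CODE>DeviceURI</CODE> directives follow the
 <CODE>printers.conf</CODE> format, and the environment variable CUPS uses
 for the URI is <CODE>DEVICE_URI</CODE>.</P>

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample in the /etc/cups/printers.conf format; no real host,
# queue or credential appears here.
PRINTERS_CONF = """\
<Printer office>
Info Office printer
DeviceURI smb://printadmin:s3cret@fileserver/office
State Idle
</Printer>
<Printer lab>
DeviceURI socket://192.0.2.10:9100
</Printer>
<DefaultPrinter colour>
DeviceURI ipp://lp:p%40ss@printhost:631/printers/colour
</DefaultPrinter>
"""


def sanitize_device_uri(uri):
    """Return the URI with any user:password@ removed.

    This mirrors the sanitization the report describes for URIs sent to IPP
    clients. The backend process still gets the full URI in argv[0] and in
    the DEVICE_URI environment variable, which is the local exposure.
    """
    parts = urlsplit(uri)
    if parts.username is None and parts.password is None:
        return uri
    host = parts.hostname or ""
    if ":" in host:                      # IPv6 literal: hostname drops the brackets
        host = "[" + host + "]"
    if parts.port is not None:
        host = "%s:%d" % (host, parts.port)
    return urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))


def credentialed_queues(conf_text):
    """Return (queue name, device URI) for every queue whose URI embeds a password."""
    found = []
    queue = None
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("<Printer ") or line.startswith("<DefaultPrinter "):
            queue = line.split(None, 1)[1].rstrip(">")
        elif line.startswith("DeviceURI "):
            uri = line.split(None, 1)[1]
            if urlsplit(uri).password is not None:
                found.append((queue, uri))
    return found


def report(conf_text=PRINTERS_CONF):
    """Map each credentialed queue to the sanitized URI a remote client would see."""
    return {q: sanitize_device_uri(u) for q, u in credentialed_queues(conf_text)}


if __name__ == "__main__":
    for queue, uri in credentialed_queues(PRINTERS_CONF):
        print("%-8s exposes credentials in %s" % (queue, uri))
        print("         sanitized: %s" % sanitize_device_uri(uri))
```

<P>Run against a real <CODE>printers.conf</CODE>, the list produced by
 <CODE>credentialed_queues</CODE> is exactly the set of accounts that should
 be given the limited privileges recommended above.</P>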
<H1><A NAME="4">4 Remote Access Risks</A></H1>
<P>Remote access risks are those that can be exploited without a local
 user account and/or from a remote system. This section does not address
 issues related to network or firewall security.</P>
<H2><A NAME="4_1">4.1 Denial of Service Attacks</A></H2>
<P>Like all Internet services, the CUPS server is vulnerable to denial
 of service attacks, including:</P>
<UL>
<LI>Establishing multiple connections to the server until the server
 will accept no more.
<P>This cannot be protected against by the current software. It is
 possible that future versions of the CUPS software could be configured
 to limit the number of connections allowed from a single host; however,
 that still would not prevent a distributed attack.</P></LI>
<LI>Repeatedly opening and closing connections to the server as fast as
 possible.
<P>There is no easy way of protecting against this in the CUPS software.
 If the attack is coming from outside the local network it might be
 possible to filter such an attack; however, once the connection request
 has been received by the server it must at least accept the connection
 to find out who is connecting.</P></LI>
<LI>Flooding the network with broadcast packets on port 631.
<P>It might be possible to disable browsing if this condition is
 detected by the CUPS software; however, if there are large numbers of
 printers available on the network such an algorithm might think that an
 attack was occurring when instead a valid update was being received.</P></LI>
<LI>Sending partial IPP requests; specifically, sending part of an
 attribute value and then stopping transmission.
<P>The current code is structured to read and write the IPP request data
 on-the-fly, so the server is left waiting for the rest of the value with
 the connection open and the request half-parsed. There is no easy way to
 protect against this for large attribute values.</P></LI>
<LI>Sending large/long print jobs to printers, preventing other users
 from printing.
<P>There are limited facilities for protecting against large print jobs
 (the <CODE>MaxRequestSize</CODE> directive); however, this will not
 protect printers from malicious users and small print files that generate
 hundreds or thousands of pages. In general, we recommend restricting
 printer access to known hosts or networks, and adding user-level access
 control as needed for expensive printers.</P></LI>
</UL>
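<P>The partial-request case is easiest to understand with a parser that
 reads the IPP/1.1 encoding on the fly, as the report says the server does.
 The following added example (not CUPS code and not from this report) encodes
 a small constructed Print-Job request, parses it field by field, and then
 feeds a copy truncated in the middle of the <CODE>printer-uri</CODE> value
 through a <CODE>socketpair</CODE> standing in for the network: without a
 read timeout the server side would block in <CODE>recv</CODE> forever,
 which is the denial of service; with one it fails after a bounded wait.
 The attribute names and tag values are those of RFC 2910; the request
 contents, the timeout values and the helper names are assumptions made for
 the example.</P>

```python
import socket
import struct
from io import BytesIO

# IPP/1.1 "Encoding and Transport" (RFC 2910) values used below.
OPERATION_ATTRIBUTES_TAG = 0x01   # delimiter tags are 0x00-0x0f
END_OF_ATTRIBUTES_TAG = 0x03
TAG_INTEGER, TAG_NAME, TAG_URI = 0x21, 0x42, 0x45   # nameWithoutLanguage, uri
TAG_CHARSET, TAG_LANGUAGE = 0x47, 0x48              # charset, naturalLanguage
OP_PRINT_JOB = 0x0002


class IncompleteRequest(Exception):
    """The byte stream ended inside an IPP request."""


def encode_request(operation_id, request_id, attrs):
    """Encode a request with one operation-attributes group.
    attrs: list of (value_tag, name, value); int for TAG_INTEGER, str otherwise."""
    out = bytearray(struct.pack(">BBHI", 1, 1, operation_id, request_id))
    out.append(OPERATION_ATTRIBUTES_TAG)
    for tag, name, value in attrs:
        raw = struct.pack(">i", value) if tag == TAG_INTEGER else value.encode("utf-8")
        name_b = name.encode("utf-8")
        out += struct.pack(">BH", tag, len(name_b)) + name_b
        out += struct.pack(">H", len(raw)) + raw
    out.append(END_OF_ATTRIBUTES_TAG)
    return bytes(out)


def _read_exact(src, n):
    """Read exactly n bytes from a file-like object or a socket. A short read
    means the peer stopped mid-request; on a blocking socket with no timeout,
    recv() would simply never return and the connection would hang here."""
    recv = getattr(src, "recv", None) or src.read
    buf = b""
    while len(buf) < n:
        chunk = recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    if len(buf) != n:
        raise IncompleteRequest("wanted %d bytes, got %d" % (n, len(buf)))
    return buf


def parse_request(src):
    """Parse the header and attribute groups on the fly, as a streaming server does."""
    major, minor, op, req_id = struct.unpack(">BBHI", _read_exact(src, 8))
    attrs, name = {}, None
    while True:
        tag = _read_exact(src, 1)[0]
        if tag == END_OF_ATTRIBUTES_TAG:
            break
        if tag < 0x10:                 # start of a new attribute group
            continue
        name_len = struct.unpack(">H", _read_exact(src, 2))[0]
        if name_len:                   # name_len == 0: additional value of the previous name
            name = _read_exact(src, name_len).decode("utf-8")
        value_len = struct.unpack(">H", _read_exact(src, 2))[0]
        raw = _read_exact(src, value_len)   # the attacker stops sending in here
        value = struct.unpack(">i", raw)[0] if tag == TAG_INTEGER else raw.decode("utf-8")
        attrs.setdefault(name, []).append(value)
    return {"version": (major, minor), "operation": op, "request_id": req_id, "attrs": attrs}


# Constructed request; the printer URI and user name are made up.
SAMPLE = encode_request(OP_PRINT_JOB, 1, [
    (TAG_CHARSET, "attributes-charset", "utf-8"),
    (TAG_LANGUAGE, "attributes-natural-language", "en"),
    (TAG_URI, "printer-uri", "ipp://localhost/printers/test"),
    (TAG_NAME, "requesting-user-name", "alice"),
    (TAG_INTEGER, "copies", 3),
])
TRUNCATED = SAMPLE[:SAMPLE.index(b"ipp://") + 10]   # cut ten bytes into the URI value


def parse_bytes(data):
    return parse_request(BytesIO(data))


def incomplete_on_bytes(data):
    try:
        parse_bytes(data)
        return False
    except IncompleteRequest:
        return True


def outcome_over_socket(data, timeout):
    """Send data to a server-side socket that reads with the given timeout and
    report how the parse ends: 'ok', 'timeout' (the stall) or 'incomplete'."""
    server, client = socket.socketpair()
    try:
        server.settimeout(timeout)
        client.sendall(data)            # the client sends this and then goes quiet
        try:
            parse_request(server)
            return "ok"
        except socket.timeout:
            return "timeout"
        except IncompleteRequest:
            return "incomplete"
    finally:
        client.close()
        server.close()
```

<P>The timeout only bounds how long one connection can hold a server thread
 or process; an attacker who opens many such connections is back in the
 first case above, which is why host-based access restrictions still matter.</P>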
<H2><A NAME="4_2">4.2 Security Breaches</A></H2>
<P>The current CUPS server supports Basic, Digest, and local certificate
 authentication:</P>
<UL>
<LI>Basic authentication essentially places the clear text of the
 username and password on the network. Since CUPS uses the UNIX username
 and password account information, the authentication information could
 be used to gain access to accounts (possibly privileged accounts) on
 the server.</LI>
<LI>Digest authentication uses an MD5 checksum of the username,
 password, and realm (&quot;CUPS&quot;), so the original username and password are
 not sent over the network. However, the current implementation does not
 authenticate the entire message and uses the client's IP address for
 the nonce value, making it possible to launch &quot;man in the middle&quot; and
 replay attacks from the same client. The next minor release of CUPS
 will support Digest authentication of the entire message body,
 effectively stopping these methods of attack.</LI>
<LI>Local certificate authentication passes 128-bit &quot;certificates&quot; that
 identify an authenticated user. Certificates are created on-the-fly
 from random data and stored in files under <CODE>/etc/cups/certs</CODE>.
 They have restricted read permissions: root + system for the root
 certificate, and lp + system for CGI certificates. Because certificates
 are only available on the local system, the CUPS server does not accept
 local certificate authentication unless the client is connected to the
 localhost address (127.0.0.1).</LI>
</UL>
<P>The default CUPS configuration disables remote administration. We do
 not recommend that remote administration be enabled for all hosts.
 However, if you have a trusted network or subnet, access can be
 restricted accordingly. Also, we highly recommend using Digest
 authentication when possible. Unfortunately, most web browsers do not
 support Digest authentication at this time.</P>
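<P>The Basic and Digest weaknesses above can be seen in a few lines. The
 following added example (not CUPS code and not part of this report)
 recovers the cleartext password from a Basic <CODE>Authorization</CODE>
 header, computes the RFC 2617 Digest response for the &quot;CUPS&quot; realm, and
 uses a toy verifier to show why a nonce that is a fixed function of the
 client address lets a captured response be replayed from the same client,
 while a random single-use nonce per challenge does not. The user name,
 password, request URI, client address and the verifier class are
 assumptions made for the example; the hash construction is RFC 2617's,
 including the <CODE>auth-int</CODE> form that binds the message body.</P>

```python
import base64
import hashlib
import hmac
import os

REALM = "CUPS"                       # the realm the report says CUPS uses
USER, PASSWORD = "alice", "hunter2"  # constructed credentials


def md5hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def basic_header(user, password):
    token = base64.b64encode(("%s:%s" % (user, password)).encode("utf-8"))
    return "Basic " + token.decode("ascii")


def basic_credentials(header_value):
    """Anyone who sees the header recovers the UNIX password: Basic is not encryption."""
    scheme, _, token = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def digest_response(user, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None, body=b""):
    """RFC 2617 Digest response. qop=None is the older form with no client nonce;
    qop='auth-int' also hashes the entity body into HA2, so a replayed or
    modified body no longer verifies."""
    ha1 = md5hex("%s:%s:%s" % (user, realm, password))
    if qop == "auth-int":
        ha2 = md5hex("%s:%s:%s" % (method, uri, hashlib.md5(body).hexdigest()))
    else:
        ha2 = md5hex("%s:%s" % (method, uri))
    if qop is None:
        return md5hex("%s:%s:%s" % (ha1, nonce, ha2))
    return md5hex("%s:%s:%s:%s:%s:%s" % (ha1, nonce, nc, cnonce, qop, ha2))


class DigestVerifier:
    """Toy server side. With fixed_client_nonce=True the nonce is derived only
    from the client address (the weakness described above); otherwise each
    challenge gets a random nonce that is discarded once it has been used."""

    def __init__(self, fixed_client_nonce):
        self.fixed_client_nonce = fixed_client_nonce
        self.outstanding = set()

    def challenge(self, client_ip):
        nonce = md5hex(client_ip) if self.fixed_client_nonce else os.urandom(16).hex()
        self.outstanding.add(nonce)
        return nonce

    def verify(self, method, uri, nonce, response):
        if nonce not in self.outstanding:
            return False
        expected = digest_response(USER, REALM, PASSWORD, method, uri, nonce)
        if not hmac.compare_digest(expected, response):
            return False
        if not self.fixed_client_nonce:
            self.outstanding.discard(nonce)   # single use: a replay finds no nonce
        return True


def replay_succeeds(fixed_client_nonce, client_ip="192.0.2.7"):
    """A legitimate user authenticates once; an attacker on the same host later
    replays the captured (nonce, response) pair against a fresh challenge."""
    server = DigestVerifier(fixed_client_nonce)
    nonce = server.challenge(client_ip)
    captured = digest_response(USER, REALM, PASSWORD, "POST", "/admin", nonce)
    assert server.verify("POST", "/admin", nonce, captured)
    server.challenge(client_ip)          # the attacker's own request is challenged
    return server.verify("POST", "/admin", nonce, captured)
```

<P>Note that even the single-use nonce does not protect the password itself:
 an observer who captures a Digest exchange can still test candidate
 passwords offline against the response, so the recommendation to restrict
 administration to trusted networks applies to Digest as well.</P>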
<H1><A NAME="5">A Glossary</A></H1>
<H2><A NAME="5_1">A.1 Terms</A></H2>
<DL>
<DD>A computer language.</DD>
<DD>Sending or receiving data more than 1 bit at a time.</DD>
<DD>A one-way communications channel between two programs.</DD>
<DD>Sending or receiving data 1 bit at a time.</DD>
<DD>A two-way network communications channel.</DD>
</DL>
<H2><A NAME="5_2">A.2 Acronyms</A></H2>
<DL>
<DT>ASCII</DT>
<DD>American Standard Code for Information Interchange</DD>
<DT>CUPS</DT>
<DD>Common UNIX Printing System</DD>
<DT>ESC/P</DT>
<DD>EPSON Standard Code for Printers</DD>
<DT>FTP</DT>
<DD>File Transfer Protocol</DD>
<DT>HP-GL</DT>
<DD>Hewlett-Packard Graphics Language</DD>
<DT>HP-PCL</DT>
<DD>Hewlett-Packard Printer Command Language</DD>
<DT>HP-PJL</DT>
<DD>Hewlett-Packard Printer Job Language</DD>
<DT>IETF</DT>
<DD>Internet Engineering Task Force</DD>
<DT>IPP</DT>
<DD>Internet Printing Protocol</DD>
<DT>ISO</DT>
<DD>International Organization for Standardization</DD>
<DT>LPD</DT>
<DD>Line Printer Daemon</DD>
<DT>MIME</DT>
<DD>Multipurpose Internet Mail Extensions</DD>
<DT>PPD</DT>
<DD>PostScript Printer Description</DD>
<DT>SMB</DT>
<DD>Server Message Block</DD>
<DT>TFTP</DT>
<DD>Trivial File Transfer Protocol</DD>
</DL>