This software security report provides an analysis of possible security concerns for the Common UNIX Printing System ("CUPS") Version 1.1.
CUPS provides a portable printing layer for UNIX®-based operating systems. It has been developed by Easy Software Products to promote a standard printing solution for all UNIX vendors and users. CUPS provides the System V and Berkeley command-line interfaces.
CUPS uses the Internet Printing Protocol ("IPP") as the basis for managing print jobs and queues. The Line Printer Daemon ("LPD"), Server Message Block ("SMB"), and AppSocket (a.k.a. JetDirect) protocols are also supported with reduced functionality. CUPS adds network printer browsing and PostScript Printer Description ("PPD") based printing options to support real-world printing under UNIX.
CUPS includes an image file RIP that supports printing of image files to non-PostScript printers. A customized version of GNU Ghostscript 7.05 for CUPS called ESP Ghostscript is available separately to support printing of PostScript files within the CUPS driver framework. Sample drivers for Dymo, EPSON, HP, and OKIDATA printers are included that use these filters.
Drivers for thousands of printers are provided with our ESP Print Pro software, available at:
http://www.easysw.com/printpro/
CUPS is licensed under the GNU General Public License and GNU Library General Public License. Please contact Easy Software Products for commercial support and "binary distribution" rights.
This software security report is organized into the following sections:
The following CUPS documentation is referenced by this document:
The following non-CUPS documents are referenced by this document:
Local access risks are those that can be exploited only with a local user account. This section does not address issues related to dissemination of the root password or other security issues associated with the UNIX operating system.
There is one known security vulnerability with local access:
We recommend that any password-protected accounts used for remote printing have limited access privileges so that the possible damages can be minimized.
The device URI is "sanitized" (the username and password are removed) when sent to an IPP client so that a remote user cannot exploit this vulnerability.
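The sanitization described above, sketched as an added example (this is not CUPS source code): a hypothetical `sanitize_device_uri()` helper strips the `user:password@` part of a device URI before the URI is handed to a client. The URI in `main()` is a constructed sample value.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not a CUPS function: copy uri into out with any
 * "user:password@" userinfo removed from the authority component.
 * Returns 0 on success, -1 on bad arguments or if out is too small.
 * Assumes reserved characters inside credentials are percent-encoded. */
int sanitize_device_uri(const char *uri, char *out, size_t outlen)
{
    const char *colon, *auth, *end, *at = NULL, *p;
    size_t prefix, rest;

    if (!uri || !out || outlen == 0)
        return -1;

    /* Only "scheme://..." URIs carry an authority that can hold userinfo. */
    colon = strchr(uri, ':');
    if (!colon || strncmp(colon, "://", 3) != 0) {
        if (strlen(uri) >= outlen)
            return -1;
        strcpy(out, uri);               /* e.g. "parallel:/dev/lp0" */
        return 0;
    }
    auth = colon + 3;
    end = auth + strcspn(auth, "/?#");  /* authority stops at path/query/fragment */

    /* Take the last '@' in the authority so nothing before the host survives. */
    for (p = auth; p < end; p++)
        if (*p == '@')
            at = p;

    prefix = (size_t)(auth - uri);      /* length of "scheme://" */
    p = at ? at + 1 : auth;             /* host[:port] and everything after it */
    rest = strlen(p);
    if (prefix + rest >= outlen)
        return -1;                      /* fail closed rather than truncate */
    memcpy(out, uri, prefix);
    memcpy(out + prefix, p, rest + 1);  /* +1 copies the terminating NUL */
    return 0;
}

int main(void)
{
    char buf[256];
    /* Constructed sample device URI. */
    if (sanitize_device_uri("smb://printuser:s3cret@fileserver/laser", buf, sizeof(buf)) == 0)
        puts(buf);
    return 0;
}
```

An `@` that appears only in the path is left untouched, and a too-small output buffer produces an error instead of a truncated URI.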
Remote access risks are those that can be exploited without a local user account and/or from a remote system. This section does not address issues related to network or firewall security.
Like all Internet services, the CUPS server is vulnerable to denial of service attacks, including:
Starting with CUPS 1.1.18, the MaxClientsPerHost directive provides limited protection against DoS attacks; however, it is not effective against large-scale distributed attacks.
There is no easy way of protecting against this in the CUPS software. If the attack is coming from outside the local network it might be possible to filter such an attack, however once the connection request has been received by the server it must at least accept the connection to find out who is connecting.
It might be possible to disable browsing if this condition is detected by the CUPS software, however if there are large numbers of printers available on the network such an algorithm might think that an attack was occurring when instead a valid update was being received.
The current code is structured to read and write the IPP request data on-the-fly, so there is no easy way to protect against this for large attribute values.
There are limited facilities for protecting against large print jobs (the MaxRequestSize attribute), however this will not protect printers from malicious users and print files that generate hundreds or thousands of pages. In general, we recommend restricting printer access to known hosts or networks, and adding user-level access control as needed for expensive printers.
The current CUPS server supports Basic, Digest, and local certificate authentication:
/etc/cups/certs. They have restricted read permissions: root + system for the root certificate, and lp + system for CGI certificates. Because certificates are only available on the local system, the CUPS server does not accept local authentication unless the client is connected to the localhost address (127.0.0.1).
The default CUPS configuration disables remote administration. We do not recommend that remote administration be enabled for all hosts. However, if you have a trusted network or subnet, access can be restricted accordingly. Also, we highly recommend using Digest authentication when possible. Unfortunately, most web browsers do not support Digest authentication at this time.