<HTML>
<!-- SECTION: Getting Started -->
<HEAD>
  <TITLE>Server Security</TITLE>
  <LINK REL="STYLESHEET" TYPE="text/css" HREF="../cups-printable.css">
</HEAD>
<BODY>

<H1 CLASS="title">Server Security</H1>

<P>In the default "standalone" configuration, there are few
potential security risks - the CUPS server does not accept remote
connections, and only accepts shared printer information from the
local subnet. When you share printers and/or enable remote
administration, you expose your system to potential unauthorized
access. This help page provides an analysis of possible CUPS
security concerns and describes how to better secure your
server.</P>

<H2 CLASS="title"><A NAME="AUTHENTICATION">Authentication Issues</A></H2>

<P>When you enable remote administration, the server will use Basic authentication for administration tasks. The current CUPS server supports Basic, Kerberos, and local certificate authentication:</P>

<OL>

  <LI>Basic authentication essentially places the clear
  text of the username and password on the network.

  <P>Since CUPS uses the system username and password
  account information, the authentication information could
  be used to gain access to possibly privileged accounts on
  the server.</P>

  <P><B>Recommendation:</B> Enable encryption to hide the
  username and password information - this is the default on
  macOS and systems with GNU TLS installed.</P></LI>

  <LI>Local certificate authentication passes 128-bit
  "certificates" that identify an authenticated user.
  Certificates are created on-the-fly from random data and
  stored in files under <VAR>/var/run/cups/certs</VAR>.
  They have restricted read permissions: root +
  system-group(s) for the root certificate, and lp + lp
  for CGI certificates.

  <P>Because certificates are only available on the local
  system, the CUPS server does not accept local
  authentication unless the client is connected to the
  loopback interface (127.0.0.1 or ::1) or domain
  socket.</P>

  <P><B>Recommendation:</B> Ensure that unauthorized users
  are not added to the system group(s).</P></LI>

</OL>

<H2 CLASS="title"><A NAME="DOS">Denial of Service Attacks</A></H2>

<P>When printer sharing or remote administration is enabled, the
CUPS server, like all Internet services, is vulnerable to a
variety of denial of service attacks:</P>

<OL>

  <LI>Establishing multiple connections to the server until
  the server will accept no more.

  <P>This cannot be protected against by any known
  software. The <CODE>MaxClientsPerHost</CODE> directive
  can be used to configure CUPS to limit the number of
  connections allowed from a single host, however that does
  not prevent a distributed attack.</P>

  <P><B>Recommendation:</B> Limit access to trusted systems
  and networks.</P></LI>

  <LI>Repeatedly opening and closing connections to the
  server as fast as possible.

  <P>There is no easy way of protecting against this in the
  CUPS software. If the attack is coming from outside the
  local network, it may be possible to filter such an
  attack. However, once the connection request has been
  received by the server it must at least accept the
  connection to find out who is connecting.</P>

  <P><B>Recommendation:</B> None.</P></LI>

  <LI>Sending partial IPP requests; specifically, sending
  part of an attribute value and then stopping
  transmission.

  <P>The current code will wait up to 1 second before
  timing out the partial value and closing the connection.
  This will slow the server responses to valid requests and
  may lead to dropped browsing packets, but will otherwise
  not affect the operation of the server.</P>

  <P><B>Recommendation:</B> Block IPP packets from foreign
  or untrusted networks using a router or
  firewall.</P></LI>

  <LI>Sending large/long print jobs to printers, preventing
  other users from printing.

  <P>There are limited facilities for protecting against
  large print jobs (the <CODE>MaxRequestSize</CODE>
  attribute), however this will not protect printers from
  malicious users and print files that generate hundreds or
  thousands of pages.</P>

  <P><B>Recommendation:</B> Restrict printer access to
  known hosts or networks, and add user-level access
  controls as needed for expensive printers.</P></LI>

</OL>

<H2 CLASS="title"><A NAME="ENCRYPTION">Encryption Issues</A></H2>

<P>CUPS supports 128-bit TLS encryption of network connections via the GNU TLS library, macOS Security framework, and Windows Schannel APIs. Secure deployment of TLS depends on proper certificate management and software maintenance.</P>

</BODY>
</HTML>
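The recommendations above can be checked mechanically against a cupsd.conf file. The following Python check is an added example, not part of the CUPS documentation or source; its sample configuration is constructed and the function names parse and audit are hypothetical. It assumes the cupsd.conf directives Listen, Port, DefaultEncryption, Encryption, AuthType and Allow alongside the MaxClientsPerHost and MaxRequestSize directives named on this page.

```python
import re

# Constructed sample cupsd.conf, used only for this demonstration.
SAMPLE_CONF = """\
Listen localhost:631
Listen 192.168.1.10:631
DefaultEncryption IfRequested
MaxRequestSize 0
<Location />
  Allow all
</Location>
<Location /admin>
  AuthType Basic
  Require user @SYSTEM
  Allow 192.168.1.0/24
</Location>
"""
LOCAL = ("localhost", "127.0.0.1", "[::1]", "/")  # "/" prefix = domain socket path

def parse(conf):
    """Return (global directives, {location path: directives}) as (name, value) lists."""
    glob, locs, cur = [], {}, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        opened = re.match(r"<Location\s+([^>]+)>$", line, re.I)
        if opened:
            cur = locs.setdefault(opened.group(1), [])
        elif line.lower() == "</location>":
            cur = None
        elif line and not line.startswith("<"):  # <Policy>/<Limit> tags are skipped
            name, value = (line.split(None, 1) + [""])[:2]
            (glob if cur is None else cur).append((name.lower(), value.strip().lower()))
    return glob, locs

def audit(conf):
    """List the settings in conf that go against the recommendations above."""
    glob, locs = parse(conf)
    g, out = dict(glob), []
    remote = any(n == "port" or (n == "listen" and not v.startswith(LOCAL)) for n, v in glob)
    if not remote:
        return out  # loopback/domain socket only: the "standalone" case
    weak_default = g.get("defaultencryption") in ("never", "ifrequested")
    for path, directives in locs.items():
        d = dict(directives)
        enc = d.get("encryption")
        if d.get("authtype", "none") != "none" and (
                enc in ("never", "ifrequested") or (enc is None and weak_default)):
            out.append(f"{path}: authentication allowed without required encryption")
        if any(v in ("all", "from all") for n, v in directives if n == "allow"):
            out.append(f"{path}: 'Allow all' on a remotely reachable server")
    if "maxclientsperhost" not in g:
        out.append("MaxClientsPerHost is not set explicitly")
    if g.get("maxrequestsize", "0") == "0":
        out.append("MaxRequestSize is 0 or unset, so request size is not limited")
    return out
```

Calling audit(SAMPLE_CONF) reports four findings; a configuration that listens only on the loopback interface or domain socket reports none.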