This software security report provides an analysis of possible security
concerns for the Common UNIX Printing System ("CUPS") Version 1.1.
This software security report is organized into the following sections:
Local access risks are those that can be exploited only with a local user
account. This section does not address issues related to dissemination of the
root password or other security issues associated with the UNIX operating
There is one known security vulnerability with local access:
We recommend that any password-protected accounts used for
remote printing have limited access priviledges so that the
possible damages can be minimized.
The device URI is "sanitized" (the username and password are
removed) when sent to an IPP client so that a remote user
cannot exploit this vulnerability.
Remote access risks are those that can be exploited without a local user
account and/or from a remote system. This section does not address issues
related to network or firewall security.
Like all Internet services, the CUPS server is vulnerable to denial of
service attacks, including:
This cannot be protected against by the current software. It
is possible that future versions of the CUPS software could be
configured to limit the number of connections allowed from a
single host, however that still would not prevent a distributed
There is no easy way of protecting against this in the CUPS
software. If the attack is coming from outside the local
network it might be possible to filter such an attack, however
once the connection request has been received by the server it
must at least accept the connection to find out who is
It might be possible to disable browsing if this condition
is detected by the CUPS software, however if there are large
numbers of printers available on the network such an algorithm
might think that an attack was occurring when instead a valid
update was being received.
The current code is structured to read and write the IPP
request data on-the-fly, so there is no easy way to protect
against this for large attribute values.
There are limited facilities for protecting against large print
jobs (the MaxRequestSize attribute), however this will
not protect printers from malicious users and print files that
generate hundreds or thousands of pages. In general, we recommend
restricting printer access to known hosts or networks, and adding
user-level access control as needed for expensive printers.
The current CUPS server supports Basic, Digest, and local certificate
The default CUPS configuration disables remote administration. We do
not recommend that remote administration be enabled for all hosts.
However, if you have a trusted network or subnet, access can be
Also, we highly recommend using Digest authentication when possible.
Unfortunately, most web browsers do not support Digest authentication
at this time.