Cups vulnerability

Miguel Bazdresch lfs-01 at thewizardstower.org
Tue Jul 6 11:22:05 PDT 2004


* dienadel <no at use.this.es> [2004-07-06 20:09]:
> Hello,
> 
> I'm not sure if this post is well-posted here, but in the mailing list
> there is a note that says that "Discussion of security for LFS and BLFS has
> been transferred to hlfs-dev". Tell me if this is not the correct forum to
> change it.
> 
> OK, I have installed nessus to test my system, and the only vulnerability
> found is the following (copied from the nessus report):
> 
> *************************************************
> Vulnerability found on port ipp (631/tcp)
<snip>
> So, I don't really know how to solve the problem :-(
> 
> Any help?
> 
> BTW, I've done the test from my own PC to my own PC. If a person did
> this from an external PC, would they obtain the same results? I ask
> this because if my iptables are configured to reject all requests that
> I haven't made, CUPS wouldn't answer them, or would it?

I'm a security pseudo-expert wanna-be who has probably read too much
stuff, so scrutinize whatever I say.

Unless you have a very special configuration port 631 should never be
open to the internet. Block any accesses to this port in the INPUT chain
and corresponding interface (prob. ppp0) with iptables.

If you are sharing your printer in an internal LAN/intranet, and you
trust your users, then you're good to go. If you don't trust them you
need someone more knowledgeable than me; I'd put a dedicated print
server with nothing but cups on it running as an unprivileged user and
locked down.

From the perspective of the local machine, port 631 must be open and
listening. That is unavoidable. You can, however, block it from the
internet and from the LAN without blocking it from the local machine.
That's what I do. The key is to mix and match your chains and your
interfaces.

HTH,

-- 
Miguel Bazdresch
http://thewizardstower.org/
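Worked example, added here and not part of Miguel's reply or of the thread: an iptables INPUT ruleset implementing the "mix your chains and your interfaces" approach, accepting 631 on lo and from a trusted LAN subnet and dropping it on the internet-facing interface. The interface names ppp0 and eth0 and the subnet 192.168.1.0/24 are assumed values to adjust for your own setup.

```shell
#!/bin/sh
# Added example (not from the original thread): keep cupsd reachable on the
# local machine and a trusted LAN while dropping IPP (631/tcp+udp) on the
# internet-facing interface. Interface names and subnet are assumptions.
WAN_IF="${WAN_IF:-ppp0}"              # internet-facing interface (assumed)
LAN_IF="${LAN_IF:-eth0}"              # trusted LAN interface (assumed)
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # trusted LAN subnet (constructed)

# Print the INPUT rules for the given interfaces. Order matters: ACCEPTs
# for lo and the LAN come first, the DROPs afterwards.
cups_rules() {
    wan="$1"; lan="$2"; net="$3"
    # 1. The local machine must still reach its own cupsd: allow loopback.
    echo "iptables -A INPUT -i lo -p tcp --dport 631 -j ACCEPT"
    echo "iptables -A INPUT -i lo -p udp --dport 631 -j ACCEPT"
    # 2. Printer sharing: only clients from the trusted subnet on the LAN side.
    echo "iptables -A INPUT -i $lan -s $net -p tcp --dport 631 -j ACCEPT"
    echo "iptables -A INPUT -i $lan -s $net -p udp --dport 631 -j ACCEPT"
    # 3. Nothing from the internet side, and nothing else on 631 at all.
    echo "iptables -A INPUT -i $wan -p tcp --dport 631 -j DROP"
    echo "iptables -A INPUT -i $wan -p udp --dport 631 -j DROP"
    echo "iptables -A INPUT -p tcp --dport 631 -j DROP"
    echo "iptables -A INPUT -p udp --dport 631 -j DROP"
}

# Count the generated rules bound to one interface, to sanity-check the
# ruleset before applying it (each interface should get exactly two).
rules_for_iface() {
    cups_rules "$WAN_IF" "$LAN_IF" "$LAN_NET" | grep -c -- "-i $1 "
}

if [ "${APPLY:-0}" = "1" ]; then
    # Apply for real (needs root), then show the resulting chain.
    cups_rules "$WAN_IF" "$LAN_IF" "$LAN_NET" | sh -e
    iptables -L INPUT -n -v --line-numbers
    # Note: a scan run from the machine against itself arrives via lo and is
    # ACCEPTed, so it still reports 631 open; test from another host to see
    # the DROP on the WAN side take effect.
else
    cups_rules "$WAN_IF" "$LAN_IF" "$LAN_NET"   # review mode: print only
fi
```

Run without APPLY to review the rules, then `APPLY=1 sh cups-631.sh` as root to install them.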
