In the default "standalone" configuration, there are few potential security risks - the CUPS server does not accept remote connections, and only accepts shared printer information from the local subnet. When you share printers and/or enable remote administration, you expose your system to potential unauthorized access. This help page provides an analysis of possible CUPS security concerns and describes how to better secure your server.
When you enable remote administration, the server will use Basic authentication for administration tasks. The current CUPS server supports Basic, Kerberos, and local certificate authentication:
Since CUPS uses the system username and password account information, the authentication information could be used to gain access to possibly privileged accounts on the server.
Recommendation: Enable encryption to hide the username and password information - this is the default on macOS and systems with GNU TLS installed.
Because certificates are only available on the local system, the CUPS server does not accept local authentication unless the client is connected to the loopback interface (127.0.0.1 or ::1) or domain socket.
Recommendation: Ensure that unauthorized users are not added to the system group(s).
When printer sharing or remote administration is enabled, the CUPS server, like all Internet services, is vulnerable to a variety of denial of service attacks:
This cannot be protected against by any known
can be used to configure CUPS to limit the number of
connections allowed from a single host, however that does
not prevent a distributed attack.
Recommendation: Limit access to trusted systems and networks.
There is no easy way of protecting against this in the CUPS software. If the attack is coming from outside the local network, it may be possible to filter such an attack. However, once the connection request has been received by the server it must at least accept the connection to find out who is connecting.
The current code will wait up to 1 second before timing out the partial value and closing the connection. This will slow the server responses to valid requests and may lead to dropped browsing packets, but will otherwise not affect the operation of the server.
Recommendation: Block IPP packets from foreign or untrusted networks using a router or firewall.
There are limited facilities for protecting against
large print jobs (the
attribute), however this will not protect printers from
malicious users and print files that generate hundreds or
thousands of pages.
Recommendation: Restrict printer access to known hosts or networks, and add user-level access controls as needed for expensive printers.
CUPS supports 128-bit TLS encryption of network connections via the GNU TLS library, macOS Security framework, and Windows Schannel APIs. Secure deployment of TLS depends on proper certificate management and software maintenance.