Q Is PaperCut impacted by the Shellshock vulnerability?
We have detailed information on this subject on our dedicated GNU Bash Vulnerability page.
Q Is PaperCut affected by the SSL/TLS “FREAK” attack (CVE-2015-0204)?
The “FREAK” attack allows a malicious man-in-the-middle to downgrade the strength of encryption used. This vulnerability applies to some SSL/TLS implementations. PaperCut uses recent versions of the Java platform, which are not vulnerable to the FREAK attack.
Customers running versions prior to version 14 should upgrade their servers, as later versions contain a more recent version of Java.
Q Is PaperCut affected by the SSL 3.0 “Poodle” vulnerability (otherwise known as CVE-2014-3566)?
SSL 3.0 is an older protocol, now superseded by TLS. It will generally only be used when both the web server and the client cannot use a more recent TLS protocol. These days, this scenario is becoming less and less common. For example, users would need to be on a browser no more recent than Internet Explorer 6. It is possible, however, that a man-in-the-middle attacker could intercept the protocol negotiation and force a downgrade to SSL 3.0.
In the case of HTTPS connections to the PaperCut server, TLS is always used if the client permits; however, SSL 3.0 will be negotiated if TLS is not supported by the client.
Some customers may prefer to prevent the PaperCut server from accepting SSL 3.0 incoming connections altogether. This may be achieved using any build above PaperCut NG & MF 14.3 build (29819). Add the following line to your server.properties file and restart the application server:
Take care and test thoroughly if you are running a fleet of MFD devices with PaperCut MF. Whilst some MFDs do not support all TLS versions, most will support TLS v1.0. It is possible that some older MFDs may require SSL 3.0, and the above configuration change will block HTTPS connections from these devices.
More information on Poodle can be found here:
Q Is PaperCut affected by the OpenSSL “Heartbleed” vulnerability (otherwise known as CVE-2014-0160)?
Neither PaperCut MF nor PaperCut NG is affected by the Heartbleed issue, as neither product uses OpenSSL libraries. The PaperCut.com website is also not impacted as it uses a version of OpenSSL that does not contain the vulnerability.
We do suggest using a standalone OpenSSL utility in some cases for key and certificate generation. This utility is not impacted by the Heartbleed vulnerability.
There is more general information about Heartbleed here: http://heartbleed.com/
Q Does PaperCut store any passwords?
User authentication is performed by the operating system - usually via a directory service such as Active Directory or LDAP. PaperCut does not store any user passwords and instead interrogates the directory service in real-time. Caching or storing passwords is regarded as a security risk. The only exceptions to this rule are the built-in admin user account and PaperCut internal accounts.
The built-in admin password is stored in a one-way salted hashed format in the server.properties file. This account is kept separate from the directory user accounts, ensuring that administrator level login is still possible even during a directory outage.
Internal user passwords are stored in the PaperCut database as a one-way hash in line with security best practice - a BCrypt sum factored from a combination of username + password + a salt. This use of a secure one-way hash ensures that users’ passwords are kept private even if someone has access to the PaperCut database.
In addition, PaperCut also encrypts all users’ Personal Identification Numbers used to secure card numbers.
Q How does PaperCut authenticate with Active Directory?
Communication between the PaperCut server and Active Directory (AD) is provided and secured by the Windows operating system. PaperCut calls the AD API on the local Windows system, and the PaperCut software does not collect passwords over the network to any remote server, as this is handled by AD itself.
PaperCut does not store any user passwords and instead interrogates the directory service in real-time, as caching or storing passwords is regarded as a security risk. The only exceptions to this rule are the built-in admin user account and PaperCut internal accounts, which are covered above.
Q What level of encryption does PaperCut use?
Client-server communication of sensitive data is conducted over an SSL link - this is an equivalent level of encryption to that used by a web browser connected on an https:// website.
Q A security analysis tool (e.g. a PCI Compliance Scan) is reporting that PaperCut is configured to accept weak ciphers. How can I address this?
This topic is addressed in detail in the knowledge base article: SSL Cipher Configuration - removing weak ciphers.
Q I am going to use Popup Authentication. What should I consider?
Popup authentication is an auxiliary authentication method and in general should not be used in preference to a protocol-level authentication system. Popup authentication (IP session based authentication) and its security considerations are discussed in detail in the KB article Considerations When Using Popup Authentication.
Q Does PaperCut use HttpOnly secured cookies?
Yes. As of version 11.2, all session ID information stored in cookies is marked as HttpOnly to help mitigate the risk associated with some XSS attacks.
Q Can I open port 9191/9192 to the world?
Best practice suggests not exposing any services to the Internet unless required. Having said that, we have designed PaperCut to be secure and with the intention of our users opening the HTTPS port 9192 to the Internet to facilitate services such as:
- Remote administration
- Allowing end-users to login from home to check balances and add credit/quota to their accounts
We have a number of large University/College sites that have opened up PaperCut’s port to the Internet since 2005. It is recommended to open port 9192 (the SSL port) rather than the plain text port 9191.
Q Are PaperCut and its associated executables given the minimum permissions needed for operation? Is the concept of least privilege upheld?
Yes. On Windows, Mac, Novell and Linux, PaperCut has been designed to run under non-privileged accounts. Key security processes on Linux that need to run with elevated privileges, such as those used for user authentication, are run “out of process” so that these higher privileges are isolated at the process level. On Windows, PaperCut runs its main process as the SYSTEM account with local access only (no network resource access).
Q How can I restrict access to the XML Web Service APIs?
Two levels of access control are provided for the web services APIs. The first is that any call needs to pass a valid authentication token (usually the built-in admin user’s password). All calls not passing this will be rejected. The second level of security is IP address level filtering. By default PaperCut will only allow calls from localhost (127.0.0.1), and optionally this can be extended to other servers by manually granting that server’s IP address. Valid IP addresses/ranges are defined under the Options section.
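The two levels described above, written out as an added illustration in Python (this is not PaperCut's code). The function names, the token value and the 10.1.0.0/16 range are assumptions made for the example; only the localhost default comes from the text.

```python
import hmac
import ipaddress

# Default described above: only localhost may call the API.
DEFAULT_ALLOWED = ("127.0.0.1",)

def parse_allowlist(entries):
    """Parse addresses and CIDR ranges; a bare address becomes a single-host network."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries if e.strip()]

def normalise_peer(addr):
    """Parse the caller's address, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d)
    so a dual-stack listener still matches IPv4 allowlist entries."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip

def authorise_call(peer_addr, presented_token, expected_token, allowed=DEFAULT_ALLOWED):
    """Return (allowed, reason); a call must pass both levels."""
    # Level 1: authentication token, compared in constant time.
    if not hmac.compare_digest(presented_token.encode(), expected_token.encode()):
        return False, "invalid authentication token"
    # Level 2: source address must fall inside an allowed address or range.
    try:
        peer = normalise_peer(peer_addr)
    except ValueError:
        return False, "unparseable source address"
    if not any(peer in net for net in parse_allowlist(allowed)):
        return False, "source address not allowed"
    return True, "ok"

if __name__ == "__main__":
    token = "constructed-example-token"   # constructed sample value
    extra = ("127.0.0.1", "10.1.0.0/16")  # constructed allowlist
    for peer, tok, acl in [("127.0.0.1", token, DEFAULT_ALLOWED),
                           ("10.1.2.3", token, DEFAULT_ALLOWED),
                           ("10.1.2.3", token, extra),
                           ("::ffff:127.0.0.1", token, DEFAULT_ALLOWED),
                           ("127.0.0.1", "wrong", DEFAULT_ALLOWED)]:
        print(peer, authorise_call(peer, tok, token, acl))
```

Because the token is usually the built-in admin password, keeping the address list as narrow as possible limits where a leaked token can be used from.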
Q I’ve run a security scanner across PaperCut and it’s raised a warning. What does this mean?
PaperCut is in use in tens of thousands of organizations and many of them use various security analysis and scanning tools. If the issue raised is marked as “high”, please raise it with our support team. Many of these systems raise issues not pertinent to PaperCut and its print management application; however, we like to assess all on a case-by-case basis and will let you know if our developers think they require action.
Q Are administrator activities audited?
Yes. As a general rule, most major operations such as editing printer details and creating/deleting/modifying user accounts are audited. These audit records appear in the App. Log with a date, details and the user who performed the operation. Having said that, a full level system administrator with read/write file access could in theory edit data files directly to modify the audit trail. Standard limited-rights PaperCut-only administrators with access via the web interface cannot modify these records.
Q Is PaperCut certified under security standard XYZ?
Formal security certification is a new and emerging industry. PaperCut is already developed in line with leading security guidelines and practices (see Tell me about PaperCut’s security). As formal standards emerge and if there is user demand, we will consider formal certification. At the current time, we don’t have any concrete intentions. Issues such as our release-often policy and the fact that many certification standards focus on the installed setup rather than the product itself make certification difficult (e.g. PCI DSS).
Q Is PaperCut PCI Certified?
PaperCut itself does not handle any credit card transactions directly and hence PCI certification is not required/not appropriate for PaperCut itself. PaperCut interfaces with 3rd party payment gateways to handle credit card transactions (e.g. PayPal, CyberSource, Authorize.Net, etc.) and all credit card gateways/providers supported by PaperCut are PCI DSS certified. When a user makes a payment they are directed through to the provider’s “hosted pay page” and credit card details are entered on their website directly. Please follow this link for more detail on PaperCut and PCI DSS v3.
Q Is PaperCut susceptible to SQL Injection attacks?
Our coding standard and design policies are designed to limit this type of attack. All database queries in PaperCut are developed using parameterized SQL. This means that PaperCut never directly builds the SQL statement using data provided by the user (e.g. search terms entered in fields). All SQL parameters are handled by the underlying database library which means that PaperCut is not susceptible to SQL injection attacks.
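The difference between building SQL from a search term and binding it as a parameter, as an added example using Python's sqlite3 module (not PaperCut's code or schema). The table, usernames and search terms are constructed for the illustration.

```python
import sqlite3

def make_db():
    """In-memory table of constructed sample users."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, balance REAL)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", 12.5), ("bob", 3.0), ("o'brien", 7.25)])
    return db

def search_concatenated(db, term):
    """Anti-pattern: the search term is spliced into the SQL text."""
    sql = "SELECT username FROM users WHERE username = '" + term + "' ORDER BY username"
    return [row[0] for row in db.execute(sql)]

def search_parameterized(db, term):
    """The term is bound as a value, so the database library never parses it as SQL."""
    sql = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in db.execute(sql, (term,))]

def compare(term):
    """Run both forms on one search term; report rows returned or the error raised."""
    db = make_db()
    try:
        concatenated = search_concatenated(db, term)
    except sqlite3.Error as exc:
        concatenated = "error: " + type(exc).__name__
    return concatenated, search_parameterized(db, term)

if __name__ == "__main__":
    for term in ["alice", "o'brien", "x' OR '1'='1"]:
        print(repr(term), compare(term))
```

The concatenated form breaks on a legitimate name containing an apostrophe and returns every row for the third term, while the parameterized form treats each term purely as a value to match.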
Q What about the security of any 3rd party libraries and components used by PaperCut?
PaperCut makes use of a number of third party libraries and components. The security of these components is actively monitored by our development team and if any issues are raised, we assess the impact they may have. We take the topic of security for any 3rd party component as seriously as we do for our own code base. In some situations we have worked with the 3rd party vendors to address security issues. Another example of active 3rd party security management is the Ghost Trap project. This initiative was started by PaperCut and aims to bring best of breed security to the Ghostscript PDL interpreters.
Q Tell me about your security development practices?
More information here: Tell me about PaperCut’s security