National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme Validation Report for PrinterLogic Web Stack Server Report Number: CCEVS-VR-VID11000-2019 Dated: November 27, 2019 Version: 1.0 National Institute of Standards and Technology National Security Agency Information Technology Laboratory Information Assurance Directorate 100 Bureau Drive 9800 Savage Road STE 6740 Gaithersburg, MD 20899 Fort George G. Meade, MD 20755-6740 ® TM VALIDATION REPORT PrinterLogic Web Stack Server ii Table of Contents 1 Executive Summary...................................................................................................................2 2 Identification..............................................................................................................................4 2.1 Threats ..............................................................................................................................4 2.2 Assumptions......................................................................................................................4 2.3 Organizational Security Policies.......................................................................................5 3 Architectural Information ..........................................................................................................6 4 Clarification of Scope ................................................................................................................7 5 Security Policy...........................................................................................................................8 5.1 Cryptographic Support......................................................................................................8 5.2 User Data Protection.........................................................................................................8 5.3 Security Management .......................................................................................................8 5.4 Privacy ..............................................................................................................................8 5.5 Protection of the TSF........................................................................................................8 5.6 Trusted Path/Channels......................................................................................................9 6 Documentation.........................................................................................................................10 7 Independent Testing.................................................................................................................11 7.1 Penetration Testing .........................................................................................................13 8 Evaluated Configuration ..........................................................................................................14 9 Results of the Evaluation .........................................................................................................15 10 Validator Comments/Recommendations .................................................................................16 11 Annexes 17 12 Security Target.........................................................................................................................18 13 Abbreviations and Acronyms ..................................................................................................19 14 Bibliography ............................................................................................................................20 VALIDATION REPORT PrinterLogic Web Stack Server List of Tables Table 1: Evaluation Details............................................................................................................. 3 Table 2: ST and TOE Identification................................................................................................ 4 Table 3 TOE Security Assurance Requirements .......................................................................... 15 List of Figures Figure 1 TOE Architecture.......................................................................................................... 6 Figure 2 Test Configuration.......................................................................................................... 12 VALIDATION REPORT PrinterLogic Web Stack Server 2 1 Executive Summary This report is intended to assist the end-user of this product and any security certification agent for that end- user in determining the suitability of this Information Technology (IT) product for their environment. End- users should review the Security Target (ST), which is where specific security claims are made, in conjunction with this Validation Report (VR), which describes how those security claims were evaluated and tested and any restrictions on the evaluated configuration. Prospective users should read carefully the Assumptions and Clarification of Scope in Section 4 and the Validator Comments in Section 10, where any restrictions on the evaluated configuration are highlighted. This report documents the National Information Assurance Partnership (NIAP) assessment of the evaluation of the PrinterLogic Web Stack Server 18.3. It presents the evaluation results, their justifications, and the conformance results. This VR is not an endorsement of the Target of Evaluation (TOE) by any agency of the U.S. Government and no warranty of the TOE is either expressed or implied. This VR applies only to the specific version and configuration of the product as evaluated and as documented in the ST. The evaluation of PrinterLogic Web Stack Server was performed by Leidos Common Criteria Testing Laboratory (CCTL) in Columbia, Maryland, in the United States and was completed in November 2019. The evaluation was conducted in accordance with the requirements of the Common Criteria and Common Methodology for IT Security Evaluation (CEM), version 3.1, revision 5 and assurance activities specified in Protection Profile for Application Software, Version 1.3, 1 March 2019. The evaluation was consistent with NIAP Common Criteria Evaluation and Validation Scheme (CCEVS) policies and practices as described on their web site (www.niap-ccevs.org). The Leidos evaluation team determined that PrinterLogic Web Stack Server is conformant to the claimed Protection Profile (PP) and, when installed, configured and operated as specified in the evaluated guidance documentation, satisfies all of the security functional requirements stated in the ST. The information in this VR is largely derived from the Assurance Activities Report (AAR) and associated test report produced by the Leidos evaluation team. PrinterLogic Web Stack Server is a product that provides centralized services for user installation of print drivers as well as pull printing and cloud printing functionality. PrinterLogic Web Stack Server can be used to centrally manage direct IP printing. Printers can be added, modified (e.g. driver, port, name, duplex option), and removed from a centralized Admin Console. These changes are then provisioned to individual PrinterLogic Web Stack Client (PL Client) applications installed on user workstations in the operational environment. End users are provided a Self-Service Portal where they can install additional print drivers above and beyond those provisioned for them. They are also provided a Release Portal where held pull print jobs can be released to a selected printer. Authorizations are based on Active Directory attributes, so users may be given access (or the ability to gain access) to different printers based on role, geographic location, or other attributes. PrinterLogic Web Stack Server is evaluated as a software application only. PrinterLogic Web Stack Server contains functionality that is not covered by Protection Profile for Application Software. As with all evaluations claiming conformance to a NIAP-approved protection profile, only the functionality specified in the ST is evaluated. The validation team monitored the activities of the evaluation team, examined evaluation evidence, provided guidance on technical issues and evaluation processes, and reviewed the evaluation results produced by the evaluation team. The validation team found that the evaluation results showed that all assurance activities specified in the claimed PPs had been completed successfully and that the product satisfies all of the security functional and assurance requirements stated in the ST. Therefore the validation team concludes that the testing laboratory’s findings are accurate, the conclusions justified, and the VALIDATION REPORT PrinterLogic Web Stack Server 3 conformance results are correct. The conclusions of the testing laboratory in the evaluation technical report are consistent with the evidence produced. Table 1: Evaluation Details Item Identifier Evaluated Product PrinterLogic Web Stack Server version 18.3 Sponsor & Developer PrinterLogic, LLC 912 West 1600 South St. George, UT 84770 CCTL Leidos Common Criteria Testing Laboratory 6841 Benjamin Franklin Drive Columbia, MD 21046 Completion Date November 2019 CC Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 5, April 2017 CEM Common Methodology for Information Technology Security Evaluation: Version 3.1, Revision 5, April 2017 PP Protection Profile for Application Software, Version 1.3, 01 March 2019 Disclaimer The information contained in this Validation Report is not an endorsement either expressed or implied of PrinterLogic Web Stack. Evaluation Personnel Pascal Patin Validation Personnel Jim Donndelinger Patrick Mallett VALIDATION REPORT PrinterLogic Web Stack Server 4 2 Identification The CCEVS is a joint National Security Agency (NSA) and National Institute of Standards and Technology (NIST) effort to establish commercial facilities to perform trusted product evaluations. Under this program, security evaluations are conducted by commercial testing laboratories called Common Criteria Testing Laboratories (CCTLs) in accordance with National Voluntary Laboratory Assessment Program (NVLAP) accreditation. The NIAP Validation Body assigns Validators to monitor the CCTLs to ensure quality and consistency across evaluations. Developers of information technology products desiring a security evaluation contract with a CCTL and pay a fee for their product’s evaluation. Upon successful completion of the evaluation, the product is added to NIAP’s Product Compliant List (PCL). The following table identifies the evaluated Security Target and TOE. Table 2: ST and TOE Identification Name Description ST Title PrinterLogic Web Stack Server version 18.3 Security Target ST Version 1.0 Publication Date November 27, 2019 Vendor PrinterLogic ST Author Leidos TOE Reference PrinterLogic Web Stack TOE Software Version 18.3 Keywords Application 2.1 Threats The ST references the Protection Profile for Application Software, Version 1.3, 1 March 2019. The protection profile identifies the following threats, which the TOE and its operational environment are intended to counter:  An attacker is positioned on a communications channel or elsewhere on the network infrastructure. Attackers may engage in communications with the application software or alter communications between the application software and other endpoints in order to compromise it.  An attacker is positioned on a communications channel or elsewhere on the network infrastructure. Attackers may monitor and gain access to data exchanged between the application and other endpoints.  An attacker can act through unprivileged software on the same computing platform on which the application executes. Attackers may provide maliciously formatted input to the application in the form of files or other local communications.  An attacker may try to access sensitive data at rest. 2.2 Assumptions  The TOE relies upon a trustworthy computing platform for its execution. This includes the underlying platform and whatever runtime environment it provides to the TOE. VALIDATION REPORT PrinterLogic Web Stack Server 5  The user of the application software is not willfully negligent or hostile, and uses the software in compliance with the applied enterprise security policy.  The administrator of the application software is not careless, willfully negligent or hostile, and administers the software within compliance of the applied enterprise security policy. 2.3 Organizational Security Policies There are no Organizational Security Policies defined for the application in the PP. VALIDATION REPORT PrinterLogic Web Stack Server 6 3 Architectural Information The section describes the TOE architecture including physical and logical boundaries. Figure 1 shows the TOE in relation to its operational environment. Figure 1 TOE Architecture The PrinterLogic Web Stack TOE consists of the following component:  Web Server – a PHP application hosted on IIS The TOE consists of three subsystems: an Admin Console, which provides a graphical user interface (GUI) for administrative functions; a Self-Service Portal, which provides a GUI for end user configuration functions; a Release Portal, which provides a GUI for end users to release held pull print jobs; and a print management client configuration subsystem, which handles the storage and application of configuration settings. The TOE includes the following running processes:  CGI/FastCGI  PrinterLogic Web Stack Client Interface  PrinterLogic Web Stack Client Launcher  PrinterLogic Web Stack Client Manager VALIDATION REPORT PrinterLogic Web Stack Server 7 4 Clarification of Scope All evaluations (and all products) have limitations, as well as potential misconceptions that need clarifying. This text covers some of the more important limitations and clarifications of this evaluation. Note that: 1. As with any evaluation, this evaluation only shows that the evaluated configuration meets the security claims made, with a certain level of assurance (the assurance activities specified in the claimed PPs and performed by the evaluation team). 2. This evaluation covers only the specific software version identified in this document, and not any earlier or later versions released or in process. 3. The evaluation of security functionality of the product was limited to the functionality specified in the claimed PPs and scoped to those Security Functional Requirements (SFRs) declared in the ST. Any additional security related functional capabilities of the product were not covered by this evaluation. 4. This evaluation did not specifically search for, nor attempt to exploit, vulnerabilities that were not “obvious” or vulnerabilities to objectives not claimed in the ST. The CEM defines an “obvious” vulnerability as one that is easily exploited with a minimum of understanding of the TOE, technical sophistication and resources. 5. The following TOE functionality is specifically excluded in the ST and therefore outside the scope of this evaluation:  Installation of print drivers on client PCs.  Transmission of print job data from host platforms to target printers or other parts of the TOE operational environment.  Configuration of network settings and email servers that allow print data to be received by the TOE. VALIDATION REPORT PrinterLogic Web Stack Server 8 5 Security Policy The TOE enforces the following security policies as described in the ST. 5.1 Cryptographic Support The TOE uses NIST-validated cryptographic algorithms to secure data in transit. The TOE relies on the FIPS-validated cryptographic library cng.sys provided by Windows to perform cryptographic functionality. The TSF encrypts credential data stored by the TOE in the environmental SQL database. The TOE relies on its underlying OS platform to implement TLS/HTTPS server functionality. The TOE also relies on its underlying OS platform to provide entropy used for key generation. 5.2 User Data Protection The TSF leverages functionality provided by their underlying OS platform to secure sensitive data at rest. The TOE uses network resources provided by the underlying platform. All platform services are invoked with user awareness and authorization. The TOE uses network connectivity to handle interactive user and administrator sessions and to communicate with environmental PL Clients for the purpose of applying configuration changes and updating the status of held print jobs. 5.3 Security Management The Web Server provides an Admin Console GUI for configuration of environmental PL Client activity. Specifically, an administrator can designate a PL Client as a Service Host and configure it to work with email printing and mobile printing, thus defining the trusted channels used by a PL Client. The Web Server also provides Self-Service Portal and Release Portal GUIs that allow users to control printing activity. The Release Portal is used to release print jobs, which prompts secure communications back to environmental PL Clients (Service Hosts) to initiate the print operation. Authentication to the Web Server is performed using locally-defined credentials. On initial installation, the administrator is prompted to specify credentials to be used for the Admin Console. TOE configuration data is stored locally in the Windows Registry. 5.4 Privacy The TOE does not handle personally identifiable information (PII). 5.5 Protection of the TSF The TOE includes measures to integrate securely with its underlying OS platform. The TOE does not perform explicit memory mapping and it does not allocate any memory region with both write and execute permissions. Similarly, the TSF does not write user-modifiable data to directories that contain executable files. The TOE is compatible with its host OS platform when that platform is configured in a secure manner. The TOE is not written in a language that is susceptible to stack-based buffer overflow attacks. The TOE uses a well-defined set of platform APIs and third party libraries. The TOE provides the ability for a user/administrator to check its version and to apply updates. Updates are delivered in formats appropriate for the platform on which the TOE is installed. Application of an update VALIDATION REPORT PrinterLogic Web Stack Server 9 removes all executable code associated with the application; there is no way for the application to modify its own code. Updates the TOE are digitally signed, and the signature is validated prior to installation. 5.6 Trusted Path/Channels TOE components use trusted paths and channels to secure data in transit. The following interfaces are provided by each TOE component:  Web Server: o TLS/HTTPS server for remote user/administrator access o TLS/HTTPS server for changes to PL Client configuration data and pull printing status VALIDATION REPORT PrinterLogic Web Stack Server 10 6 Documentation PrinterLogic provides the following documents that provide information and guidance for the deployment of the TOE: PrinterLogic Web Stack Server Common Criteria Assurance Activities Report, Version 1.0, 27 November 2019 PrinterLogic Web Stack version 18.3 Common Criteria Supplemental Guidance, Version 1.0, 23 October 2019 VALIDATION REPORT PrinterLogic Web Stack Server 11 7 Independent Testing This section describes the testing efforts of the evaluation team. It is derived from information contained in the following:  PrinterLogic Web Stack Server Common Criteria Assurance Activities Report, Version 1.0, 27 November 2019 The purpose of this activity was to confirm the TOE behaves in accordance with the TOE security functional requirements as specified in the ST for a product claiming conformance to the Protection Profile for Application Software, Version 1.3, 1 March 2019. To this end, the evaluation team devised a Test Plan based on the Testing Assurance Activities specified in the above-referenced Protection Profile. The Test Plan described how each test activity was to be instantiated within the TOE test environment. The evaluation team executed the tests specified in the Test Plan and documented the results in the team test report listed above. Testing of the TOE was performed in the summer of 2019 at Leidos’s Accredited Test & Evaluation lab. The evaluators received the TOE in the form that normal customers would receive it, installed and configured the TOE in accordance with the provided guidance, and exercised the Team Test Plan on equipment configured in the testing laboratory. For the purposes of testing, the configuration depicted in Figure 2 was used for testing the TOE. Note that the TOE was tested in conjunction with VID11057. These two products are designed to function together in a production environment, although the TOE was demonstrated to meet all mandatory PP requirements as a standalone product. VALIDATION REPORT PrinterLogic Web Stack Server 12 Figure 2 Test Configuration As documented in the diagram above, the following hardware and software components were included in the evaluated configuration during testing: TOE  PrinterLogic Web Stack Windows Server Component Additional Components  PrinterLogic Web Stack Windows Client Component  PrinterLogic Web Stack Linux Client Component  PrinterLogic Web Stack Mac Client Component  Linux Test Computer running the following OS, programs and services: o Kali Linux 2019.2 rolling release o NIAP provided TLS test server tool, modified by Leidos, updated as of March 1, 2019 VALIDATION REPORT PrinterLogic Web Stack Server 13 o Leidos TLS test server tool, updated as of March 1, 2019 o OpenSSL 1.1.0 o XCA Certificate Authority 1.4.1 o OpenLDAP 2.4.46 o Wireshark 2.4.4  Active Directory Server running Windows Server 2012 R2 Given the complete set of test results from the test procedures exercised by the evaluators, the testing requirements for the Protection Profile for Application Software, Version 1.3, 1 March 2019 are fulfilled. 7.1 Penetration Testing The evaluation team conducted an open-source search for vulnerabilities in the product. The evaluator searched the internet for potential vulnerabilities in the TOE using the following sources of the publicly available information:  http://nvd.nist.gov  http://www.us-cert.gov  http://securityfocus.com The search was conducted using the following terms:  PrinterLogic  Printer Installer  TLS 1.2  OpenSSL 1.0.2h Note: In October 2019 PrinterLogic began the process of rebranding their product as PrinterLogic Web Stack which was a change from their old Printer Installer name. A vulnerability search was still conducted on Printer Installer because any vulnerabilities found prior to the fall of 2019 would have been listed under that name. Additionally, a search for PrinterLogic should cover any vulnerabilities listed under PrinterLogic Web Stack. The search was performed on September 6, 2019 and updated to check for new vulnerabilities on October 22, 2019. The open-source search did not identify any vulnerability applicable to the TOE in its evaluated configuration. No additional testing was required to verify the vulnerabilities were mitigated. VALIDATION REPORT PrinterLogic Web Stack Server 14 8 Evaluated Configuration The evaluated version of the TOE is PrinterLogic Web Stack v18.3. The TOE must be deployed as described in section 4 Assumptions of this document and must be configured in accordance with PrinterLogic Web Stack version 18.3 Common Criteria Supplemental Guidance, Version 1.0, 23 October 2019. The following TOE components were installed as part of the evaluated TOE configuration, or as part of a separate PrinterLogic product being evaluated in parallel:  PrinterLogic Web Stack Windows Server installed on Windows Server 2012 R2  PrinterLogic Web Stack Windows Client installed on Windows 10  PrinterLogic Web Stack Linux Client installed on Ubuntu 16.04  PrinterLogic Web Stack Mac Client installed on Mac OS 10.13 An Active Directory server running Windows Server 2012 R2 and a test computer with penetration testing tools and a TLS test server were also part of the operating environment. Per NIAP Publication #6 (https://www.niap-ccevs.org/Documents_and_Guidance/ccevs/scheme-pub- 6.pdf), user installation of vendor-delivered bug fixes and security patches is encouraged between completion of the evaluation and the Assurance Maintenance Date. The product is still considered by NIAP to be in its evaluated configuration. VALIDATION REPORT PrinterLogic Web Stack Server 15 9 Results of the Evaluation The evaluation was conducted based upon the assurance activities specified in the Protection Profile for Application Software, Version 1.3, 1 March 2019. A verdict for an assurance component is determined by the resulting verdicts assigned to the corresponding evaluator action elements. The validation team’s assessment of the evidence provided by the evaluation team is that it demonstrates that the evaluation team performed the assurance activities in the claimed PPs, and correctly verified that the product meets the claims in the ST. The details of the evaluation are recorded in the Evaluation Technical Report (ETR), which is controlled by the Leidos CCTL. The security assurance requirements are listed in the following table. Table 3 TOE Security Assurance Requirements Assurance Component ID Assurance Component Name ASE_CCL.1 Conformance Claims ASE_ECD.1 Extended Components Definition ASE_INT.1 ST Introduction ASE_OBJ.1 Security Objectives ASE_REQ.1 Security Requirements ASE_TSS.1 TOE Summary Specification ADV_FSP.1 Basic Functional Specification AGD_OPE.1 Operational User Guidance AGD_PRE.1 Preparative Procedures ALC_CMC.1 Labeling of the TOE ALC_CMS.1 TOE CM Coverage ALC_TSU_EXT.1 Timely Security Updates ATE_IND.1 Independent Testing – Conformance AVA_VAN.1 Vulnerability Survey VALIDATION REPORT PrinterLogic Web Stack Server 16 10 Validator Comments/Recommendations The validation team notes that the evaluated configuration is dependent upon the TOE being configured per the evaluated configuration instructions in the PrinterLogic Web Stack version 18.3 Common Criteria Supplemental Guidance, Version 1.0, 23 October 2019. document. No versions of the TOE and software, either earlier or later were evaluated. Please note that the functionality evaluated is scoped exclusively to the security functional requirements specified in the Security Target. Other functionality included in the product was not assessed as part of this evaluation. Other functionality provided by devices in the operational environment, such as the syslog server, need to be assessed separately and no further conclusions can be drawn about their effectiveness. VALIDATION REPORT PrinterLogic Web Stack Server 17 11 Annexes Not applicable VALIDATION REPORT PrinterLogic Web Stack Server 18 12 Security Target Name Description ST Title PrinterLogic Web Stack Server version 18.3 Security Target ST Version Version 1.0 Publication Date 27 November 2019 VALIDATION REPORT PrinterLogic Web Stack Server 19 13 Abbreviations and Acronyms AA Assurance Activity API Application Programming Interface ASLR Address Space Layout Randomization AES Advanced Encryption Standard CAVP Cryptographic Algorithm Validation Program CBC Cipher-Block Chaining CC Common Criteria for Information Technology Security Evaluation CEM Common Evaluation Methodology for Information Technology Security CPA Control Panel Application CRL Certificate Revocation List FIPS Federal Information Processing Standard GUI Graphical User Interface HMAC Hashed Message Authentication Code HTTP(S) Hypertext Transfer Protocol (Secure) IP Internet Protocol LDAPS Lightweight Directory Access Protocol Secure NIAP National Information Assurance Partnership NIST National Institute of Standards and Technology PL PrinterLogic Web Stack PII Publicly Identifiable Information PP Protection Profile RSA Rivest, Shamir and Adleman (algorithm for public-key cryptography) SAR Security Assurance Requirement SFR Security Functional Requirement SHA Secure Hash Algorithm SNMP Simple Network Management Protocol SQL Structured Query Language SSH Secure Shell SSL Secure Socket Layer Protocol ST Security Target TCP Transmission Control Protocol TLS Transport Layer Security TOE Target of Evaluation TSF TOE Security Functions XMPP Extensible Messaging and Presence Protocol VALIDATION REPORT PrinterLogic Web Stack Server 20 14 Bibliography The Validation Team used the following documents to produce this Validation Report: [1] Common Criteria for Information Technology Security Evaluation Part 1: Introduction, Version 3.1, Revision 5, April 2017. [2] Common Criteria for Information Technology Security Evaluation Part 2: Security Functional Components, Revision 5, April 2017. [3] Common Criteria for Information Technology Security Evaluation Part 3: Security Assurance Components, Revision 5, April 2017. [4] Common Methodology for Information Technology Security Evaluation, Evaluation Methodology, Version 3.1, Revision 5, April 2017. [5] PrinterLogic Web Stack Server version 18.3 Security Target, Version 1.0, 27 November 2019 [6] PrinterLogic Web Stack Common Criteria Test Report and Procedures, Version 1.3, 11 November 2019 [7] PrinterLogic Web Stack Server version 18.3 Common Criteria Assurance Activities Report, Version 1.0, 27 November 2019 [8] PrinterLogic Web Stack version 18.3 Common Criteria Supplemental Guidance Version 1.0, 23 October 2019