The Common UNIX Printing System (CUPS) vulnerabilities recently unveiled by researcher Simone “evilsocket” Margaritelli may not pose an immediate threat of remote command execution on vulnerable systems, but Akamai threat researchers have now uncovered a potential avenue for attackers looking to engage in Distributed Denial of Service (DDoS) attacks.
CUPS, the open-source printing system built on the Internet Printing Protocol (IPP), ships with many Linux, BSD, and other systems, but the affected component, the cups-browsed discovery daemon that listens on UDP/631 for printer announcements, is not enabled by default on many of them. Margaritelli identified four vulnerabilities – CVE-2024-47176 (cups-browsed), CVE-2024-47076 (libcupsfilters), CVE-2024-47175 (libppd), and CVE-2024-47177 (cups-filters) – that can be chained: an unauthenticated attacker gets the daemon to register an attacker-controlled printer with a malicious PPD, and the injected command runs when a user later sends a print job to that printer.
In response to Margaritelli’s disclosures, the CUPS maintainers have released partial fixes, prompting various distributions to issue or prepare patched packages. Despite the availability of proof-of-concept exploits, there have been no reported instances of active exploitation in the wild.
Akamai researchers have now raised concerns over the potential misuse of these vulnerabilities to turn vulnerable systems into reflectors and amplifiers for DDoS attacks. The abused behaviour is the same one that underpins the RCE chain: a single specially crafted UDP datagram sent to a susceptible cups-browsed instance carries a printer URL of the attacker's choosing, and the daemon dutifully connects to the host named in that URL and sends it IPP requests. A small spoofable datagram therefore produces considerably more outbound traffic than was received. This can overwhelm both the target named in the packet and the host running the vulnerable CUPS instance, taxing the network bandwidth and CPU of each.
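The trigger is easy to recognise on the wire: the legacy CUPS browse datagram that cups-browsed parses has the form `<type-hex> <state-hex> <uri> "location" "info" "make-and-model"`, and in a legitimate announcement the URI points back at the sender's own printer. The parser and classifier below are an added example written for this page, not code from Akamai, Margaritelli or the CUPS project; the sample datagrams, source addresses and the "local networks" list are constructed here for illustration. It flags datagrams whose advertised URI points at a host other than the sender, which is exactly the reflection primitive described above.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple
from urllib.parse import urlsplit

# Legacy CUPS browse datagram, as read by cups-browsed:
#   <type-hex> <state-hex> <uri> "location" "info" "make-and-model" [lease]
# cups-browsed itself uses sscanf("%x%x%1023s") for the first three fields,
# so "0x" prefixes and bare hex digits are both accepted.
_HEADER = re.compile(r'^\s*([0-9A-Fa-fx]+)\s+([0-9A-Fa-fx]+)\s+(\S+)(.*)$', re.S)
_QUOTED = re.compile(r'"([^"]*)"')

# Default ports for the schemes cups-browsed will follow (same defaults CUPS uses
# when a URI carries no explicit port).
_DEFAULT_PORT = {"ipp": 631, "ipps": 631, "http": 80, "https": 443}


@dataclass
class BrowsePacket:
    type_: int
    state: int
    uri: str
    location: str
    info: str
    make_model: str


def parse_browse_packet(data: bytes) -> Optional[BrowsePacket]:
    """Parse one UDP/631 datagram; return None if it is not a browse packet."""
    text = data.decode("utf-8", errors="replace")
    m = _HEADER.match(text)
    if not m:
        return None
    try:
        ptype, state = int(m.group(1), 16), int(m.group(2), 16)
    except ValueError:
        return None
    fields = _QUOTED.findall(m.group(4))
    fields += [""] * (3 - len(fields))          # missing quoted fields are allowed
    return BrowsePacket(ptype, state, m.group(3), fields[0], fields[1], fields[2])


def advertised_target(pkt: BrowsePacket) -> Optional[Tuple[str, int]]:
    """Host and port the receiving cups-browsed would connect to for this URI."""
    parts = urlsplit(pkt.uri)
    if parts.scheme not in _DEFAULT_PORT or not parts.hostname:
        return None
    return parts.hostname, parts.port or _DEFAULT_PORT[parts.scheme]


def classify(src_ip: str, data: bytes, local_nets: Iterable[str]) -> str:
    """Verdict for a datagram received from src_ip on UDP/631.

    benign      - URI host is the sender itself (a normal announcement)
    suspicious  - URI host is another machine on a trusted local network
    reflection  - URI host is an IP literal elsewhere: the sender is trying to
                  make this host send IPP traffic to a third party
    unverified  - URI host is a DNS name; cannot decide without resolving it
    malformed   - not a browse packet, or a scheme cups-browsed would not follow
    """
    pkt = parse_browse_packet(data)
    if pkt is None:
        return "malformed"
    target = advertised_target(pkt)
    if target is None:
        return "malformed"
    host, _port = target
    try:
        target_ip = ipaddress.ip_address(host)
    except ValueError:
        return "unverified"
    if target_ip == ipaddress.ip_address(src_ip):
        return "benign"
    if any(target_ip in ipaddress.ip_network(net) for net in local_nets):
        return "suspicious"
    return "reflection"


# Constructed sample traffic (hypothetical addresses from documentation ranges).
LOCAL_NETS = ["10.0.0.0/24"]
SAMPLES = [
    ("10.0.0.20", b'0 3 ipp://10.0.0.20:631/printers/hp "Room 1" "HP LaserJet" "HP LaserJet 4000"'),
    ("10.0.0.21", b'0 3 ipp://10.0.0.99/printers/x "" "" ""'),
    ("203.0.113.7", b'0 3 http://198.51.100.9/printers/x "" "" ""'),
    ("203.0.113.7", b'0x0 0x3 ipp://printer.example/printers/x "" "" ""'),
    ("203.0.113.7", b"GET / HTTP/1.0\r\n"),
]


def demo():
    """Return (source, verdict) for every constructed sample."""
    return [(src, classify(src, data, LOCAL_NETS)) for src, data in SAMPLES]


if __name__ == "__main__":
    for src, verdict in demo():
        print(f"{src:>14}  {verdict}")
```

In practice this logic would sit behind a UDP socket bound to port 631 on a sensor, or be fed datagrams extracted from a capture. Any `reflection` verdict from an internet-facing address is a strong sign that the host is being enlisted as an amplifier, and that the network filtering described below is overdue.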
The volume of DDoS traffic generated depends on factors such as the size of the triggering UDP packet, the number of vulnerable systems an attacker can reach, and how many IPP requests each of them sends per trigger packet. Akamai's Security Intelligence and Response Team has identified over 58,000 internet-connected devices with exploitable CUPS instances that could be leveraged to amplify DDoS assaults.
Should all identified vulnerable CUPS hosts be enlisted in a coordinated attack, Akamai estimates that the resulting traffic influx could range from 1 GB to 6 GB per UDP packet. Given the disruptive impact on both the targets and the organizations operating vulnerable CUPS installations, the researchers advise immediate action. Update to the patched CUPS and cups-browsed packages, or disable and remove cups-browsed where printer auto-discovery is not needed; the print service itself can stay. Where neither is possible right away, restrict the service port (UDP/631) at the firewall so that only trusted networks can reach it, and verify that it is not reachable from the internet at all.
The CUPS flaws show how a bug with a narrow path to code execution can still offer attackers an easy reflection primitive. Inventorying hosts that expose UDP/631, patching or disabling cups-browsed, and filtering the port are the proactive steps that close it.
