A recent discovery has revealed that the vulnerabilities in the Common Unix Printing System (CUPS) can be exploited not only for remote code execution but also for launching large distributed denial-of-service (DDoS) attacks within seconds and at minimal cost. This finding widens the risk picture for these vulnerabilities: attackers can leverage them to inflict significant damage without ever achieving code execution on the vulnerable host.
The vulnerability in CUPS enables attackers to easily co-opt around 58,000 Internet-exposed devices into launching a barrage of connection attempts and requests at target systems. By sending a small request to each vulnerable CUPS host, an attacker can direct between 1GB and 6GB of useless data to the target system. While these bandwidth numbers may not seem substantial, they could overwhelm the target with millions of TCP connections and HTTP requests, as highlighted by researchers at Akamai.
CUPS, an Internet Printing Protocol (IPP)-based open-source printing system, is widely used in Unix-like operating systems such as Linux and macOS. Independent security researcher Simone Margaritelli recently disclosed a serious flaw in CUPS that could allow attackers to execute malicious commands remotely by exploiting four vulnerabilities, including those in components like “cups-browsed” and libraries like “libcupsfilters.”
While Margaritelli’s research focused on the remote code execution aspect of the vulnerabilities, Akamai uncovered the potential for launching DDoS attacks using the same flaws. By crafting a packet that names the target’s address as a printer to be added, an attacker can trigger the vulnerable CUPS server to generate IPP/HTTP requests directed at the target. According to Akamai, launching a DDoS attack using this method requires just a single packet sent to a vulnerable CUPS service with Internet connectivity.
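The reflection pattern described above leaves a recognisable footprint on the network: a print server that normally talks to a handful of internal printers suddenly opens a burst of outbound IPP/HTTP connections to one address. The following detector is an added example written for this article (it is not Akamai’s tooling or part of CUPS); the flow-record format, the CUPS host inventory, the internal network ranges, the thresholds and every address in the sample traffic are constructed for illustration.

```python
"""Flag CUPS hosts that begin emitting bursts of outbound IPP/HTTP connections.

Added example (not from the article or from Akamai): reads netflow-style
records, counts outbound connections per (source, destination) pair inside a
sliding time window, and reports pairs that look like a print server being
used as a reflector. Record format, thresholds and all addresses are constructed.
"""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed record format: "<iso-timestamp> <src>:<sport> -> <dst>:<dport> <proto>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)$"
)

# Constructed inventory: hosts known to run CUPS, and the networks treated as internal.
CUPS_HOSTS = {"10.0.0.5"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one record; return None for lines that do not match the format."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return Flow(ts, m["src"], m["dst"], int(m["dport"]))


def is_external(addr: str) -> bool:
    """True when the address lies outside every configured internal network."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def find_reflection_bursts(lines, cups_hosts, window=timedelta(seconds=10), threshold=20):
    """Return {(src, dst): {"count": n, "external": bool}} for CUPS hosts that open
    at least `threshold` connections to one destination within any `window`."""
    by_pair = defaultdict(list)
    for line in lines:
        f = parse_flow(line)
        if f is None or f.src not in cups_hosts:
            continue  # only outbound traffic from print servers is of interest here
        by_pair[(f.src, f.dst)].append(f.ts)

    alerts = {}
    for pair, times in by_pair.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):  # two-pointer sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[pair] = {"count": peak, "external": is_external(pair[1])}
    return alerts


def _stamp(t: datetime) -> str:
    return t.isoformat().replace("+00:00", "Z")


def build_sample_flows():
    """Constructed traffic: a 25-connection burst from the CUPS host to an outside
    address, routine traffic to an internal printer, and a burst from a non-CUPS host."""
    base = datetime(2024, 9, 27, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(25):
        lines.append(f"{_stamp(base + timedelta(milliseconds=200 * i))} 10.0.0.5:{40000 + i} -> 203.0.113.7:631 tcp")
    for i in range(3):
        lines.append(f"{_stamp(base + timedelta(minutes=i))} 10.0.0.5:{45000 + i} -> 10.0.0.9:631 tcp")
    for i in range(30):
        lines.append(f"{_stamp(base + timedelta(milliseconds=100 * i))} 10.0.0.50:{50000 + i} -> 203.0.113.7:80 tcp")
    return lines


SAMPLE_FLOWS = build_sample_flows()

if __name__ == "__main__":
    for (src, dst), info in find_reflection_bursts(SAMPLE_FLOWS, CUPS_HOSTS).items():
        print(f"ALERT {src} -> {dst}: {info['count']} connections in window, external={info['external']}")
```

Only the burst from the inventoried CUPS host to the outside address is reported; the same volume from a host that does not run CUPS is ignored by design, and the routine traffic to the internal printer never crosses the threshold. The `external` flag is what turns an alert into a priority: a print server opening dozens of connections per second to an address it has no business printing to is the behaviour the article describes.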
Kyle Lefton, a security researcher at Akamai, highlighted the ease with which threat actors could exploit the DDoS vulnerability compared to the more complex remote code execution exploit. He emphasized the need for organizations to patch outdated CUPS systems or deploy mitigation techniques to prevent potential attacks. Akamai identified around 198,000 vulnerable CUPS hosts accessible on the Internet, of which over 58,000 are susceptible to being utilized in DDoS attacks.
Larry Cashdollar, principal security researcher at Akamai, noted that the effectiveness of a CUPS host’s vulnerability to DDoS attacks depends on its configuration. Network administrators may have additional firewalls in place or have implemented hardening measures to safeguard their systems against such threats.
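Whether a given host can be co-opted comes down to whether cups-browsed is willing to act on printer announcements from the network at all. The following checker is an added example, not something from the article or the CUPS project: it reads a cups-browsed.conf, reports which remote announcement channels are enabled, and produces a hardened copy. The directive names (BrowseRemoteProtocols, BrowseProtocols, BrowseAllow) are those of cups-browsed’s own configuration file; the assumed default of “dnssd cups” when neither directive is set, the last-occurrence-wins parsing, and the sample configurations are assumptions and constructions for this example.

```python
"""Assess a cups-browsed.conf for exposure to remote printer announcements.

Added example, not from the article or the CUPS project: directive names follow
the cups-browsed.conf format (BrowseRemoteProtocols, BrowseProtocols). The
default of "dnssd cups" when neither is set, and last-occurrence-wins parsing,
are assumptions; the sample configurations are constructed.
"""
import re
from typing import Dict, List, Set

DEFAULT_REMOTE_PROTOCOLS = {"dnssd", "cups"}  # assumed default when the config is silent


def parse_directives(text: str) -> Dict[str, List[str]]:
    """Map lower-cased directive -> values, dropping comments and blank lines."""
    directives: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, *values = line.split()
        directives[key.lower()] = [v.lower() for v in values]  # last occurrence wins (assumption)
    return directives


def effective_remote_protocols(directives: Dict[str, List[str]]) -> Set[str]:
    """BrowseRemoteProtocols overrides BrowseProtocols, which sets both directions."""
    if "browseremoteprotocols" in directives:
        protocols = set(directives["browseremoteprotocols"])
    elif "browseprotocols" in directives:
        protocols = set(directives["browseprotocols"])
    else:
        protocols = set(DEFAULT_REMOTE_PROTOCOLS)
    protocols.discard("none")
    return protocols


def assess(text: str) -> dict:
    """Report which remote announcement channels cups-browsed would act on."""
    protocols = effective_remote_protocols(parse_directives(text))
    findings = []
    if "cups" in protocols:
        findings.append("accepts legacy CUPS browse packets on UDP 631 from hosts permitted by BrowseAllow")
    if "dnssd" in protocols:
        findings.append("accepts DNS-SD/mDNS printer announcements")
    return {"remote_protocols": sorted(protocols), "findings": findings, "exposed": bool(protocols)}


def harden(text: str) -> str:
    """Return a copy of the config with remote browsing disabled entirely.
    BrowseProtocols is dropped too, because it also enables remote discovery."""
    kept = [line for line in text.splitlines()
            if not re.match(r"^\s*Browse(Remote)?Protocols\b", line, re.IGNORECASE)]
    kept.append("BrowseRemoteProtocols none")
    return "\n".join(kept) + "\n"


# Constructed before/after pair: the weak setting beside its corrected form.
WEAK_CONFIG = """# cups-browsed.conf (constructed, weak)
BrowseRemoteProtocols dnssd cups
BrowseAllow 10.0.0.0/8
"""
HARDENED_CONFIG = harden(WEAK_CONFIG)

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, assess(cfg))
```

The check is deliberately conservative: a file that says nothing is reported as exposed, because silence means the daemon falls back to its defaults. A BrowseAllow line narrows who may announce printers but does not change the verdict, since the point of the article is that a single packet from any permitted host is enough; the hardened output removes the listening behaviour outright, which is the configuration Cashdollar’s remark about hardened deployments alludes to.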
Furthermore, the strain on server hardware caused by DDoS attacks poses additional challenges for organizations running vulnerable CUPS systems. The attacks not only disrupt the targeted systems but also exert pressure on the server hardware due to processing encrypted traffic. As organizations continue to face the growing threat of DDoS attacks, implementing robust protective measures and mitigation strategies remains crucial in safeguarding against potential risks.
The rise in DDoS attacks, as illustrated by recent statistics from Cloudflare showing a significant increase in attacks mitigated over the past year, underscores the importance of addressing vulnerabilities in systems like CUPS. With threat actors gaining access to advanced tools and technologies, organizations must remain vigilant and proactive in defending against evolving cyber threats.