DDoS attacks can be amplified by CUPS flaw

RCE is not the only way to abuse the recently-uncovered CUPS flaw

TechRadar

News by Sead Fadilpašić, published 4 October 2024


The recently-revealed Common UNIX Printing System (CUPS) security flaw may be even worse than expected following new claims it can be abused to amplify distributed denial of service (DDoS) attacks.

Researchers from Akamai have claimed the attacks can have an amplification factor of 600x for an average attack, a worrying prospect for victims everywhere.

CUPS is an open-source printing system developed by Apple for Unix-like operating systems, including Linux and macOS. It provides a standardized way to manage print jobs and queues, supporting both local and network printers. CUPS uses the Internet Printing Protocol (IPP) as its primary protocol, allowing seamless printer discovery and job submission across networks. It also includes a web-based interface for managing printers, print jobs, and configurations.

Infinite loop

CUPS was recently revealed to possess four flaws: CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, and CVE-2024-47177, and when chained, these can allow threat actors to create fake, malicious printers, which CUPS can discover. The only thing the crooks need to do is send a specially crafted packet to trick the CUPS server. The moment a user tries to print something using this new device, a malicious command gets executed locally on their device.

Akamai’s experts, on the other hand, claim that each packet sent to a flawed CUPS server makes it generate larger IPP/HTTP requests aimed at the targeted device. As a result, both CPU and bandwidth resources on the target get eaten up, in classic DDoS fashion. Their research determined that there are almost 200,000 internet-exposed devices, out of which almost 60,000 can be leveraged for DDoS campaigns.

In extreme cases, CUPS servers will continue to send requests, entering an infinite loop.

"In the worst-case scenario, we observed what appeared to be an endless stream of attempted connections and requests as a result of a single probe. These flows appear to have no end, and will continue until the daemon is killed or restarted," Akamai explained. "Many of these systems we observed in testing established thousands of requests, sending them to our testing infrastructure. In some cases, this behavior appeared to continue indefinitely."
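One way a defender could spot the behaviour Akamai describes in their own flow or firewall records: a tiny inbound probe followed by a long, gap-free stream of outbound IPP requests to a single peer. This is an added example, not Akamai's or the CUPS project's code; the flow records are constructed, and it assumes the CUPS host talks IPP on its default port 631.

```python
from collections import defaultdict

# Constructed flow records seen from the CUPS host's side:
# (direction, peer_ip, peer_port, byte_count, t_seconds)
# "in"  = a packet the CUPS host received, "out" = a request it sent.
def build_constructed_flows():
    flows = [("in", "203.0.113.7", 631, 100, 0.0)]            # one small probe
    flows += [("out", "198.51.100.9", 631, 300, 0.05 * i)     # 200 requests at one peer
              for i in range(1, 201)]
    flows.append(("out", "192.0.2.20", 631, 300, 12.0))       # one ordinary print job
    return flows

def amplification_ratio(flows):
    """Outbound bytes divided by inbound bytes for the window; the page's
    600x figure is this ratio for an average attack."""
    bytes_in = sum(b for d, _, _, b, _ in flows if d == "in")
    bytes_out = sum(b for d, _, _, b, _ in flows if d == "out")
    return bytes_out / bytes_in if bytes_in else float("inf")

def suspicious_targets(flows, min_requests=100, max_gap=1.0, port=631):
    """Peers that receive at least min_requests outbound IPP requests with
    no pause longer than max_gap seconds: the 'endless stream' pattern that
    Akamai observed from a single probe."""
    per_peer = defaultdict(list)
    for d, ip, peer_port, _, t in flows:
        if d == "out" and peer_port == port:
            per_peer[ip].append(t)
    flagged = []
    for ip, times in per_peer.items():
        times.sort()
        if len(times) < min_requests:
            continue
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        if max(gaps, default=0.0) <= max_gap:
            flagged.append(ip)
    return flagged

if __name__ == "__main__":
    flows = build_constructed_flows()
    print("amplification ratio:", amplification_ratio(flows))
    print("peers receiving a sustained IPP stream:", suspicious_targets(flows))
```

A flagged peer is the DDoS victim, not the attacker; the fix on the CUPS host is to restart or stop the daemon and patch, as the article notes.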
