CUPS vulnerabilities could be abused for DDoS attacks
While the Common UNIX Printing System (CUPS) vulnerabilities recently disclosed by researcher Simone “evilsocket” Margaritelli are not easily exploited for remote command execution on vulnerable systems, they could offer more opportunity to attackers who engage in DDoS attacks, Akamai threat researchers have discovered.
Potential for RCE
CUPS is an open-source printing system based on the Internet Printing Protocol (IPP). While present on many Linux, BSD and other systems, CUPS is not enabled by default on many of them.
Four vulnerabilities – CVE-2024-47176, CVE-2024-47076, CVE-2024-47175 and CVE-2024-47177 – in various CUPS components can be chained to execute commands remotely when a user launches a print job on an added malicious printer, Margaritelli discovered.
Following a partial release of fixes by the CUPS maintainers, various distros have released or are preparing to push out fixed packages. And while several PoC exploits have already been made public, in-the-wild exploitation has yet to be detected.
Potential for DDoS
“The reported vulnerabilities may be exploited to turn vulnerable systems into ‘amplifiers’ by sending a specially crafted UDP packet to a vulnerable instance of CUPS,” Akamai researchers have found.
Attack flow (Source: Akamai)
Instead of instructing CUPS to add a malicious printer, the packet instructs it to send an IPP/HTTP request to the target and port specified by the attacker.
“For each packet sent, the vulnerable CUPS server will generate a larger and partially attacker-controlled IPP/HTTP request directed at the specified target. As a result, not only is the target affected, but the host of the CUPS server also becomes a victim, as the attack consumes its network bandwidth and CPU resources.”
The size of the DDoS-aimed traffic depends on the size of the payload in the UDP packet, the number of vulnerable systems available, and how those systems respond to the request.
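The reflection pattern described above (a small inbound UDP/631 packet followed by a larger outbound IPP/HTTP request from the CUPS host to a third party) is something a defender can look for in their own flow telemetry. The following is an added example written for this article, not code from Akamai or the CUPS project; it assumes flow records have been reduced to simple dicts with `ts`, `src`, `dst`, `proto`, `dport` and `bytes` fields (as a NetFlow/IPFIX exporter or Zeek `conn.log` could be reduced to), and the sample flows embedded in it are constructed, not captured.

```python
"""Flag CUPS hosts that appear to be acting as reflectors (added example).

Assumption (not from the article): each flow record is a dict with keys
ts (seconds), src, dst, proto ("udp"/"tcp"), dport and bytes.
"""

CUPS_BROWSE_PORT = 631        # UDP/631, the port the article recommends firewalling
CORRELATION_WINDOW_S = 5.0    # outbound TCP must follow the trigger within this window
MIN_AMPLIFICATION = 2.0       # report only when outbound bytes clearly exceed the trigger

# Constructed sample flows (RFC 5737 documentation addresses, not real hosts).
# 192.0.2.10 is the CUPS host, 198.51.100.7 sends the triggers, 203.0.113.5 is
# the third party the CUPS host ends up sending larger IPP/HTTP requests to.
SAMPLE_FLOWS = [
    {"ts": 100.0, "src": "198.51.100.7", "dst": "192.0.2.10", "proto": "udp", "dport": 631, "bytes": 120},
    {"ts": 100.4, "src": "192.0.2.10", "dst": "203.0.113.5", "proto": "tcp", "dport": 80, "bytes": 1900},
    {"ts": 101.0, "src": "198.51.100.7", "dst": "192.0.2.10", "proto": "udp", "dport": 631, "bytes": 120},
    {"ts": 101.3, "src": "192.0.2.10", "dst": "203.0.113.5", "proto": "tcp", "dport": 80, "bytes": 1900},
    # Benign: a workstation submitting a print job over IPP, no UDP trigger before it.
    {"ts": 150.0, "src": "192.0.2.22", "dst": "192.0.2.10", "proto": "tcp", "dport": 631, "bytes": 5000},
    # Benign: a browse packet that is not followed by any outbound request.
    {"ts": 200.0, "src": "192.0.2.30", "dst": "192.0.2.10", "proto": "udp", "dport": 631, "bytes": 90},
]


def pair_triggers(flows, window=CORRELATION_WINDOW_S):
    """Pair each inbound UDP/631 packet with the first outbound TCP flow the
    receiving host opens within `window` seconds. Each outbound flow is used
    at most once so repeated triggers are not double-counted."""
    ordered = sorted(flows, key=lambda f: f["ts"])
    consumed = set()
    pairs = []
    for i, trig in enumerate(ordered):
        if trig["proto"] != "udp" or trig["dport"] != CUPS_BROWSE_PORT:
            continue
        for j in range(i + 1, len(ordered)):
            cand = ordered[j]
            if cand["ts"] > trig["ts"] + window:
                break  # flows are sorted, nothing later can match
            if j in consumed or cand["proto"] != "tcp" or cand["src"] != trig["dst"]:
                continue
            consumed.add(j)
            pairs.append((trig, cand))
            break
    return pairs


def find_reflection_candidates(flows, window=CORRELATION_WINDOW_S, min_amp=MIN_AMPLIFICATION):
    """Aggregate trigger/outbound pairs per (cups_host, target) and report the
    pairs whose byte amplification ratio meets `min_amp`."""
    agg = {}
    for trig, out in pair_triggers(flows, window):
        key = (trig["dst"], out["dst"])
        rec = agg.setdefault(key, {"triggers": 0, "trigger_bytes": 0, "outbound_bytes": 0})
        rec["triggers"] += 1
        rec["trigger_bytes"] += trig["bytes"]
        rec["outbound_bytes"] += out["bytes"]

    findings = []
    for (cups_host, target), rec in agg.items():
        amplification = rec["outbound_bytes"] / rec["trigger_bytes"]
        if amplification >= min_amp:
            findings.append({
                "cups_host": cups_host,
                "target": target,
                "triggers": rec["triggers"],
                "amplification": round(amplification, 2),
            })
    return findings


if __name__ == "__main__":
    for finding in find_reflection_candidates(SAMPLE_FLOWS):
        print(f"{finding['cups_host']} -> {finding['target']}: "
              f"{finding['triggers']} triggers, {finding['amplification']}x amplification")
```

On the constructed sample this reports a single `(192.0.2.10, 203.0.113.5)` pair with two triggers and roughly 15.8x amplification, while the ordinary print job and the lone browse packet produce nothing. A host that shows up in such a report is both a reflector and a victim in the sense the article describes, and is the kind of host on which the UDP/631 firewalling or CUPS removal advice below should be applied first.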
Akamai’s Security Intelligence and Response Team says that there are over 58,000 internet-connected vulnerable devices that could be abused for amplifying DDoS attacks.
“If we assume all 58,000+ identified CUPS hosts were corralled into the same campaign, it could result in a deluge of 1 GB of incoming attack traffic per UDP packet from the minimally padded example. A maximally padded scenario could result in a 6-GB flood of traffic,” they calculated.
As the effect of such an attack can be felt both by targets and the organizations running vulnerable CUPS installations, the researchers urged the latter to either update to the latest version of CUPS or remove the service if they don’t need it.
“At the very least, if removing or updating the CUPS software isn’t viable, defenders should firewall the service ports (UDP/631), especially if they’re accessible from the broader internet,” they advised.
UPDATE (October 9, 2024, 04:20 a.m. ET):
Security researcher Marcus Hutchins has developed a scanner for finding vulnerable cups-browsed instances on one’s local network.