
New DDoS Attack Vector Discovered in CUPS, Exposing 58,000+ Vulnerable Devices Online

By ISB Staff Reporter, October 7, 2024 (updated November 8, 2024)

Akamai researchers have identified a critical vulnerability in the Common Unix Printing System (CUPS) that could allow malicious actors to initiate powerful distributed denial-of-service (DDoS) attacks with minimal resources. Approximately 58,000 exposed devices are potentially at risk, posing a serious threat to internet stability.

This discovery adds to the growing list of vulnerabilities in outdated technology that can be abused by malefactors. The Akamai team revealed that over 198,000 devices connected to the internet are vulnerable to this type of attack, with around 34% of these, or roughly 58,000 devices, susceptible to DDoS abuse.

Exploit Details and Impact

The exploit, first highlighted on 26 September by security researcher evilsocket, is based on a combination of four different vulnerabilities within CUPS. These vulnerabilities—tracked as CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177—enable remote code execution (RCE) through the manipulation of Internet Printing Protocol (IPP) URLs.

Akamai’s researchers found that the CUPS service could respond to such a packet by generating an IPP/HTTP request directed at the attacker’s specified target. Not only does this impact the target, but it also consumes the bandwidth and resources of the compromised CUPS server, creating a dual-victim scenario.

Easy to Launch, Cheap to Sustain

According to Akamai, the most concerning aspect is how few resources a successful attack needs: “It would take an attacker mere seconds to co-opt every vulnerable CUPS service currently exposed on the internet and cost the attacker less than a single US cent on modern hyperscaler platforms.”

Testing of hundreds of vulnerable devices by Akamai SIRT revealed continuous “infinite loop” request patterns in response to HTTP 404 responses, indicating a high potential for amplification.

The attack could be intensified using a crafted payload that directs CUPS to issue multiple requests, padding the payload to consume more bandwidth and resources. Researchers found that some servers could even complete Transport Layer Security (TLS) handshakes, adding additional resource strain.

Turning a Whisper into a Deafening Roar

“The CUPS vulnerability is akin to discovering a hidden amplifier in a seemingly ordinary speaker system,” comments Mayur Upadhyaya, CEO at APIContext. “A tiny tap can turn a whisper into a deafening roar, overwhelming the surroundings. Similarly, this flaw magnifies even small signals, allowing attackers to unleash a torrent of traffic, drowning targeted systems.”

Upadhyaya says there are several implications. Firstly, the 600x amplification factor transforms even minor attacks into potentially devastating disruptions. Also, exploiting this flaw requires chaining multiple vulnerabilities, emphasizing the need to address all security weaknesses. Next, the UDP protocol’s lack of security checks makes it a prime target for exploitation.

Finally, he says applying the patch and implementing robust API security measures are essential to prevent this vulnerability from being weaponized.

Obsolete Software: A Major Security Risk

Many vulnerable CUPS servers were running outdated software, with some instances still operating on version 1.3, released in 2007. This raises a critical issue: unpatched legacy systems on the internet continue to serve as easy targets for malicious actors. While outdated CUPS versions can be exploited for DDoS amplification, they also pose a risk for botnet formation, potentially leading to more significant and more complex attacks in the future.

Mitigation Strategies for CUPS Vulnerabilities

Akamai said entities using CUPS should immediately update to the latest version or, if printing services are not needed, remove CUPS entirely to avoid exposure. For those who need to keep CUPS, firewall configurations should be updated to restrict access to the relevant service ports, especially UDP port 631, to reduce exposure to the broader internet.

Several Linux distributions have also released mitigations by either binding CUPS to localhost or disabling specific components from listening altogether. However, the onus is on system administrators to ensure these steps are implemented to prevent exploitation.
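The two mitigations above (bind CUPS to localhost, keep UDP 631 off the internet) can be verified on a host by looking at what is actually listening. The following Python is an added example, not code from the article, Akamai or the CUPS project: it parses listening-socket lines in the column layout printed by the iproute2 `ss -ulnp` / `ss -tlnp` commands and reports any port-631 socket bound to a wildcard or routable address. The sample `ss` output, process names and PIDs are constructed for the demo.

```python
"""Report CUPS sockets on port 631 that are reachable beyond localhost.

Added example; not code from the article, Akamai, or the CUPS project.
It parses listening-socket lines in the column layout printed by the
iproute2 `ss -ulnp` / `ss -tlnp` commands (State, Recv-Q, Send-Q,
Local Address:Port, Peer Address:Port, Process) and flags any port-631
socket bound to a wildcard or non-loopback address. The sample output
below is constructed; on a real host, feed it the commands' actual output.
"""
import ipaddress
import re

CUPS_PORT = 631
WILDCARDS = {"*", "0.0.0.0", "::"}

# One `ss` line: state, two queue counters, local and peer addresses, optional process.
SOCKET_LINE_RE = re.compile(
    r'^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)


def split_local(addr: str):
    """Split 'host:port', '[v6]:port' or '*:port' into (host, port)."""
    host, _, port = addr.rpartition(":")
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
    return host, int(port)


def is_loopback_bind(host: str) -> bool:
    """True only for loopback binds; wildcards and routable addresses are exposed."""
    if host in WILDCARDS:
        return False
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"


def find_exposed_cups_sockets(ss_lines, proto: str):
    """Return port-631 sockets not bound to loopback, with the owning process."""
    findings = []
    for line in ss_lines:
        m = SOCKET_LINE_RE.match(line.strip())
        if not m:
            continue  # header line or unexpected layout
        host, port = split_local(m.group("local"))
        if port != CUPS_PORT or is_loopback_bind(host):
            continue
        findings.append({
            "proto": proto,
            "bind": m.group("local"),
            "process": m.group("proc") or "unknown",
        })
    return findings


def assess_host(udp_lines, tcp_lines):
    """Combine the UDP (cups-browsed) and TCP (cupsd) checks into one verdict."""
    exposed = (find_exposed_cups_sockets(udp_lines, "udp")
               + find_exposed_cups_sockets(tcp_lines, "tcp"))
    return {"exposed": exposed, "needs_action": bool(exposed)}


# Constructed sample output: cups-browsed listening on UDP 631 on all
# interfaces (exposed), cupsd bound to loopback only on TCP 631 (fine).
UDP_SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0      0.0.0.0:631       0.0.0.0:*     users:(("cups-browsed",pid=812,fd=7))
UNCONN 0      0      127.0.0.1:323     0.0.0.0:*     users:(("chronyd",pid=640,fd=5))
"""
TCP_SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    127.0.0.1:631     0.0.0.0:*     users:(("cupsd",pid=801,fd=6))
LISTEN 0      128    [::1]:631         [::]:*        users:(("cupsd",pid=801,fd=7))
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=700,fd=3))
"""

if __name__ == "__main__":
    result = assess_host(UDP_SAMPLE.splitlines(), TCP_SAMPLE.splitlines())
    for f in result["exposed"]:
        print(f"EXPOSED {f['proto']} {f['bind']} ({f['process']})")
    print("needs action:", result["needs_action"])
```

On the constructed sample the check reports the UDP 631 socket owned by cups-browsed on 0.0.0.0 and nothing for cupsd, which matches the article's point that the browsing component listening on UDP 631 is what needs to be firewalled, bound to localhost, or disabled. A socket that passes this check can still be reachable if the host is behind port forwarding, so treat it as one input alongside the firewall rules rather than the only one.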

Defensive Measures Against DDoS Attacks

Anyone targeted by a DDoS attack launched through vulnerable CUPS servers can strengthen network defenses by filtering the traffic those servers generate. Attack traffic often begins with HTTP requests whose request line starts with POST /printers/ or POST /classes/, which makes it easier to identify and block such traffic at the web application firewall (WAF) level.

Also, CUPS user-agent strings containing the format CUPS/[VERSION] can help filter out attack traffic.
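The following Python is an added example that applies the two indicators named above (the POST /printers/ and POST /classes/ request-line prefixes and a CUPS/[VERSION] User-Agent) to a batch of web-server log entries. It is not code from Akamai or from this article; the log layout, the RFC 5737 sample addresses and the "require both indicators" option are assumptions of the example.

```python
"""Flag HTTP requests that carry the CUPS-traffic indicators named above.

Added example, not code from Akamai or from this article. It checks two
indicators per request: a request line beginning "POST /printers/" or
"POST /classes/", and a User-Agent of the form CUPS/<version>. The log
layout (<client-ip> "<request line>" "<user-agent>") and the sample
entries are constructed for the demo.
"""
import re
from dataclasses import dataclass

# Request-line prefixes associated with CUPS-originated attack traffic.
CUPS_PATH_PREFIXES = ("POST /printers/", "POST /classes/")

# User-Agent pattern for CUPS clients, e.g. "CUPS/2.4.2".
CUPS_UA_RE = re.compile(r"^CUPS/\d+(?:\.\d+)*")

# Constructed log layout: <client-ip> "<request line>" "<user-agent>"
LOG_RE = re.compile(r'^(\S+) "([^"]*)" "([^"]*)"$')


@dataclass
class Verdict:
    client_ip: str
    blocked: bool
    reasons: tuple


def classify_request(request_line: str, user_agent: str) -> tuple:
    """Return the indicators matched by one request, in a fixed order."""
    reasons = []
    if request_line.startswith(CUPS_PATH_PREFIXES):
        reasons.append("ipp-path")
    if CUPS_UA_RE.match(user_agent or ""):
        reasons.append("cups-user-agent")
    return tuple(reasons)


def parse_log_line(line: str):
    """Split one constructed log entry; return None for lines that do not fit."""
    m = LOG_RE.match(line.strip())
    return m.groups() if m else None


def filter_log(lines, require_both_indicators: bool = False):
    """Classify each entry. By default one indicator is enough to block;
    set require_both_indicators=True for a stricter rule that only blocks
    requests showing both the IPP path and the CUPS User-Agent."""
    needed = 2 if require_both_indicators else 1
    verdicts = []
    for line in lines:
        parsed = parse_log_line(line)
        if parsed is None:
            continue  # malformed entry: skip rather than guess
        client_ip, request_line, user_agent = parsed
        reasons = classify_request(request_line, user_agent)
        verdicts.append(Verdict(client_ip, len(reasons) >= needed, reasons))
    return verdicts


def blocked_per_source(verdicts):
    """Count blocked requests per client IP, e.g. to feed a rate-limit rule."""
    counts = {}
    for v in verdicts:
        if v.blocked:
            counts[v.client_ip] = counts.get(v.client_ip, 0) + 1
    return counts


# Constructed sample entries (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '198.51.100.7 "POST /printers/office HTTP/1.1" "CUPS/2.4.2"',
    '198.51.100.7 "POST /classes/all HTTP/1.1" "CUPS/1.3.11"',
    '203.0.113.5 "GET /index.html HTTP/1.1" "Mozilla/5.0"',
    '203.0.113.9 "POST /printers/hr HTTP/1.1" "curl/8.0.1"',
    '192.0.2.4 "GET /api/status HTTP/1.1" "CUPS/2.3.1"',
    'not a log line',
]

if __name__ == "__main__":
    for v in filter_log(SAMPLE_LOG):
        print(f"{v.client_ip:14} blocked={v.blocked!s:5} reasons={v.reasons}")
    print("strict rule:", blocked_per_source(filter_log(SAMPLE_LOG, require_both_indicators=True)))
```

The default rule blocks on either indicator, which is the aggressive setting for a service under attack; the strict rule only blocks requests that show both and is the safer starting point on a server that legitimately accepts IPP print jobs on /printers/ paths. Either way, the per-source counts are the useful output: the same small set of CUPS servers will dominate them, which is what a WAF rate limit or an upstream block list needs.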

The Need for Proactive Defense

As new DDoS vectors rear their ugly heads, it becomes increasingly critical for businesses to defend against them proactively. The CUPS vulnerability highlights the danger of outdated technology on the internet—sitting ducks for attackers.

Organizations, network operators, and system administrators are encouraged to address these exposures quickly. Proactive measures are key to reducing the potential impact of CUPS-based DDoS attacks and preventing further exploitation by threat actors.


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
