A newly disclosed vulnerability in the open-source Common Unix Printing System (CUPS) can be exploited by malicious actors to initiate distributed denial-of-service (DDoS) attacks with a significant 600x amplification factor.
According to Akamai security researchers, the CVE-2024-47176 flaw in the cups-browsed daemon can be chained with three other vulnerabilities to enable remote code execution on Unix-like systems via a single UDP packet. This flaw can also be exploited to amplify DDoS attacks.
The vulnerability is triggered when attackers send specially crafted packets that trick a CUPS server into registering the target as a new printer. Each packet prompts the vulnerable CUPS server to generate larger IPP/HTTP requests aimed at the target, consuming bandwidth and CPU resources on both the target and the CUPS server.
Starts with a single malicious UDP packet
To launch this type of attack, a malicious actor needs only to send a single packet to an exposed, vulnerable CUPS service online. Akamai researchers estimate that approximately 58,000 servers, out of over 198,000 exposed devices, could be harnessed for DDoS attacks.
Additionally, hundreds of vulnerable devices exhibited an “infinite loop” of requests: some CUPS servers kept sending requests after receiving a single initial probe, and others entered endless loops in response to specific HTTP 404 errors.
Many of these vulnerable systems were running outdated versions of CUPS, some dating back to 2007, making them easy targets for cybercriminals. These older versions can be exploited to build botnets using the RCE chain or employed for DDoS amplification.
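The behaviour described above (one small inbound UDP probe, then a stream of larger IPP/HTTP requests from the CUPS host toward the spoofed “printer” address) leaves a recognisable footprint in flow logs. The following is an added example, not code from the article or from Akamai, of how a defender might score that footprint: for each (CUPS host, peer) pair it compares the bytes of UDP/631 probes received with the bytes of IPP/HTTP traffic sent back to the same peer, and it also measures how long the outbound stream continues after the last probe, which catches the “endless” cases. The flow records, the field names, the 50x and 5-second thresholds and the IP addresses are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One flow record. Field names are assumptions for this example, not a real exporter's schema."""
    ts: float      # seconds since start of the capture
    src: str
    dst: str
    proto: str     # "udp" or "tcp"
    dport: int
    nbytes: int


PROBE_PORT = 631            # cups-browsed listens here on UDP
IPP_PORTS = {631, 80, 443}  # where the induced IPP/HTTP requests go

# Constructed sample flows (not a real capture).
# 192.0.2.10: one 60-byte probe, then 40 outbound IPP requests of 900 bytes over ~10 s.
# 192.0.2.20: one probe, one short reply; left unflagged for contrast.
SAMPLE_FLOWS = (
    [Flow(0.0, "198.51.100.9", "192.0.2.10", "udp", 631, 60)]
    + [Flow(0.5 + i * 0.25, "192.0.2.10", "198.51.100.9", "tcp", 631, 900) for i in range(40)]
    + [
        Flow(0.0, "203.0.113.5", "192.0.2.20", "udp", 631, 60),
        Flow(0.6, "192.0.2.20", "203.0.113.5", "tcp", 631, 900),
    ]
)


def analyze(flows, amp_threshold=50.0, sustain_seconds=5.0):
    """Return per-(cups_host, peer) statistics for every pair that saw both a probe and responses.

    A pair is flagged when response bytes exceed probe bytes by amp_threshold, or when the
    response stream keeps going for sustain_seconds after the last probe (the 'infinite loop' case).
    """
    stats = defaultdict(lambda: {
        "probe_bytes": 0, "last_probe_ts": None,
        "response_bytes": 0, "response_count": 0, "last_response_ts": None,
    })
    for f in flows:
        if f.proto == "udp" and f.dport == PROBE_PORT:
            s = stats[(f.dst, f.src)]          # key is (cups_host, peer)
            s["probe_bytes"] += f.nbytes
            s["last_probe_ts"] = f.ts if s["last_probe_ts"] is None else max(s["last_probe_ts"], f.ts)
        elif f.proto == "tcp" and f.dport in IPP_PORTS:
            s = stats[(f.src, f.dst)]
            s["response_bytes"] += f.nbytes
            s["response_count"] += 1
            s["last_response_ts"] = f.ts if s["last_response_ts"] is None else max(s["last_response_ts"], f.ts)

    result = {}
    for key, s in stats.items():
        if s["probe_bytes"] == 0 or s["response_count"] == 0:
            continue  # responses without a probe, or a probe nobody answered: nothing to score
        amplification = s["response_bytes"] / s["probe_bytes"]
        duration = s["last_response_ts"] - s["last_probe_ts"]
        result[key] = {
            "probe_bytes": s["probe_bytes"],
            "response_bytes": s["response_bytes"],
            "response_count": s["response_count"],
            "amplification": amplification,
            "duration": duration,
            "flagged": amplification >= amp_threshold or duration >= sustain_seconds,
        }
    return result


def find_amplifiers(flows, **thresholds):
    """Sorted list of CUPS hosts on our network that behaved as amplifiers toward some peer."""
    return sorted({host for (host, _peer), r in analyze(flows, **thresholds).items() if r["flagged"]})


if __name__ == "__main__":
    for (host, peer), r in analyze(SAMPLE_FLOWS).items():
        print(f"{host} -> {peer}: {r['amplification']:.0f}x over {r['duration']:.1f}s "
              f"({r['response_count']} requests) flagged={r['flagged']}")
    print("amplifiers:", find_amplifiers(SAMPLE_FLOWS))
```

With the constructed sample, 192.0.2.10 scores a 600x byte ratio and keeps sending for over ten seconds after its only probe, so it is flagged on both criteria; 192.0.2.20 answers once at 15x and is left alone. In a real deployment the probe and response legs would come from the same flow exporter, and the thresholds would be tuned against normal CUPS browsing traffic on the network.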
“In the worst-case scenario, we observed what seemed to be an endless stream of connection attempts and requests triggered by a single probe. These flows appear never-ending and will continue until the daemon is terminated or restarted,” Akamai researchers reported.
“Many of the systems observed during testing generated thousands of requests, which were directed toward our testing infrastructure. In some cases, this activity seemed to persist indefinitely.”
Seconds needed to pull off an attack
This DDoS amplification attack is easy to execute, requiring minimal resources and little time. Akamai cautions that a threat actor could potentially compromise every exposed CUPS service on the internet within seconds.
Administrators are urged to apply the CVE-2024-47176 patches or disable the cups-browsed service to prevent their servers from being exploited in botnets or DDoS attacks.
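A quick way to tell whether a host is one of the exposed services the article describes is to check whether cups-browsed has a UDP/631 socket bound to a non-loopback address. The following is an added example, not code from the article or from the CUPS project: it parses `ss -lunp` output, reports every UDP/631 listener that is reachable from the network, and names the owning process. The sample `ss` output embedded in the block is constructed, and the `audit_host` wrapper only runs when the `ss` binary is present.

```python
import re
import shutil
import subprocess

LOOPBACK_PREFIXES = ("127.", "[::1]")

# Constructed sample of `ss -lunp` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0      0.0.0.0:631        0.0.0.0:*         users:(("cups-browsed",pid=1234,fd=7))
UNCONN 0      0      127.0.0.1:323      0.0.0.0:*         users:(("chronyd",pid=900,fd=5))
UNCONN 0      0      [::]:631           [::]:*            users:(("cups-browsed",pid=1234,fd=8))
"""


def exposed_udp_631(ss_output):
    """Return (local_address, process) for each UDP/631 socket bound to a non-loopback address.

    Expects the text produced by `ss -lunp` (header line first). Process names are taken
    from the users:(("name",pid=...)) column when present, otherwise reported as "unknown".
    """
    found = []
    for line in ss_output.splitlines()[1:]:        # skip the header row
        cols = line.split()
        if len(cols) < 5:
            continue
        addr, _, port = cols[3].rpartition(":")     # handles both 0.0.0.0:631 and [::]:631
        if port != "631" or addr.startswith(LOOPBACK_PREFIXES):
            continue
        m = re.search(r'users:\(\("([^"]+)"', line)
        found.append((addr, m.group(1) if m else "unknown"))
    return found


def audit_host():
    """Run the check on this machine. Returns the exposed sockets, or None if `ss` is unavailable."""
    if shutil.which("ss") is None:
        return None
    proc = subprocess.run(["ss", "-lunp"], capture_output=True, text=True, check=False)
    return exposed_udp_631(proc.stdout)


if __name__ == "__main__":
    result = audit_host()
    if result is None:
        print("ss not found; cannot audit this host")
    elif not result:
        print("no network-reachable UDP/631 listener: cups-browsed is not exposed here")
    else:
        for addr, process in result:
            print(f"exposed: {process} listening on {addr}:631/udp")
        # Remediation per the article: patch CVE-2024-47176, or stop the daemon with
        #   systemctl disable --now cups-browsed
```

Running the parser over the constructed sample reports both the IPv4 and IPv6 wildcard sockets held by cups-browsed and ignores the loopback-only chronyd socket; the root privilege needed by `ss -p` to resolve process names is the same one needed to stop the service afterwards.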
“DDoS remains a highly effective attack vector, used to disrupt victims ranging from major industries and governments to small content creators, online shops, and gamers,” Akamai researchers warned.
“While the original analysis centered on the RCE, which poses a more critical risk, DDoS amplification is also a significant threat in this case.”
As Cloudflare revealed this week, its DDoS defense systems protected customers from a wave of hyper-volumetric L3/4 DDoS attacks that peaked at 3.8 terabits per second (Tbps), marking the largest attack ever recorded.
Source: BleepingComputer, Sergiu Gatlan