Cups Linux printing bugs open door to DDoS attacks, says Akamai

A series of four vulnerabilities in the Common Unix Printing System, or Cups, leading to remote code execution (RCE) appear to contain a nasty sting in their tail, according to researchers at Akamai, who earlier this week published evidence that they could also enable a crippling distributed denial of service (DDoS) attack.

CVE-2024-47176, CVE-2024-47076, CVE-2024-47175 and CVE-2024-47177 collectively affect more than 76,000 devices and possibly many more. They were discovered and disclosed at the end of September by researcher Simone Margaritelli, aka evilsocket.

They enable Cups, which exists to allow an ordinary computer to act as a print server, to be exploited as a vector for RCE if an attacker can successfully add a “ghost” printer with a malicious Internet Printing Protocol (IPP) URL to a vulnerable machine and start a print job on it.

But according to Akamai researchers Larry Cashdollar, Kyle Lefton and Chad Seaman, when reviewing Margaritelli’s disclosure, they spotted the possibility of Cups being exploited to launch DDoS attacks which, although less severe than RCE, still cause significant disruption and are easily abused for malicious ends.

The trio of researchers claim that of particular concern in this instance is that it would take limited resources to launch a DDoS attack via Cups – the task of co-opting every vulnerable exposed Cups service could take mere seconds, and if a threat actor has access to a modern hyperscaler platform, could cost less than a single US cent. Moreover, to begin the attack, the attacking system only needs to send a single packet to a vulnerable Cups service.

“The problem arises when an attacker sends a crafted packet specifying the address of a target as a printer to be added,” they wrote in a technical write-up explaining the DDoS risk.

“For each packet sent, the vulnerable Cups server will generate a larger and partially attacker-controlled IPP/HTTP request directed at the specified target. As a result, not only is the target affected, but the host of the Cups server also becomes a victim, as the attack consumes its network bandwidth and CPU resources.”

They believe there may actually be more than 198,000 devices in the wild that are accessible on the internet and vulnerable to this attack vector, and about 58,000 of those could be used for DDoS attacks.

They added that given many of these devices are running older versions of Cups – some dating all the way back to version 1.3, which dropped in 2007 – threat actors have a golden opportunity to take advantage of outdated hardware to amplify their DDoS attacks.

Assuming all 58,000 plus of the identified hosts were used in the same campaign, they could cause a flood of up to 6GB of malicious traffic, which is not by any means a particularly large DDoS attack by modern standards, but could still be problematic.

Perhaps more concerningly, the Akamai team’s testing also found that some of the active Cups servers beaconed back repeatedly after receiving the initial request, and some appeared to do so infinitely after receiving HTTP/404 responses. They said this demonstrated that the potential amplification from the issue was fairly large and capable of causing significant issues.

“New DDoS attack vectors are sometimes found, and often quickly abused, by low-skilled opportunistic attackers. This vulnerability in CUPS and the large population of devices that could be abused in this manner lead us to believe that it’s likely that defenders may encounter CUPS-based attacks,” they said.

“Until messaging and cleanup efforts get traction to reduce the number of devices that are vulnerable and exposed on the internet, we suspect this vector will see abuse in the wild.”

APIContext CEO Mayur Upadhyaya, commented: “The CUPS vulnerability is akin to discovering a hidden amplifier in a seemingly ordinary speaker system. A tiny tap can turn a whisper into a deafening roar, overwhelming the surroundings. Similarly, this flaw magnifies even small signals, allowing attackers to unleash a torrent of traffic, drowning targeted systems.”