A few days after a researcher warned that the Common UNIX Printing System (CUPS) could be abused for unauthenticated remote code execution, cybersecurity firm Akamai determined that CUPS could also be abused for significant DDoS attacks.
CUPS is a popular open source printing system that is based on the Internet Printing Protocol (IPP) and designed mainly for Linux and UNIX-like operating systems.
Researcher Simone Margaritelli last week disclosed several unpatched CUPS vulnerabilities that can be chained to achieve remote code execution, which, according to Red Hat, could lead to sensitive data theft or damage to critical systems.
Akamai researchers have analyzed Margaritelli’s report and discovered a new attack vector involving CUPS, one that could be leveraged for DDoS attacks.
Specifically, an attacker can send a specially crafted UDP packet to a vulnerable instance of CUPS, instructing it to add a printer. The ‘printer’ specified by the attacker is actually the address of the target and CUPS will send it an IPP/HTTP request.
“For each packet sent, the vulnerable CUPS server will generate a larger and partially attacker-controlled IPP/HTTP request directed at the specified target. As a result, not only is the target affected, but the host of the CUPS server also becomes a victim, as the attack consumes its network bandwidth and CPU resources,” Akamai explained.
In addition, the attacker can use padding to make these requests even larger and further amplify the attack.
Akamai’s analysis showed more than 58,000 internet-exposed CUPS servers that can be abused for such DDoS attacks.
“If we assume all 58,000+ identified CUPS hosts were corralled into the same campaign, it could result in a deluge of 1 GB of incoming attack traffic per UDP packet from the minimally padded example. A maximally padded scenario could result in a 6-GB flood of traffic,” Akamai said. “Although these bandwidth numbers may not be considered earth-shattering, they would still result in the target’s need to handle roughly 2.6 million TCP connections and HTTP requests in either scenario.”
The company warned that it would be easy and inexpensive for a threat actor to launch such an attack, requiring only seconds to ensnare all vulnerable CUPS hosts.
As for the RCE vulnerabilities, some members of the cybersecurity industry noted following their disclosure that they do not appear as critical as Margaritelli initially suggested, particularly since some user interaction seemed to be necessary to trigger the exploit. However, the researcher later indicated that the exploit could be adapted to turn it into a zero-click attack.
Official patches have yet to be released, but some Linux distributions have made available fixes for their users.
Censys has conducted a scan and found thousands of vulnerable CUPS instances exposed to the internet.
Scanning activity targeting the port associated with CUPS has increased since the disclosure of the vulnerabilities.
Related: Microsoft Says Azure Outage Caused by DDoS Attack Response
Related: Law Enforcement Disrupts DDoS-for-Hire Service DigitalStress