
After Code Execution, Researchers Show How CUPS Can Be Abused for DDoS Attacks

Over 58,000 internet-exposed CUPS hosts can be abused for significant DDoS attacks, according to Akamai. 

A few days after a researcher warned that the Common UNIX Printing System (CUPS) could be abused for unauthenticated remote code execution, cybersecurity firm Akamai determined that CUPS could also be abused for significant DDoS attacks.

CUPS is a popular open source printing system that is based on the Internet Printing Protocol (IPP) and designed mainly for Linux and UNIX-like operating systems. 

Researcher Simone Margaritelli last week disclosed several unpatched CUPS vulnerabilities that can be chained to achieve remote code execution, which, according to Red Hat, could lead to sensitive data theft or damage to critical systems.

Akamai researchers have analyzed Margaritelli’s report and discovered a new attack vector involving CUPS, one that could be leveraged for DDoS attacks.

Specifically, an attacker can send a specially crafted UDP packet to a vulnerable instance of CUPS, instructing it to add a printer. The ‘printer’ specified by the attacker is actually the address of the target and CUPS will send it an IPP/HTTP request.

“For each packet sent, the vulnerable CUPS server will generate a larger and partially attacker-controlled IPP/HTTP request directed at the specified target. As a result, not only is the target affected, but the host of the CUPS server also becomes a victim, as the attack consumes its network bandwidth and CPU resources,” Akamai explained. 

In addition, the attacker can use padding to make these requests even larger and further amplify the attack. 
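The reflection pattern described above has a recognisable two-step signature on the defender's side of the network: an inbound UDP packet to a CUPS host on the port its browsing service listens on, followed shortly by an outbound IPP/HTTP connection from that same host to a different outside address (the "printer" named in the packet). The following script is an added example, not code from the article or from Akamai's research. It assumes UDP/631 as the CUPS browsing port, a simplified one-line-per-flow log format, RFC 1918 ranges as "internal", and a hypothetical set of ports an IPP/HTTP request would be sent to; the log lines are constructed for illustration.

```python
"""Flag CUPS hosts that behave as DDoS reflectors in a flow log.

Added example, not part of the SecurityWeek article or Akamai's research.
Detection logic: an inbound UDP packet from an external address to the CUPS
browsing port (UDP/631, a known cups-browsed default) on an internal host,
followed within a short window by an outbound TCP connection from that host
to an external address that is NOT the sender of the UDP packet.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample log. Assumed format (not a real tool's format):
#   <ISO timestamp> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <bytes>
CONSTRUCTED_FLOWS = """\
2024-09-30T10:00:00Z UDP 203.0.113.7:40000 -> 10.0.0.5:631 180
2024-09-30T10:00:01Z TCP 10.0.0.5:51000 -> 198.51.100.9:631 4200
2024-09-30T10:00:02Z UDP 203.0.113.7:40000 -> 10.0.0.6:631 180
2024-09-30T10:00:03Z TCP 10.0.0.6:51001 -> 198.51.100.9:80 4200
2024-09-30T10:00:05Z TCP 10.0.0.7:51002 -> 192.0.2.20:443 900
2024-09-30T10:30:00Z TCP 10.0.0.5:51003 -> 198.51.100.9:631 400
"""

INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
CUPS_BROWSE_PORT = 631          # cups-browsed listens for printer announcements here
IPP_HTTP_PORTS = {631, 80, 8080}  # hypothetical set of destination ports an IPP/HTTP request may use
WINDOW = timedelta(seconds=10)    # max gap between trigger packet and outbound request (assumption)


@dataclass
class Flow:
    ts: datetime
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed-format flow line into a Flow record."""
    ts, proto, src, _arrow, dst, nbytes = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Flow(datetime.fromisoformat(ts.replace("Z", "+00:00")), proto,
                src_ip, int(src_port), dst_ip, int(dst_port), int(nbytes))


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def find_reflections(log: str, window: timedelta = WINDOW):
    """Return a list of (cups_host, trigger_src, target, bytes_in, bytes_out).

    bytes_in is the size of the UDP trigger packet, bytes_out the size of the
    outbound request it provoked, so bytes_out / bytes_in is the per-packet
    amplification observed on this host.
    """
    flows = [parse_flow(l) for l in log.splitlines() if l.strip()]
    triggers = defaultdict(list)  # cups host -> [(ts, external sender, bytes)]
    for f in flows:
        if (f.proto == "UDP" and f.dport == CUPS_BROWSE_PORT
                and is_internal(f.dst) and not is_internal(f.src)):
            triggers[f.dst].append((f.ts, f.src, f.nbytes))

    hits = []
    for f in flows:
        if (f.proto != "TCP" or f.dport not in IPP_HTTP_PORTS
                or not is_internal(f.src) or is_internal(f.dst)):
            continue
        for ts, sender, nbytes in triggers.get(f.src, []):
            gap = (f.ts - ts).total_seconds()
            # The outbound request goes to the address named in the packet,
            # not back to the sender, so a match requires a third party.
            if 0 <= gap <= window.total_seconds() and sender != f.dst:
                hits.append((f.src, sender, f.dst, nbytes, f.nbytes))
                break
    return hits


def reflectors_per_target(hits):
    """Count distinct internal CUPS hosts observed sending to each target."""
    fan_in = defaultdict(set)
    for cups_host, _sender, target, _bi, _bo in hits:
        fan_in[target].add(cups_host)
    return {target: len(hosts) for target, hosts in fan_in.items()}


if __name__ == "__main__":
    for cups_host, sender, target, b_in, b_out in find_reflections(CONSTRUCTED_FLOWS):
        print(f"{cups_host} reflected UDP from {sender} to {target} "
              f"(amplification {b_out / b_in:.1f}x)")
    print("reflectors per target:", reflectors_per_target(find_reflections(CONSTRUCTED_FLOWS)))
```

The third host in the sample log makes an ordinary outbound HTTPS connection with no preceding trigger, and the last line is an outbound request thirty minutes after the trigger, so neither is flagged; the two flagged events both point at the same external address, which is the fan-in a reflected campaign produces. In production the same two-step logic maps onto any flow or firewall log that records direction, protocol and ports.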

Akamai’s analysis showed more than 58,000 internet-exposed CUPS servers that can be abused for such DDoS attacks. 


“If we assume all 58,000+ identified CUPS hosts were corralled into the same campaign, it could result in a deluge of 1 GB of incoming attack traffic per UDP packet from the minimally padded example. A maximally padded scenario could result in a 6-GB flood of traffic,” Akamai said. “Although these bandwidth numbers may not be considered earth-shattering, they would still result in the target’s need to handle roughly 2.6 million TCP connections and HTTP requests in either scenario.”

The company warned that it would be easy and inexpensive for a threat actor to launch such an attack, requiring only seconds to ensnare all vulnerable CUPS hosts.

As for the RCE vulnerabilities, following their disclosure some members of the cybersecurity industry noted that they do not appear to be as critical as Margaritelli initially suggested, particularly since some user interaction seemed to be necessary to trigger the exploit. However, the researcher later indicated that the exploit could be adapted to turn it into a zero-click attack.

Official patches have yet to be released, but some Linux distributions have made available fixes for their users. 

Censys has conducted a scan and found thousands of vulnerable CUPS instances exposed to the internet. 

Scanning activity targeting the port associated with CUPS has increased since the disclosure of the vulnerabilities.

Related: Microsoft Says Azure Outage Caused by DDoS Attack Response

Related: Law Enforcement Disrupts DDoS-for-Hire Service DigitalStress

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
