Cups Linux printing bugs open door to DDoS attacks, says Akamai

A group of four vulnerabilities in the Common Unix Printing System (CUPS) has been discovered, with researchers at Akamai revealing that these vulnerabilities could not only lead to remote code execution (RCE) but also be exploited for distributed denial of service (DDoS) attacks.

These vulnerabilities, namely CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177, impact over 76,000 devices and potentially many more. They were brought to light by researcher Simone Margaritelli, also known as evilsocket, at the end of September.

The vulnerabilities allow attackers to exploit CUPS, which is designed to enable a regular computer to function as a print server, by adding a “ghost” printer with a malicious Internet Printing Protocol (IPP) URL to a vulnerable machine and initiating a print job.

However, Akamai researchers Larry Cashdollar, Kyle Lefton, and Chad Seaman discovered that these vulnerabilities could also be leveraged for launching DDoS attacks, causing significant disruption and being easily misused for malicious purposes.

The researchers expressed particular concern over the ease with which DDoS attacks could be carried out using CUPS. Exploiting every vulnerable exposed CUPS service could take mere seconds, with the cost of launching an attack being less than a single US cent if the attacker has access to a modern hyperscaler platform. Additionally, initiating the attack only requires sending a single packet to a vulnerable CUPS service.

According to the researchers, there may be more than 198,000 accessible devices on the internet that are susceptible to this attack vector, with around 58,000 of them potentially being used for DDoS attacks. Many of these devices are running outdated versions of CUPS, dating back to version 1.3 from 2007, providing threat actors with an opportunity to exploit obsolete hardware to amplify their attacks.

If all identified hosts were utilized in a single campaign, they could generate up to 6GB of malicious traffic, which, while not substantial by current standards, could still pose a problem. The Akamai team’s testing also revealed that some active CUPS servers continued to transmit data repeatedly after receiving the initial request, further illustrating the potential impact of the vulnerabilities.

APIContext CEO Mayur Upadhyaya compared the CUPS vulnerability to discovering a hidden amplifier in a speaker system, capable of turning a whisper into a deafening roar. This flaw allows attackers to magnify even minor signals, unleashing a flood of traffic that can overwhelm targeted systems.