Hackers Exploit Linux Printing Flaw for Massive DDoS Attacks

Researchers discovered a new attack vector that exploits CUPS, a printing system. By sending a single packet to a vulnerable CUPS service, attackers can trigger a distributed denial-of-service (DDoS) attack. 

Over 198,000 devices with internet exposure are vulnerable, and 34% of these could be used for DDoS abuse. The attack requires minimal resources, making it easy for attackers to exploit vulnerable devices and launch large-scale DDoS attacks.

Security researchers discovered a critical vulnerability chain in the Common Unix Printing System (CUPS) on September 26, 2024. By exploiting four vulnerabilities, a remote attacker could manipulate Internet Printing Protocol (IPP) URLs to execute arbitrary commands on a vulnerable system. 

The chain begins with CVE-2024-47176, which coerces a request to an attacker-controlled address. CVE-2024-47076 and CVE-2024-47175 then allow the attacker to inject malicious data into the printing system without proper validation. Finally, CVE-2024-47177 enables the execution of arbitrary commands on the target system.

Network diagram of attack flow

The vulnerability in CUPS allows attackers to launch DDoS attacks by crafting malicious UDP packets that specify a target as a printer to be added. 

The vulnerable server then generates larger IPP/HTTP requests to the target, amplifying the attack and consuming network bandwidth and CPU resources on both the target and the server, that can be exacerbated by padding the URI payload, included twice in the IPP/HTTP request, further increasing the impact of the attack.

An attacker can exploit a vulnerability in CUPS with a single UDP packet, where the packet tricks the CUPS service into fetching a malicious file disguised as an IPP attribute file from a target IP specified by the attacker. 

It triggers the CUPS service to initiate TCP connections to the target IP, sending partially attacker-controlled data in the IPP/HTTP request. The cups-browsed daemon logs show these attempts to fetch IPP attributes from the target. 

CUPS service establishing a connection to the target

The Akamai discovered a significant vulnerability in CUPS servers that could lead to DDoS amplification and remote code execution. Approximately 34% of the 198,000+ CUPS servers on the public internet were found to be vulnerable.

The amplification factor for the attack can vary widely, with a worst-case scenario potentially generating 6 GB of traffic per attack packet, which could pose a significant threat to organizations running affected CUPS servers, as they could disrupt services and consume valuable resources.

Minimal viable amplification flow

A vulnerability in CUPS (Common Unix Printing System) allows attackers to turn vulnerable CUPS services into DDoS weapons. By sending a single malicious UDP packet, attackers can exploit CUPS to make outbound TCP connections to a target server, overwhelming it with requests, which affects systems running cups-browsed packaged with cup filters. 

Mitigations include updating to the latest CUPS version, removing CUPS entirely if printing is not needed, or firewalling service ports (UDP/631), while DDoS victims can identify attack traffic by looking for specific patterns in User-Agent strings, HTTP headers, and POST data.  

Also Read:

Kaaviya
Kaaviyahttps://cyberpress.org/
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She is covering various cyber security incidents happening in the Cyber Space.

Recent Articles

Related Stories

LEAVE A REPLY

Please enter your comment!
Please enter your name here