October 3, 2024 at 06:36PM
A vulnerability in the Common Unix Printing System allows threat actors to initiate DDoS attacks with a 600x amplification factor. This exploit, triggered by a single UDP packet, can quickly recruit vulnerable servers for attacks and cause an “infinite loop” of requests, especially on outdated CUPS versions. Akamai and Cloudflare advise deploying patches or disabling the cups-browsed service to mitigate the risk.
The meeting notes outline a serious vulnerability in the open-source Common Unix Printing System (CUPS) that poses a significant risk of exploitation by threat actors: it can be used to launch distributed denial-of-service (DDoS) attacks with a 600x amplification factor. The issue stems from a security flaw in the cups-browsed daemon, which can be chained with three other bugs to gain remote code execution on Unix-like systems from a single UDP packet, and which can also be leveraged on its own to amplify DDoS traffic.
The attack is initiated by sending a specially crafted packet to a vulnerable CUPS server, tricking it into treating the intended target as a printer to be added. In response to each such packet, the vulnerable CUPS server generates larger IPP/HTTP requests aimed at the targeted device, consuming the target's bandwidth and CPU resources. A malicious actor can start this with nothing more than a single packet sent to an exposed, vulnerable CUPS service on the internet.
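A defender watching UDP/631 traffic can flag the announcements that would trigger this behaviour before cups-browsed acts on them. The following detector is an added example, not code from the article or from the CUPS project; it assumes the legacy CUPS browse packet layout (`<type> <state> <uri> "<location>" "<info>" "<make-and-model>" ...`), a site-specific list of trusted printer networks, and constructed sample datagrams.

```python
"""Flag CUPS browse announcements that point cups-browsed at a non-local host."""
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption: legacy CUPS browse packet layout, "<type> <state> <uri> "loc" "info" "model"".
BROWSE_RE = re.compile(r'^(?P<type>[0-9a-fA-Fx]+)\s+(?P<state>\d+)\s+(?P<uri>\S+)')

# Assumption: networks where real printers live at this site; adjust per environment.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample datagrams (source IP, UDP payload), not captured traffic.
SAMPLE_DATAGRAMS = [
    ("192.168.1.20", '0 3 ipp://192.168.1.20:631/printers/lab "Lab" "HP" "HP LaserJet 4"'),
    ("203.0.113.5", '0 3 http://198.51.100.77:80/printers/x "" "" ""'),
    ("203.0.113.5", "not a browse packet"),
]


def parse_browse_packet(payload: str):
    """Return {type, state, host, port} for a well-formed announcement, else None."""
    m = BROWSE_RE.match(payload.strip())
    if not m:
        return None
    parts = urlsplit(m.group("uri"))
    try:
        port = parts.port or 631
    except ValueError:  # non-numeric port in the URI
        return None
    if parts.scheme not in ("ipp", "ipps", "http", "https") or not parts.hostname:
        return None
    return {"type": m.group("type"), "state": m.group("state"),
            "host": parts.hostname, "port": port}


def classify(src_ip: str, payload: str) -> str:
    """Classify one datagram: 'ok', 'malformed', or 'external-target'."""
    rec = parse_browse_packet(payload)
    if rec is None:
        return "malformed"
    try:
        target = ipaddress.ip_address(rec["host"])
    except ValueError:
        return "external-target"  # hostnames are resolved later; treat as untrusted
    if any(target in net for net in TRUSTED_NETS):
        return "ok"
    return "external-target"  # cups-browsed would send IPP/HTTP requests off-site


def alerts(datagrams):
    """Return (src_ip, verdict) for every datagram that is not 'ok'."""
    return [(src, classify(src, p)) for src, p in datagrams if classify(src, p) != "ok"]
```

Run `alerts(SAMPLE_DATAGRAMS)` on a live feed of UDP/631 payloads to surface the announcements that would turn the server into an amplifier.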
It’s estimated that around 58,000 servers out of over 198,000 exposed devices could be recruited for DDoS attacks. Moreover, numerous vulnerable devices exhibited an “infinite loop” of requests: some CUPS servers kept sending requests after receiving a single initial probe, and others entered an endless loop in response to specific HTTP/404 errors.
The attack also requires minimal resources and little time to execute; Akamai warns that a threat actor could take control of every exposed CUPS service on the internet in seconds. To mitigate this risk, administrators are advised to deploy the CVE-2024-47176 patches or to disable the cups-browsed service.
DDoS continues to be a viable attack vector used to harass and disrupt victims across the internet, so administrators should act immediately to prevent their servers from being added to a botnet or used as amplifiers in DDoS attacks.