
Cups Linux printing bugs open door to DDoS attacks, says Akamai

by Admin

A series of four vulnerabilities in the Common Unix Printing System, or Cups, leading to remote code execution (RCE) appear to contain a nasty sting in their tail, according to researchers at Akamai, who earlier this week revealed evidence that they could also enable a crippling distributed denial of service (DDoS) attack.

CVE-2024-47176, CVE-2024-47076, CVE-2024-47175 and CVE-2024-47177 collectively affect more than 76,000 devices and possibly many more. They were discovered and disclosed at the end of September by researcher Simone Margaritelli, aka evilsocket.

They enable Cups, which exists to allow an ordinary computer to act as a print server, to be exploited as a vector for RCE if an attacker can successfully add a “ghost” printer with a malicious Internet Printing Protocol (IPP) URL to a vulnerable machine and start a print job on it.

But according to Akamai researchers Larry Cashdollar, Kyle Lefton and Chad Seaman, when reviewing Margaritelli’s disclosure, they saw the possibility of Cups being exploited to launch DDoS attacks which, although less severe than RCE, still cause significant disruption and are easily abused for malicious ends.


The trio of researchers claim that of particular concern in this instance is that it would take limited resources to launch a DDoS attack via Cups – the task of co-opting every vulnerable exposed Cups service could take mere seconds, and if a threat actor has access to a modern hyperscaler platform, could cost less than a single US cent. Moreover, to begin the attack, the attacking system only needs to send a single packet to a vulnerable Cups service.

“The problem arises when an attacker sends a crafted packet specifying the address of a target as a printer to be added,” they wrote in a technical write-up explaining the DDoS risk.

“For each packet sent, the vulnerable Cups server will generate a larger and partially attacker-controlled IPP/HTTP request directed at the specified target. As a result, not only is the target affected, but the host of the Cups server also becomes a victim, as the attack consumes its network bandwidth and CPU resources.”

They believe there could be more than 198,000 devices in the wild that are accessible on the internet and vulnerable to this attack vector, and about 58,000 of those could be used for DDoS attacks.

They added that given many of these devices are running older versions of Cups – some dating all the way back to version 1.3, which dropped in 2007 – threat actors have a golden opportunity to take advantage of outdated hardware to amplify their DDoS attacks.

Assuming all 58,000-plus of the identified hosts were used in the same campaign, they could cause a flood of up to 6GB of malicious traffic, which is not by any means a particularly large DDoS attack by modern standards, but could still be problematic.


Perhaps more concerningly, the Akamai team’s testing also found that some of the active Cups servers beaconed back repeatedly after receiving the initial request, and some appeared to do so infinitely after receiving HTTP/404 responses. They said this demonstrated that the potential amplification from the issue was fairly large and capable of causing significant issues.

“New DDoS attack vectors are sometimes found, and often quickly abused, by low-skilled opportunistic attackers. This vulnerability in CUPS and the large population of devices that could be abused in this manner lead us to believe that it is likely that defenders may encounter CUPS-based attacks,” they said.

“Until messaging and cleanup efforts get traction to reduce the number of devices that are vulnerable and exposed on the internet, we suspect this vector will see abuse in the wild.”

APIContext CEO Mayur Upadhyaya commented: “The CUPS vulnerability is akin to finding a hidden amplifier in a seemingly ordinary speaker system. A tiny tap can turn a whisper into a deafening roar, overwhelming the surroundings. Similarly, this flaw magnifies even small signals, allowing attackers to unleash a torrent of traffic, drowning targeted systems.”


© 2024 cyberbeatnews.com – All Rights Reserved.