Researchers at Akamai have drawn attention to a distributed denial of service (DDoS) angle in a set of four vulnerabilities in the Common Unix Printing System (CUPS) that were originally disclosed as a remote code execution (RCE) chain. Discovered by security researcher Simone Margaritelli, known as evilsocket, the vulnerabilities, CVE-2024-47176, CVE-2024-47076, CVE-2024-47175 and CVE-2024-47177, affect more than 76,000 internet-exposed devices, with the possibility of affecting many more.
CUPS is the printing system used on most Linux and Unix-like machines; it lets an ordinary computer act as a print server. Its cups-browsed component accepts printer announcements on UDP port 631 from any source, which is the entry point for the RCE chain: a remote attacker gets a vulnerable host to add a "ghost" printer whose Internet Printing Protocol (IPP) URL points at an attacker-controlled server, and code execution follows when a print job is sent to that printer. While analyzing Margaritelli's findings, however, Akamai researchers Larry Cashdollar, Kyle Lefton and Chad Seaman noticed that the same announcement mechanism can be turned into a DDoS reflector. Although reflection attacks are less severe than RCE, they still pose considerable risk and are easy to mount.
The researchers noted that launching a DDoS attack via CUPS requires minimal resources. An attacker could enlist every exposed CUPS service in a matter of seconds, and renting the sending capacity from a modern hyperscaler would make the attack remarkably cheap, potentially under a single US cent. Only one packet to each vulnerable CUPS service is needed to trigger its contribution to the attack.
“The issue arises when a crafted packet pointing to a target’s address is sent to be added as a printer,” they explained in a technical report detailing the DDoS threat. “For every packet sent, the vulnerable CUPS server generates a larger, partially attacker-controlled IPP/HTTP request aimed at the designated target. Consequently, both the target and the CUPS server host become victims, consuming network bandwidth and CPU resources.”
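The reflection described above can be modelled end to end. The block below is an added illustration and is not Akamai's or evilsocket's code. It parses a constructed cups-browsed announcement datagram (the legacy CUPS Browsing text format, `<type> <state> <uri> "location" "info" "make-and-model"`, which cups-browsed reads on UDP 631), flags announcements whose printer host is not a known local printer, and builds the HTTP POST carrying an IPP Get-Printer-Attributes request (RFC 8010 encoding) that the daemon would aim at the announced host, so that the bandwidth ratio between trigger and reflected request can be measured. The IP addresses, the allowlist, the HTTP headers and the exact set of requested attributes are assumptions made for the example, so the ratio it reports is illustrative rather than a measurement of any real CUPS build.

```python
# Added example: models the CUPS reflection described in the text.
# Not Akamai's or evilsocket's code; addresses, headers and the
# requested-attributes list are assumptions for illustration only.
import shlex
import struct
from urllib.parse import urlsplit

# Constructed sample datagram as cups-browsed would receive it on UDP 631:
# type=0 (remote printer), state=3 (idle), and a URI naming the reflection victim.
SAMPLE_BROWSE_PACKET = (
    b'0 3 http://203.0.113.10:631/printers/ghost "Lab" "Ghost printer" "Generic"'
)

# Hosts from which printer announcements are legitimately expected
# (assumed for the example; a real deployment supplies its own list).
ALLOWED_PRINTER_HOSTS = {"192.0.2.20", "192.0.2.21"}

# Attributes the reflected query asks for (assumed set; the real daemon's
# list differs, which only changes the size of the reflected request).
REQUESTED_ATTRIBUTES = [
    "printer-name", "printer-state", "printer-make-and-model",
    "printer-uri-supported", "document-format-supported",
    "media-supported", "printer-device-id",
]


def parse_browse_packet(packet: bytes) -> dict:
    """Split '<type> <state> <uri> "location" "info" "make-and-model"'.

    type and state are hexadecimal, matching the sscanf("%x%x%1023s")
    that cups-browsed uses; quoted fields may contain spaces.
    """
    fields = shlex.split(packet.decode("utf-8", errors="replace"))
    if len(fields) < 3:
        raise ValueError("truncated browse packet")
    return {
        "type": int(fields[0], 16),
        "state": int(fields[1], 16),
        "uri": fields[2],
        "location": fields[3] if len(fields) > 3 else "",
        "info": fields[4] if len(fields) > 4 else "",
        "model": fields[5] if len(fields) > 5 else "",
    }


def is_suspicious(packet: bytes, allowed=frozenset(ALLOWED_PRINTER_HOSTS)) -> bool:
    """The check a defender wants: announce a printer only from known hosts."""
    host = urlsplit(parse_browse_packet(packet)["uri"]).hostname
    return host not in allowed


def _ipp_attr(tag: int, name: str, value: str) -> bytes:
    """One RFC 8010 attribute: tag, name-length, name, value-length, value.
    An empty name encodes an additional value of the preceding attribute."""
    n, v = name.encode(), value.encode()
    return struct.pack("!BH", tag, len(n)) + n + struct.pack("!H", len(v)) + v


def ipp_get_printer_attributes(printer_uri: str, request_id: int = 1) -> bytes:
    """Binary IPP/2.0 Get-Printer-Attributes request (operation-id 0x000B)."""
    body = struct.pack("!HHI", 0x0200, 0x000B, request_id)
    body += b"\x01"                                   # operation-attributes-tag
    body += _ipp_attr(0x47, "attributes-charset", "utf-8")
    body += _ipp_attr(0x48, "attributes-natural-language", "en")
    body += _ipp_attr(0x45, "printer-uri", printer_uri)
    body += _ipp_attr(0x44, "requested-attributes", REQUESTED_ATTRIBUTES[0])
    for keyword in REQUESTED_ATTRIBUTES[1:]:
        body += _ipp_attr(0x44, "", keyword)           # additional-value form
    body += b"\x03"                                   # end-of-attributes-tag
    return body


def reflected_http_request(browse: dict) -> bytes:
    """The HTTP POST the reflector sends to the host named in the announcement."""
    target = urlsplit(browse["uri"])
    body = ipp_get_printer_attributes(browse["uri"])
    headers = (
        f"POST {target.path or '/'} HTTP/1.1\r\n"
        f"Host: {target.netloc}\r\n"
        "Content-Type: application/ipp\r\n"
        "User-Agent: CUPS/2.4 (example)\r\n"     # assumed header set
        f"Content-Length: {len(body)}\r\n\r\n"
    )
    return headers.encode() + body


def amplification_factor(packet: bytes) -> float:
    """Bytes sent toward the victim per byte the attacker spends on the trigger."""
    return len(reflected_http_request(parse_browse_packet(packet))) / len(packet)


if __name__ == "__main__":
    info = parse_browse_packet(SAMPLE_BROWSE_PACKET)
    print("announced printer:", info["uri"], "suspicious:", is_suspicious(SAMPLE_BROWSE_PACKET))
    print(f"reflected request is {amplification_factor(SAMPLE_BROWSE_PACKET):.1f}x the trigger")
```

The per-packet ratio is the "larger, partially attacker-controlled" request in the quotation below: the attacker pays for a short UDP datagram and the reflector emits a full HTTP request, with the printer URI it chose echoed inside it. The allowlist check is the mitigation a practitioner would want at the same point, since a printer announcement naming a host outside the local printer fleet has no legitimate reason to arrive.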
The researchers estimate that more than 198,000 internet-connected devices are reachable over this attack vector, of which approximately 58,000 could be enlisted as DDoS reflectors. Many of these devices run outdated versions of CUPS, some as old as version 1.3 from 2007, which leaves them unpatched and readily available to attackers looking to amplify a DDoS campaign.
If every identified vulnerable host were used in a single campaign, the resulting malicious traffic could reach up to 6 GB. That is not large by contemporary DDoS standards, but it is enough to cause real trouble. More alarmingly, Akamai's testing found that some active CUPS servers kept sending requests long after the initial trigger, with some looping endlessly after receiving HTTP 404 responses from the target. A reflector that keeps transmitting on its own turns one trigger packet into an open-ended stream, so the effective amplification can be far greater than the per-packet ratio suggests.
“New DDoS attack vectors often emerge and are quickly exploited by opportunistic attackers with low skills. The CUPS vulnerabilities and the vast number of devices that can be targeted suggest it is likely that defenders will encounter attacks utilizing this exploit,” the researchers stated. “Until efforts to reduce the number of vulnerable and exposed devices on the internet gain momentum, we anticipate this attack vector will be exploited in the wild.”
Mayur Upadhyaya, CEO of APIContext, likened the CUPS vulnerability to finding a hidden amplifier within an otherwise ordinary speaker system. “A small action can turn a whisper into a deafening roar, overwhelming everything around it. Similarly, this flaw amplifies even minor signals, enabling attackers to unleash a torrent of traffic that overwhelms targeted systems.”