Heimdal

A newly discovered vulnerability in the open-source CUPS (Common Unix Printing System) printing system can be used by threat actors to launch DDoS attacks with a 600x amplification factor.

Tracked as CVE-2024-47176, the security flaw in the cups-browsed daemon can be chained with three other bugs to give threat actors remote code execution on Unix-like systems via a single UDP packet.

The vulnerability can be triggered when an attacker sends a specially crafted packet, tricking the CUPS server into treating a target as a printer to be added.

Sending one such packet to a susceptible CUPS server causes it to send a much larger IPP/HTTP request to the target. This consumes bandwidth and CPU on both the CUPS server and the target.

How the Attack Works

A threat actor only has to send one packet to a vulnerable CUPS service that is exposed to the internet to start such an attack.

Out of the more than 198,000 devices that are exposed, Akamai experts believe that about 58,000 servers might be used in DDoS attacks.

Additionally, hundreds of susceptible devices exhibited an “infinite loop” of requests: certain CUPS servers kept sending requests again after receiving an initial probe, and others entered an unending loop in response to particular HTTP/404 errors.

Many of these susceptible workstations were running obsolete versions of CUPS (reaching as far back as 2007), which are easy targets for cybercriminals who can exploit them to establish botnets via the RCE chain or use them for DDoS amplification.

The researchers noted that in the worst case they observed, a single probe generated an endless stream of attempted connections and requests. These flows appear to have no end and continue until the daemon is killed or restarted.
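A flow-level detector for the pattern described above (one inbound UDP/631 datagram from outside, followed by a burst of much larger outbound IPP/HTTP requests to an external host, possibly repeating in a loop), added here as an example and not taken from the article or from Akamai; the print server address, internal ranges, thresholds and sample flow records are all constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed, constructed values: the monitored print server and the site's internal ranges.
CUPS_HOST = "10.0.0.5"
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
WINDOW_S = 10.0       # seconds after a trigger datagram during which outbound traffic is attributed to it
AMP_THRESHOLD = 10.0  # flag when outbound bytes exceed the trigger datagram by this factor
LOOP_THRESHOLD = 5    # flag when the server keeps reconnecting to the same target

@dataclass
class Flow:
    ts: float      # seconds since epoch
    proto: str     # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int    # bytes sent from src to dst

def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)

def find_amplification(flows, cups_host=CUPS_HOST):
    """Correlate each external UDP/631 datagram with the outbound IPP/HTTP traffic that follows it."""
    flows = sorted(flows, key=lambda f: f.ts)
    triggers = [f for f in flows
                if f.proto == "udp" and f.dst == cups_host and f.dport == 631 and not is_internal(f.src)]
    findings = []
    for trig in triggers:
        sent, conns = defaultdict(int), defaultdict(int)
        for f in flows:
            if (f.proto == "tcp" and f.src == cups_host and not is_internal(f.dst)
                    and trig.ts <= f.ts <= trig.ts + WINDOW_S):
                sent[f.dst] += f.nbytes
                conns[f.dst] += 1
        for target, nbytes in sent.items():
            ratio = nbytes / trig.nbytes
            if ratio >= AMP_THRESHOLD or conns[target] >= LOOP_THRESHOLD:
                findings.append({"trigger_src": trig.src, "target": target,
                                 "connections": conns[target], "amplification": ratio})
    return findings

# Constructed sample: one 120-byte probe, then the server sends 12 IPP requests to the named "printer".
SAMPLE = [Flow(100.0, "udp", "203.0.113.7", 40001, CUPS_HOST, 631, 120)]
SAMPLE += [Flow(100.2 + 0.5 * i, "tcp", CUPS_HOST, 50000 + i, "198.51.100.20", 631, 1800) for i in range(12)]
SAMPLE += [Flow(101.0, "udp", "10.0.0.8", 631, CUPS_HOST, 631, 90),      # legitimate LAN browse packet, ignored
           Flow(101.5, "tcp", CUPS_HOST, 50100, "10.0.0.9", 631, 1800)]  # job to an internal printer, ignored

if __name__ == "__main__":
    for hit in find_amplification(SAMPLE):
        print(f"{hit['trigger_src']} -> {hit['target']}: {hit['connections']} connections, "
              f"{hit['amplification']:.0f}x amplification")
```

On real data, feed the function records exported from NetFlow, Zeek conn logs or a firewall, and treat any hit as a host whose cups-browsed service is reachable from the internet and should be patched or disabled.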

Carrying out this DDoS amplification attack takes very little time and few resources. According to Akamai, a threat actor could quickly and easily take over all publicly accessible CUPS services on the internet.

Administrators can reduce the likelihood of their systems being added to a botnet or used in DDoS attacks by applying the patch as soon as possible or by disabling the cups-browsed service.


Author Profile

Cristian Neagu

CONTENT EDITOR


Cristian is a Content Editor & Creator at Heimdal®, where he has developed a deep understanding of the digital threat landscape. His writing reaches both technical and non-technical readers, communicating cybersecurity practices clearly and in an easy-to-understand manner.
