Unix Printing Vulnerabilities Enable Easy DDoS Attacks


It appears that remote code execution is not the only way attackers can leverage a critical set of four vulnerabilities that a researcher recently disclosed in the Common Unix Printing System (CUPS), the software used to manage printers and print jobs.

The vulnerabilities apparently also allow adversaries to stage substantial distributed denial-of-service (DDoS) attacks in mere seconds and at a cost of less than 1 cent, using any modern cloud platform.

Large Number of Potential DDoS Attack Systems

Some 58,000 Internet-exposed devices are currently vulnerable to the attack and can be relatively easily co-opted into launching an endless stream of attempted connections and requests at target systems. An attacker that corralled all 58,000 vulnerable hosts could send a small request to each vulnerable CUPS host and get them to direct between 1GB and 6GB of useless data at a target system.

“Although these bandwidth numbers may not be considered earth-shattering, they would still result in the target's need to handle roughly 2.6 million TCP connections and HTTP requests in either scenario,” researchers at Akamai said this week after discovering the new attack vector.

CUPS is an Internet Printing Protocol (IPP)-based open source printing system for Unix-like operating systems, including Linux and macOS. It provides a standard way for computers to manage printers and print jobs.

Independent security researcher Simone Margaritelli last week disclosed a serious flaw in CUPS that could allow an attacker to remotely execute malicious commands by manipulating URLs using a combination of four different vulnerabilities. The vulnerabilities are CVE-2024-47176 in “cups-browsed,” a component for simplifying printer discovery and management in a network; CVE-2024-47076 in the “libcupsfilters” software library; CVE-2024-47175 in the “libppd” library; and CVE-2024-47177 in the “cups-filters” package.

Margaritelli described the vulnerabilities as affecting most GNU/Linux distributions, some BSDs, Oracle Solaris, potentially Google Chrome OS and Chromium, and other operating systems. “The short version of this exploit is that certain configurations of cups-browsed as well as related CUPS libraries each have vulnerabilities that, put together, allow an attacker to execute arbitrary commands against a target system” and potentially gain control of it, open source and software bill of materials management vendor Fossa said in an analysis.

All It Takes Is a Single Packet

Margaritelli's research focused on how attackers could leverage the vulnerabilities to take control of CUPS hosts. What Akamai found is that a threat actor could also use them for DDoS attacks. “The problem arises when an attacker sends a crafted packet specifying the address of a target as a printer to be added,” Akamai said. “For each packet sent, the vulnerable CUPS server will generate a larger and partially attacker-controlled IPP/HTTP request directed at the specified target.” Akamai found that all it takes for someone to launch an attack is to send a single maliciously crafted packet to a vulnerable CUPS service with Internet connectivity.

Kyle Lefton, security researcher at Akamai, says that while the previously reported RCE exploit is more dangerous, the DDoS vulnerability is much easier for a threat actor to exploit. “It's likely that organizations may start seeing attacks leveraging this vulnerability, which causes issues for not just the targets of these DDoS attacks, but those running the vulnerable CUPS servers as well,” he says. “The key takeaway here is to emphasize the importance of patching outdated CUPS systems, or applying other mitigation strategies, such as removing CUPS if deemed unnecessary, or applying firewall rules for UDP port 631 and keeping them from accessing the public Internet.”
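The exposure Lefton's advice addresses is a cups-browsed listener reachable on UDP/631 from outside. The script below is an added example (not code from the article, Akamai, or the CUPS project) that parses the output of `ss -lunp` (listening UDP sockets with the owning process) and reports any cups-browsed socket bound to a non-loopback address, then emits iptables rules of the kind the quote describes. `SAMPLE_SS` is a constructed sample in ss's output format so the check can be exercised offline; `audit_live()` runs the real command, which shows process names for other users' sockets only when run as root.

```python
"""Check a host for a network-exposed cups-browsed listener.

Added example, not code from the article, Akamai, or the CUPS project.
It parses `ss -lunp` output and flags cups-browsed sockets on UDP/631 that
are bound to a non-loopback address. SAMPLE_SS is a constructed sample.
"""
import ipaddress
import re
import subprocess

# One socket line of `ss -lunp`: state, queues, local addr:port, peer, process.
SOCK_RE = re.compile(
    r'^UNCONN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"'
)

# Constructed sample: chronyd on loopback (fine), cups-browsed on the
# IPv4 and IPv6 wildcard addresses (reachable from the network).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0      127.0.0.1:323     0.0.0.0:*     users:(("chronyd",pid=611,fd=5))
UNCONN 0      0      0.0.0.0:631       0.0.0.0:*     users:(("cups-browsed",pid=1234,fd=7))
UNCONN 0      0      [::]:631          [::]:*        users:(("cups-browsed",pid=1234,fd=8))
"""


def is_loopback(addr: str) -> bool:
    """True only for an explicit loopback bind; '*' and wildcards are not."""
    if addr == "*":
        return False
    try:
        return ipaddress.ip_address(addr.strip("[]").split("%")[0]).is_loopback
    except ValueError:
        return False


def exposed_sockets(ss_output: str, port: int = 631, process: str = "cups-browsed"):
    """Return (bind address, port) pairs where `process` listens on UDP `port`
    on a non-loopback address. An empty list means no network exposure."""
    found = []
    for line in ss_output.splitlines():
        m = SOCK_RE.match(line)
        if not m:
            continue  # header line, or a socket whose process is not visible
        addr, p, proc = m.group(1), int(m.group(2)), m.group(3)
        if p == port and proc == process and not is_loopback(addr):
            found.append((addr, p))
    return found


def firewall_rules(allowed_cidrs, port: int = 631):
    """iptables commands that accept UDP `port` only from the given networks
    and drop everything else: one form of the 'firewall rules for UDP port
    631' mentioned in the article. Review them before applying."""
    rules = [f"iptables -A INPUT -p udp --dport {port} -s {cidr} -j ACCEPT"
             for cidr in allowed_cidrs]
    rules.append(f"iptables -A INPUT -p udp --dport {port} -j DROP")
    return rules


def audit_live():
    """Run the check against this host's real socket table."""
    out = subprocess.run(["ss", "-lunp"], capture_output=True,
                         text=True, check=True).stdout
    return exposed_sockets(out)


if __name__ == "__main__":
    for addr, port in exposed_sockets(SAMPLE_SS):
        print(f"cups-browsed bound to {addr}:{port} (reachable from the network)")
    for rule in firewall_rules(["10.0.0.0/8"]):
        print(rule)
```

Replace `exposed_sockets(SAMPLE_SS)` with `audit_live()` in the main block to audit a real host; the allowed CIDRs passed to `firewall_rules` should be the site's own printer subnets, which is an assumption of this example rather than anything the article specifies.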

Akamai researchers found a total of 198,000 vulnerable CUPS hosts that are Internet accessible. Of those, 34%, or more than 58,000, are vulnerable to corralling for DDoS attacks. Akamai found that a threat actor could get these systems to start spewing out attack traffic by using a simple script to send a single malicious UDP packet to a vulnerable CUPS host. They found they could significantly amplify attack traffic volumes by padding, that is, adding extra and often irrelevant characters or data, to the URL payload.
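From the defender's side, the pattern Akamai describes (one small inbound UDP/631 datagram, then a burst of larger outbound HTTP/IPP requests from the print server toward a single external address) is visible in connection logs. The detector below is an added example, not code from the article or from Akamai; it assumes a constructed flow-log format, an assumed internal range of 10.0.0.0/8, and documentation-range addresses standing in for the external sender and target. It reports, per trigger packet, how many outbound connections followed and the byte-level amplification relative to the trigger.

```python
"""Flag CUPS-style reflection in connection logs.

Added example, not code from the article or from Akamai. Assumed record
format, one flow per line:
    <ISO time> <UDP|TCP> <src>:<sport> -> <dst>:<dport> <bytes>
"""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

SITE = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address range
LINE_RE = re.compile(r"^(\S+) (UDP|TCP) (\S+):(\d+) -> (\S+):(\d+) (\d+)$")

# Constructed sample: 10.0.5.20 is a print server; 203.0.113.9 and
# 198.51.100.7 are documentation-range stand-ins for an external sender
# and an external target. The last two lines are ordinary LAN printer
# discovery traffic and must not alert.
SAMPLE_FLOWS = """\
2024-10-01T12:00:00 UDP 203.0.113.9:40000 -> 10.0.5.20:631 120
2024-10-01T12:00:01 TCP 10.0.5.20:50001 -> 198.51.100.7:80 2100
2024-10-01T12:00:01 TCP 10.0.5.20:50002 -> 198.51.100.7:80 2100
2024-10-01T12:00:02 TCP 10.0.5.20:50003 -> 198.51.100.7:443 2300
2024-10-01T12:00:02 TCP 10.0.5.20:50004 -> 198.51.100.7:80 2100
2024-10-01T12:00:03 TCP 10.0.5.20:50005 -> 198.51.100.7:443 2300
2024-10-01T12:05:00 UDP 10.0.5.30:631 -> 10.255.255.255:631 80
2024-10-01T12:05:01 TCP 10.0.5.20:50010 -> 10.0.5.30:631 400
"""


@dataclass(frozen=True)
class Flow:
    ts: datetime
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int


@dataclass(frozen=True)
class Alert:
    print_server: str
    trigger_src: str
    target: str
    connections: int
    amplification: float  # bytes sent toward target / bytes in the trigger


def parse_flows(text: str) -> list[Flow]:
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed records rather than abort the run
        ts, proto, src, sport, dst, dport, nbytes = m.groups()
        flows.append(Flow(datetime.fromisoformat(ts), proto, src, int(sport),
                          dst, int(dport), int(nbytes)))
    return sorted(flows, key=lambda f: f.ts)


def is_external(addr: str) -> bool:
    return ipaddress.ip_address(addr) not in SITE


def detect_reflection(flows: list[Flow], window: timedelta = timedelta(seconds=10),
                      min_connections: int = 3) -> list[Alert]:
    """One alert per (trigger packet, external target) pair that reaches
    `min_connections` outbound TCP connections inside `window`."""
    alerts = []
    for trig in flows:
        # Candidate trigger: UDP/631 into an internal host from outside the site.
        if not (trig.proto == "UDP" and trig.dport == 631
                and is_external(trig.src) and not is_external(trig.dst)):
            continue
        per_target = defaultdict(lambda: [0, 0])  # target -> [connections, bytes]
        for f in flows:
            if (f.proto == "TCP" and f.src == trig.dst and is_external(f.dst)
                    and trig.ts <= f.ts <= trig.ts + window):
                per_target[f.dst][0] += 1
                per_target[f.dst][1] += f.nbytes
        for target, (conns, nbytes) in per_target.items():
            if conns >= min_connections:
                alerts.append(Alert(trig.dst, trig.src, target, conns,
                                    nbytes / max(trig.nbytes, 1)))
    return alerts


if __name__ == "__main__":
    for a in detect_reflection(parse_flows(SAMPLE_FLOWS)):
        print(f"{a.print_server} sent {a.connections} connections to {a.target} "
              f"within seconds of UDP/631 from {a.trigger_src} "
              f"(~{a.amplification:.0f}x the trigger's bytes)")
```

The thresholds (a 10-second window, three connections) are assumptions chosen for the sample; on real flow exports they should be tuned against the site's normal printer traffic, and the internal-range check adapted to the site's address plan.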

Larry Cashdollar, principal security researcher at Akamai, says the vulnerability of a CUPS host to the DDoS attack really depends on its configuration. “It's possible that network administrators might have additional firewalls in place to block outbound traffic from the printers or that system administrators have done their hardening of the printer servers,” on the other vulnerable hosts, Cashdollar says.

Strain on Server Hardware

Troublingly, even though organizations running vulnerable CUPS systems may not be the target of DDoS attacks, the attacks themselves can put strain on the server hardware, Lefton adds. “We confirmed that some of these CUPS systems complete TLS handshakes to HTTPS protected websites, which creates extra strain on server hardware and resource consumption overhead due to handshake and encryption/decryption processing.”

DDoS attacks, though well understood, continue to present a challenge for many organizations. Though many companies have implemented robust measures for protecting against DDoS attacks and mitigating fallout, the number of these attacks has only increased. Recent numbers from Cloudflare showed a 20% year-over-year increase in DDoS attacks; the company said it mitigated 8.5 million DDoS attacks just in the first six months of this year. Cloudflare attributed the trend at least partly to more threat actors gaining access to capabilities that once were available only to nation-state actors, due to the rise in generative AI (GenAI) tools and autopilot systems for writing attack code better and faster.
