
Experts warn of DDoS attacks using Linux printing vulnerability

A set of bugs that has caused alarm among cybersecurity experts may enable threat actors to launch powerful attacks designed to knock systems offline. 

Researchers at technology firm Akamai said on Tuesday that distributed denial-of-service (DDoS) attacks could be launched using four vulnerabilities affecting Common UNIX Printing System, also known as CUPS.

The vulnerabilities, which allow attackers to run malicious code on a remote device, were discovered by Italian security researcher Simone Margaritelli and disclosed last week. CUPS handles printing on many Linux-based systems, and the four bugs could help attackers alter that service and trick users into running malicious code.

CUPS comes with all Linux operating systems, most BSD systems and some Apple and Android-based computers, according to OpenSSF Technical Advisory Council chair Christopher Robinson. The four vulnerabilities are CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177.

Larry Cashdollar, principal security researcher at Akamai, said he was going through Margaritelli’s technical write-up about the four CUPS vulnerabilities when he discovered that another attack vector had not been discussed: DDoS.

“DDoS continues to be a viable attack vector used to harass and disrupt victims across the internet, from major industries and governments to small content creators, online shops, and gamers,” he said.

“The problem arises when an attacker sends a crafted packet specifying the address of a target as a printer to be added. For each packet sent, the vulnerable CUPS server will generate a larger and partially attacker-controlled IPP/HTTP request directed at the specified target. As a result, not only is the target affected, but the host of the CUPS server also becomes a victim, as the attack consumes its network bandwidth and CPU resources.”

Akamai’s Security Intelligence and Response Team (SIRT) said they found that more than 198,000 devices are vulnerable to this attack vector and are accessible on the public internet. About 34% — more than 58,000 — could be used for DDoS abuse.

There was significant controversy about the disclosure of the bugs, with Margaritelli writing on social media site X that the team behind CUPS was using its “energies to explain to the poor bastard that reported them how wrong he is, even tho he’s literally giving you [Proof of Concept] after [Proof of Concept] and systematically proving your assumptions about your own software wrong at every comment.” 

“This is just insane,” he added.

CUPS dating back to 2007

The initial concerns about the CUPS vulnerabilities were tempered when experts noted that remediation was fairly simple and exploitation is only available in a limited number of scenarios. Experts said people should simply update, remove or disable CUPS to protect themselves. 

Benjamin Harris, CEO of cybersecurity firm watchTowr, said CUPS itself is the software that handles printing on a Linux machine, and thus, by virtue of Linux not being a 'desktop' operating system in many environments in the same way that you'd see Windows, the impact and scope of the bugs is reduced.

“That being said, if you are using a desktop edition of Linux (say Ubuntu Desktop and for example, developers) – there is a good chance you have CUPS installed, but whether it is turned on in a vulnerable state is harder to predict,” Harris explained.

He added that the vulnerabilities impact less than a single-digit percentage of all deployed internet-facing Linux systems.

But Cashdollar said the limited resources required to initiate a successful attack highlight the danger.

“It would take an attacker mere seconds to co-opt every vulnerable CUPS service currently exposed on the internet,” he wrote. 

To begin the attack, Akamai claimed a threat actor would only have to send one packet to a vulnerable and exposed CUPS service with internet connectivity. A packet is a small segment of a larger message; data sent over computer networks is divided into packets.

“For each packet sent by a bad actor, the vulnerable CUPS server will generate a larger and partially attacker-controlled IPP/HTTP request directed at the specified target,” Akamai said. 

“As a result, not only is the target affected, but the host of the CUPS server also becomes a victim, as the attack consumes its network bandwidth and CPU resources.” 

The researchers noted that many of the identified machines are running older versions of CUPS dating back to 2007, giving threat actors prime real estate to exploit the bugs. 

Risky Biz reported this week that threat actors are scanning the internet for UNIX systems that are exposing their printing ports in an effort to abuse the CUPS bugs.  

Several experts, including OpenSSF’s Robinson, said the situation highlighted the need for organizations to have a better understanding of what services are running on their systems.

If something isn't being actively used, it should be shut off, he said.
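As an added illustration of that advice (not code from Akamai, OpenSSF or the article), the Python sketch below audits a host for the listener at issue: it parses `ss -H -uln` output and reports any UDP socket on port 631, the port the `cups-browsed` component named in CVE-2024-47176 listens on, that is bound to anything other than loopback. The port number and component name are details not stated in the article, and the sample output is constructed.

```python
import ipaddress

IPP_PORT = 631  # UDP 631: where cups-browsed listens for printer announcements

# Constructed sample of `ss -H -uln` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
UNCONN 0      0            0.0.0.0:631        0.0.0.0:*
UNCONN 0      0          127.0.0.1:631        0.0.0.0:*
UNCONN 0      0      127.0.0.53%lo:53         0.0.0.0:*
UNCONN 0      0               [::]:631           [::]:*
UNCONN 0      0         192.0.2.10:631        0.0.0.0:*
UNCONN 0      0            0.0.0.0:5353       0.0.0.0:*
"""

def classify_bind(addr):
    """Return how widely a local bind address is reachable."""
    addr = addr.strip("[]").split("%", 1)[0]  # drop IPv6 brackets and %iface
    if addr in ("*", "0.0.0.0", "::"):
        return "all-interfaces"
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unparsed"  # treated as exposed so it gets a manual look
    return "loopback" if ip.is_loopback else "single-interface"

def find_udp631_listeners(ss_output):
    """Return (local_address, scope) for every UDP socket on port 631."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        # `ss -tuln` prefixes a Netid column; `ss -uln` does not.
        if fields and fields[0].lower() == "udp":
            fields = fields[1:]
        if len(fields) < 4:
            continue
        addr, _, port = fields[3].rpartition(":")
        if port == str(IPP_PORT):
            findings.append((addr, classify_bind(addr)))
    return findings

def exposed(findings):
    """Bind addresses reachable from off-host: everything except loopback."""
    return [addr for addr, scope in findings if scope != "loopback"]

if __name__ == "__main__":
    for addr, scope in find_udp631_listeners(SAMPLE_SS_OUTPUT):
        print(f"udp/{IPP_PORT} bound to {addr}: {scope}")
```

On a real host, feed the function the output of `ss -H -uln`; any non-loopback result means the listener should be disabled, removed, updated or firewalled, as the experts quoted above recommend.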

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.