Unix Printing Vulnerabilities Enable Easy DDoS Attacks

Published: 23/11/2024   Category: security




All an attacker needs to exploit flaws in the Common Unix Printing System is a few seconds and less than 1 cent in computing costs.



It turns out that remote code execution is not the only way attackers can leverage a critical set of four vulnerabilities that a researcher recently disclosed in the Common Unix Printing System (CUPS) for managing printers and print jobs.
The vulnerabilities apparently also enable adversaries to stage substantial distributed denial-of-service (DDoS) attacks in mere seconds and at a cost of less than 1 cent, using any modern cloud platform.
Some 58,000 Internet-exposed devices are currently vulnerable to the attack and can be relatively easily co-opted into launching an endless stream of attempted connections and requests at target systems. An attacker that corralled all 58,000 vulnerable hosts could send a small request to each vulnerable CUPS host and get them to direct between 1GB and 6GB of useless data at a target system.
Although these bandwidth numbers may not be considered earth-shattering, they would still leave the targets needing to handle roughly 2.6 million TCP connections and HTTP requests in either scenario, researchers at Akamai said this week after discovering the new attack vector.
CUPS is an Internet Printing Protocol (IPP)-based open source printing system for Unix-like operating systems, including Linux and macOS. It provides a standard way for computers to manage printers and print jobs.
Independent security researcher Simone Margaritelli last week disclosed a serious flaw in CUPS that could allow an attacker to remotely execute malicious commands by manipulating URLs using a combination of four different vulnerabilities. The vulnerabilities are CVE-2024-47176 in cups-browsed, a component for simplifying printer discovery and management in a network; CVE-2024-47076 in the libcupsfilters software library; CVE-2024-47175 in the libppd library; and CVE-2024-47177 in the cups-filters package.
Margaritelli described the vulnerabilities as affecting most GNU/Linux distributions, some BSDs, Oracle Solaris, potentially Google Chrome OS and Chromium, and other operating systems. "The short version of this exploit is that certain configurations of cups-browsed as well as associated CUPS libraries each have vulnerabilities that, put together, allow an attacker to execute arbitrary commands against a target system and potentially gain control of it," open source and software bill of materials management vendor Fossa said in an analysis.
Margaritelli's research focused on how attackers could leverage the vulnerabilities to take control of CUPS hosts. What Akamai discovered is that a threat actor could also use them for DDoS attacks. "The problem arises when an attacker sends a crafted packet specifying the address of a target as a printer to be added," Akamai said. "For each packet sent, the vulnerable CUPS server will generate a larger and partially attacker-controlled IPP/HTTP request directed at the specified target." Akamai found that all it takes for someone to launch an attack is to send a single maliciously crafted packet to a vulnerable CUPS service with Internet connectivity.
Kyle Lefton, security researcher at Akamai, says that while the previously reported RCE exploit is more dangerous, the DDoS vulnerability is much easier for a threat actor to exploit. "It is likely that organizations may start seeing attacks leveraging this vulnerability, which causes issues for not just the targets of these DDoS attacks, but those running the vulnerable CUPS servers as well," he says. "The key takeaway here is to stress the importance of patching outdated CUPS systems, or applying other mitigation techniques, such as removing CUPS if deemed unnecessary, or applying firewall rules for UDP port 631 and keeping them from accessing the public Internet."
Akamai researchers discovered a total of 198,000 vulnerable CUPS hosts that are Internet accessible. Of those, 34%, or more than 58,000, are vulnerable to corralling for DDoS attacks. Akamai found that a threat actor could get these systems to start spewing out attack traffic by using a simple script to send a single malicious UDP packet to a vulnerable CUPS host. They found they could substantially amplify attack traffic volumes by padding — or adding extra and often irrelevant characters or data — to the URL payload.
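A defender-side detection sketch for the reflection pattern Akamai describes, added here as an example and not part of Akamai's research or this article: it scans flow records for an unsolicited UDP/631 datagram from outside RFC 1918 space followed by a burst of outbound IPP/HTTP connections from the same CUPS host, and reports the byte amplification per target. The flow-log format, the addresses, the time window and the connection threshold are all assumptions, and the records are constructed.

```python
"""Flag CUPS hosts that look co-opted into the reflection described above (assumed
flow-log format: timestamp proto src:port -> dst:port bytes; records constructed)."""
import ipaddress
from collections import defaultdict
from datetime import datetime

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SAMPLE_FLOWS = """\
2024-11-23T10:00:00 UDP 203.0.113.7:40000 -> 192.0.2.10:631 120
2024-11-23T10:00:01 TCP 192.0.2.10:50001 -> 198.51.100.5:80 1450
2024-11-23T10:00:01 TCP 192.0.2.10:50002 -> 198.51.100.5:80 1450
2024-11-23T10:00:02 TCP 192.0.2.10:50003 -> 198.51.100.5:443 2100
2024-11-23T10:00:05 UDP 10.0.0.3:40000 -> 192.0.2.11:631 90
2024-11-23T10:00:06 TCP 192.0.2.11:50001 -> 10.0.0.3:631 800
"""

def parse_flow(line):
    ts, proto, src, _, dst, nbytes = line.split()
    sip, _ = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"ts": datetime.fromisoformat(ts), "proto": proto, "sip": sip,
            "dip": dip, "dport": int(dport), "bytes": int(nbytes)}

def is_external(ip):
    # An unsolicited browse packet from outside RFC 1918 space is the trigger.
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in RFC1918)

def find_reflection(flows, window_s=10, min_conns=2):
    """Return {cups_host: {target: {connections, bytes, amplification}}}."""
    suspects = {}
    triggers = [f for f in flows if f["proto"] == "UDP" and f["dport"] == 631
                and is_external(f["sip"])]
    for trig in triggers:
        host = trig["dip"]
        per_target = defaultdict(lambda: {"connections": 0, "bytes": 0})
        for f in flows:  # outbound IPP/HTTP bursts from that host, within the window
            delta = (f["ts"] - trig["ts"]).total_seconds()
            if (f["proto"] == "TCP" and f["sip"] == host
                    and f["dport"] in (80, 443, 631) and 0 <= delta <= window_s):
                per_target[f["dip"]]["connections"] += 1
                per_target[f["dip"]]["bytes"] += f["bytes"]
        for target, stats in per_target.items():
            if stats["connections"] >= min_conns:  # bytes out per trigger byte in
                stats["amplification"] = round(stats["bytes"] / trig["bytes"], 1)
                suspects.setdefault(host, {})[target] = stats
    return suspects

def analyze_sample():
    return find_reflection([parse_flow(l) for l in SAMPLE_FLOWS.splitlines()])
```

The second trigger in the sample comes from a private address and is ignored, so only the host pointed at an external target is reported.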
Larry Cashdollar, principal security researcher at Akamai, says the vulnerability of a CUPS host to the DDoS attack really depends on its configuration. "It's possible that network administrators might have additional firewalls in place to block outbound traffic from the printers or that system administrators have done their hardening of the printer servers, on the other vulnerable hosts," Cashdollar says.
Troublingly, although organizations running vulnerable CUPS systems may not be the target of DDoS attacks, the attacks themselves can put strain on the server hardware, Lefton adds. "We confirmed that some of these CUPS systems complete TLS handshakes to HTTPS protected websites, which creates further strain on server hardware and resource consumption overhead due to the handshake and encryption/decryption processing."
DDoS attacks, though well understood, continue to present a challenge for many organizations. Though many companies have implemented robust measures for protecting against DDoS attacks and mitigating fallout, the number of these attacks has only increased.
Recent numbers from Cloudflare showed a 20% year-over-year increase in DDoS attacks; the company said it mitigated 8.5 million DDoS attacks just in the first six months of this year. Cloudflare attributed the trend at least partly to more threat actors gaining access to capabilities that once were available only to nation-state actors, thanks to the rise in generative AI (GenAI) tools and autopilot systems for writing attack code better and faster.
