Recently patched CUPS flaw can be leveraged to amplify DDoS attacks

A recently disclosed vulnerability in the Common Unix Printing System (CUPS) open-source printing system can be exploited by threat actors to launch distributed denial-of-service (DDoS) attacks with a 600x amplification factor.

As Akamai security researchers found, the CVE-2024-47176 security flaw in the cups-browsed daemon, which can be chained with three other bugs to gain remote code execution on Unix-like systems via a single UDP packet, can also be leveraged to amplify DDoS attacks.

The vulnerability is triggered when an attacker sends a specially crafted packet, tricking a CUPS server into treating a target as a printer to be added.

Each packet sent to vulnerable CUPS servers prompts them to generate larger IPP/HTTP requests aimed at the targeted device. This impacts both the target and the CUPS server, consuming their bandwidth and CPU resources.
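The traffic pattern described above (a small inbound UDP packet on the cups-browsed port followed by much larger outbound IPP/HTTP traffic to the address that packet claimed to come from) is what a defender can look for in flow data. The script below is an added example, not Akamai's or the CUPS project's code; the addresses, byte counts and record format are constructed for the example, with 192.0.2.5 standing in for a CUPS host and 203.0.113.10 for the address it is tricked into flooding.

```shell
#!/bin/sh
# Added example (not from the article or Akamai): find the reflection pattern
# in flow records. Everything below is constructed sample data.
#
# Record format (one flow per line): direction proto src dst dport bytes
#   direction is "in" (towards the CUPS host) or "out" (from the CUPS host)
FLOWS_FILE="${TMPDIR:-/tmp}/cups_flows_sample.txt"
cat > "$FLOWS_FILE" <<'EOF'
in  udp 203.0.113.10 192.0.2.5    631 100
out tcp 192.0.2.5    203.0.113.10 631 20000
out tcp 192.0.2.5    203.0.113.10 631 20000
out tcp 192.0.2.5    203.0.113.10 631 20000
in  udp 198.51.100.7 192.0.2.5    631 150
out tcp 192.0.2.5    198.51.100.7 631 3000
in  udp 198.51.100.9 192.0.2.5    631 120
EOF

# amplification_ratio FILE CUPS_HOST PEER
# Prints the integer ratio of bytes the CUPS host sent to PEER over the bytes
# PEER (as claimed source) sent to the CUPS host on udp/631, the cups-browsed
# listener. A tiny inbound packet answered by a large outbound total to that
# same address is the amplification signature.
amplification_ratio() {
  awk -v host="$2" -v peer="$3" '
    $1 == "in"  && $2 == "udp" && $3 == peer && $4 == host && $5 == 631 { inb  += $6 }
    $1 == "out" && $3 == host && $4 == peer                              { outb += $6 }
    END { if (inb == 0) print 0; else printf "%d\n", outb / inb }
  ' "$1"
}

# amplification_report FILE CUPS_HOST THRESHOLD
# Lists "peer ratio" for every peer whose ratio is at least THRESHOLD,
# sorted by address so the output is stable. Peers with no inbound udp/631
# traffic are skipped; peers with no outbound traffic score 0.
amplification_report() {
  awk -v host="$2" -v thr="$3" '
    $1 == "in"  && $2 == "udp" && $4 == host && $5 == 631 { inb[$3]  += $6 }
    $1 == "out" && $3 == host                              { outb[$4] += $6 }
    END {
      for (p in inb)
        if (inb[p] > 0 && outb[p] / inb[p] >= thr)
          printf "%s %d\n", p, outb[p] / inb[p]
    }
  ' "$1" | sort
}

# With the constructed data, only 203.0.113.10 crosses a 50x threshold
# (60000 bytes out for 100 bytes in, the 600x the article cites).
amplification_report "$FLOWS_FILE" 192.0.2.5 50
```

On real data the input would be exported flow records with the same six fields; the 600x figure from the article is a useful threshold sanity check, but legitimate printer discovery traffic sits far below it, so a much lower threshold still separates the two.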

Starts with a single malicious UDP packet

To initiate such an attack, a malicious actor only needs to send a single packet to an exposed and vulnerable CUPS service. Akamai researchers estimate that around 58,000 servers, out of over 198,000 exposed devices, could be recruited for DDoS attacks.

Moreover, hundreds of vulnerable devices demonstrated an "infinite loop" of requests, with some CUPS servers repeatedly sending requests after receiving an initial probe and some servers entering an endless loop in response to specific HTTP/404 errors.

Many of these vulnerable machines were running outdated versions of CUPS (going as far back as 2007), which are easy targets for cybercriminals who can exploit them to build botnets via the RCE chain or use them for DDoS amplification.

“In the worst-case scenario, we observed what appeared to be an endless stream of attempted connections and requests as a result of a single probe. These flows appear to have no end, and will continue until the daemon is killed or restarted,” the Akamai researchers said.

“Many of these systems we observed in testing established thousands of requests, sending them to our testing infrastructure. In some cases, this behavior appeared to continue indefinitely.”

CUPS DDoS attack amplification (Akamai)

Seconds needed to pull off an attack

This DDoS amplification attack also requires minimal resources and little time to execute. Akamai warns that a threat actor could easily take control of every exposed CUPS service on the internet in seconds.

Admins are advised to deploy CVE-2024-47176 patches or stop the cups-browsed service from running to block potential attacks and mitigate the risk of having their servers added to a botnet or used in DDoS attacks.
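A quick way to check whether a host is still exposed in the way the article describes is to confirm that cups-browsed is not running and that its remote-browsing listener is switched off in its configuration. The audit script below is an added example, not code from the article, Akamai or the CUPS project. It assumes the standard `BrowseRemoteProtocols` directive of cups-browsed.conf (setting it to `none` stops the daemon listening for remote printer announcements); the two sample configuration files it writes are constructed for the example, and the live checks rely on `systemctl` and `ss` being present on the audited host.

```shell
#!/bin/sh
# Added example (not from the article or Akamai): audit a host for the
# cups-browsed exposure described in the article.
#   config_listener_disabled CONF  - is remote browsing turned off in a
#                                    cups-browsed.conf? (offline check)
#   live_exposure_check            - is cups-browsed active, and is anything
#                                    bound to udp/631? (run on the real host)

# config_listener_disabled CONF -> exit 0 if an uncommented
# "BrowseRemoteProtocols none" line is present, 1 otherwise
config_listener_disabled() {
  grep -Eiq '^[[:space:]]*BrowseRemoteProtocols[[:space:]]+none[[:space:]]*$' "$1"
}

# Constructed sample configs (not files taken from a real host)
WEAK_CONF="${TMPDIR:-/tmp}/cups-browsed.weak.conf"
HARD_CONF="${TMPDIR:-/tmp}/cups-browsed.hardened.conf"
cat > "$WEAK_CONF" <<'EOF'
# accepts printer announcements from the network
BrowseRemoteProtocols dnssd cups
EOF
cat > "$HARD_CONF" <<'EOF'
# BrowseRemoteProtocols dnssd cups   (old setting, commented out)
BrowseRemoteProtocols none
EOF

# audit_config CONF -> prints a verdict; returns 0 only when hardened
audit_config() {
  if config_listener_disabled "$1"; then
    echo "$1: remote browsing disabled (hardened)"
    return 0
  fi
  echo "$1: remote browsing enabled; patch CUPS, set 'BrowseRemoteProtocols none', or disable cups-browsed"
  return 1
}

# live_exposure_check -> returns 0 only if cups-browsed is inactive and
# nothing listens on udp/631. Not exercised by the sample run below.
live_exposure_check() {
  rc=0
  if command -v systemctl >/dev/null 2>&1 && systemctl is-active --quiet cups-browsed; then
    echo "cups-browsed is running; stop it with: systemctl disable --now cups-browsed"
    rc=1
  fi
  if command -v ss >/dev/null 2>&1 && ss -lun 2>/dev/null | grep -q ':631[[:space:]]'; then
    echo "a udp/631 listener is bound; the host can receive the single-packet probe"
    rc=1
  fi
  return $rc
}

# Sample run over the two constructed configs
audit_config "$WEAK_CONF" || true
audit_config "$HARD_CONF"
```

Patching remains the primary fix; the configuration check only confirms that the unauthenticated listener is gone, which is what removes the host from the pool of reflectors.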

“DDoS continues to be a viable attack vector used to harass and disrupt victims across the internet, from major industries and governments to small content creators, online shops, and gamers,” Akamai’s researchers warned.

“Although the original analysis focused on the RCE, which could have a more severe outcome, DDoS amplification is also easily abused in this case.”

As Cloudflare revealed this week, its DDoS protection systems had to defend customers against a wave of hyper-volumetric L3/4 DDoS attacks peaking at 3.8 terabits per second (Tbps), the largest such attack ever recorded.
