Sat Oct 05 2024

DDoS attacks can be amplified by a vulnerability in CUPS.

The exploitation of the recently discovered vulnerability in CUPS is not limited to RCE.

A security vulnerability recently discovered in the Common UNIX Printing System (CUPS) may be even more serious than initially thought: researchers report that it can also be used to amplify distributed denial-of-service (DDoS) attacks. According to Akamai, these attacks can reach an amplification factor of up to 600 times, a considerable concern for victims.

CUPS is an open-source printing system developed by Apple for Unix-like operating systems such as Linux and macOS. Its main function is to manage print jobs and queues, supporting both local and network printers. It uses the Internet Printing Protocol (IPP) as its primary protocol, facilitating printer discovery and job submission across networks. Additionally, it includes a web interface for managing printers, print jobs, and configurations.

Recently, four vulnerabilities in CUPS were identified: CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, and CVE-2024-47177. When chained, they allow an attacker to register a fake, malicious printer that CUPS discovers and adds; all it takes is a single specially crafted packet sent to the CUPS server. The moment a user attempts to print to this malicious device, an attacker-controlled command executes locally on their machine.

Akamai experts report that each packet sent to vulnerable CUPS servers causes them to generate larger IPP/HTTP requests directed at the target device. This results in high consumption of both CPU resources and bandwidth, following the typical pattern of a DDoS attack. Their study revealed that there are nearly 200,000 exposed devices on the internet, of which about 60,000 could be utilized in DDoS campaigns.

In extreme situations, CUPS servers can enter an infinite loop of requests. "In the worst case, we observed what appeared to be an endless stream of connection attempts and resulting requests from a single inquiry. These streams seem to have no end and will continue until the daemon is terminated or restarted," explained Akamai specialists. "Many of these systems we observed in our tests established thousands of requests, sending them to our testing infrastructure. In some cases, this behavior continued indefinitely."
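The two behaviours described above, a small inbound packet answered by many larger outbound IPP/HTTP requests, and a stream of such requests that does not stop, can both be spotted from flow records at the edge of the network that hosts a CUPS server. The following detector is an added example written for this article, not code from the article or from Akamai. It assumes a hypothetical CUPS host address, thresholds chosen for illustration, and constructed flow records; it groups the server's egress by destination and flags a destination when the bytes sent to it dwarf the inbound packet that preceded them, or when the number of requests indicates a sustained stream.

```python
"""Flag DDoS-amplification patterns in flow records from a CUPS host.

Added example with constructed data.  Inbound UDP datagrams to the CUPS
host are treated as candidate trigger packets; outbound TCP connections
from the CUPS host back to the trigger's source address are the IPP/HTTP
requests that the amplification relies on.
"""
from collections import defaultdict
from dataclasses import dataclass

CUPS_HOST = "10.0.0.5"      # hypothetical CUPS server address (assumption)
WINDOW_SECONDS = 60.0       # egress this long after a trigger is attributed to it
RATIO_THRESHOLD = 10.0      # bytes out / bytes in above this is amplification
STREAM_THRESHOLD = 100      # this many requests per destination is a stream


@dataclass
class Flow:
    ts: float      # seconds relative to the start of the capture
    proto: str     # "udp" or "tcp"
    src: str
    dst: str
    nbytes: int


def analyze(flows):
    """Return {destination: summary} for every host that sent a trigger
    packet to the CUPS server, with the egress it provoked and any flags."""
    triggers = defaultdict(list)   # victim address -> inbound packets
    egress = defaultdict(list)     # destination    -> outbound requests
    for f in flows:
        if f.proto == "udp" and f.dst == CUPS_HOST:
            triggers[f.src].append(f)
        elif f.proto == "tcp" and f.src == CUPS_HOST:
            egress[f.dst].append(f)

    report = {}
    for victim, trigs in triggers.items():
        first_ts = min(t.ts for t in trigs)
        last_ts = max(t.ts for t in trigs)
        # Only count requests that follow a trigger within the window.
        related = [e for e in egress.get(victim, [])
                   if first_ts <= e.ts <= last_ts + WINDOW_SECONDS]
        in_bytes = sum(t.nbytes for t in trigs)
        out_bytes = sum(e.nbytes for e in related)
        ratio = out_bytes / in_bytes if in_bytes else 0.0
        duration = round(max((e.ts for e in related), default=first_ts) - first_ts, 1)
        flags = []
        if ratio >= RATIO_THRESHOLD:
            flags.append("amplification")
        if len(related) >= STREAM_THRESHOLD:
            flags.append("sustained_stream")
        report[victim] = {
            "in_packets": len(trigs), "in_bytes": in_bytes,
            "out_count": len(related), "out_bytes": out_bytes,
            "ratio": ratio, "duration_s": duration, "flags": flags,
        }
    return report


def constructed_sample():
    """Constructed flows: one spoofed 100-byte trigger from 203.0.113.7 that
    the CUPS host answers with 150 requests of 400 bytes each, plus a benign
    discovery exchange with a real printer at 192.0.2.10."""
    flows = [Flow(0.0, "udp", "203.0.113.7", CUPS_HOST, 100)]
    flows += [Flow(0.2 * i, "tcp", CUPS_HOST, "203.0.113.7", 400) for i in range(1, 151)]
    flows.append(Flow(10.0, "udp", "192.0.2.10", CUPS_HOST, 120))
    flows += [Flow(10.2, "tcp", CUPS_HOST, "192.0.2.10", 350),
              Flow(10.4, "tcp", CUPS_HOST, "192.0.2.10", 350)]
    return flows


if __name__ == "__main__":
    for victim, summary in analyze(constructed_sample()).items():
        print(victim, summary)
```

On the constructed data the spoofed trigger yields a ratio of 600 and 150 requests, so it is flagged as both amplification and a sustained stream, while the real printer's two small replies stay well below both thresholds. Against live data the thresholds would need tuning, and the window should be reset on each new trigger, but the shape of the check stays the same.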

The ability to mount a DDoS amplification attack within minutes and at virtually no cost is alarming. IT teams are advised to apply the patches for these vulnerabilities as soon as possible.