Akamai Reveals Another Hole in the UNIX Printing System.
Akamai specialists have identified a new vulnerability in CUPS (the Common Unix Printing System) that can be used for DDoS attacks. To launch an attack, an attacker only needs to send a single packet to a vulnerable CUPS service that is exposed to the Internet.
According to Akamai, there are over 198,000 vulnerable devices on the Internet, of which about 34% (more than 58,000) could potentially be used for DDoS attacks. Most dangerously, a hacker would need minimal resources to launch a successful attack: all vulnerable CUPS services can be compromised in seconds.
On September 26, the researcher evilsocket published information about vulnerabilities in CUPS that could be exploited for remote code execution (RCE). The attack involves a chain of four vulnerabilities that allow commands to be executed on a remote server by manipulating the IPP URL.
However, in addition to remote code execution, CUPS can be used to amplify DDoS attacks. In essence, the attacker sends a modified packet that identifies the victim's address as a printer to add to the system. In response, the affected CUPS server starts sending large IPP/HTTP requests to this address.
A hacker needs only a simple script that directs a malicious UDP packet to a vulnerable CUPS service. The CUPS server then starts sending requests to the victim's IP address, consuming its bandwidth and resources.
Figure: Attack scheme
In its research, Akamai found that among 58,000 vulnerable devices, some behaved like an "endless loop" — after receiving initial requests, they continued to send thousands of requests, sometimes indefinitely. This behavior results in a significant load on the resources of both the attacked servers and vulnerable CUPS hosts.
Most vulnerable devices run outdated versions of CUPS, such as 1.3, released in 2007. The lack of updates increases the risk that these servers will be abused for cyberattacks.
The analysis showed that this type of attack can amplify traffic up to 600 times on average and more than 100 times in the worst case. Even if the gain is not that high, the amount of data sent to the victim will be very large, creating a load on the servers.
Experts warn that hackers may exploit the vulnerability in the near future, since vulnerable versions of CUPS remain widespread, and updating systems takes time. Organizations that may be potential targets are encouraged to take steps to protect their networks, including updating CUPS software or blocking access to service ports (UDP/631).
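A quick host-side check for the exposure described above, as an added example that is not part of the original article or Akamai's research: it filters `ss -H -uln` output (Linux iproute2) for UDP listeners on port 631 bound to anything other than loopback. The function name `exposed_udp631` and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Report UDP/631 listeners that are reachable from other hosts.
# Reads `ss -H -uln` style lines on stdin; field 4 is "local-address:port".
# Prints each non-loopback address bound to port 631.
# Exit status: 0 if at least one exposed listener was found, 1 otherwise.
exposed_udp631() {
    awk '
    {
        ep = $4
        # Locate the final ":<port>" so IPv6 forms such as [::]:631 parse too.
        pos = match(ep, /:[0-9]+$/)
        if (!pos) next
        port = substr(ep, pos + 1)
        addr = substr(ep, 1, pos - 1)
        sub(/%.*$/, "", addr)            # drop an interface suffix like %lo
        if (port != "631") next
        # Loopback-only listeners cannot receive packets from the Internet.
        if (addr ~ /^127\./ || addr == "[::1]" || addr == "::1") next
        print addr
        found = 1
    }
    END { exit (found ? 0 : 1) }
    '
}

# Constructed sample of `ss -H -uln` output (not captured from a real host).
SAMPLE_SS_OUTPUT='UNCONN 0 0 0.0.0.0:631 0.0.0.0:*
UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
UNCONN 0 0 127.0.0.1:631 0.0.0.0:*
UNCONN 0 0 [::]:631 [::]:*
UNCONN 0 0 [::1]:631 [::]:*'

# On a live host, replace the printf with:  ss -H -uln | exposed_udp631
if printf '%s\n' "$SAMPLE_SS_OUTPUT" | exposed_udp631; then
    echo "UDP/631 is bound to a non-loopback address: update CUPS or block the port"
else
    echo "no externally reachable UDP/631 listener found"
fi
```

A clean result only covers the local socket table; a perimeter rule blocking UDP/631 still needs to be verified from outside the network.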