Decade-Old Linux Vulnerability Can Be Exploited for DDoS Attacks on CUPS

Decade-Old Linux Vulnerability Can Be Exploited for DDoS Attacks on CUPS

This article explores the Linux vulnerability discovered by Simone Margaritelli, which, according to cybersecurity companies Uptycs and Akamai, can be exploited for additional malicious purposes, including RCE and DDoS attacks against the Common Unix Printing System (CUPS).

Hackread.com recently reported a critical Linux vulnerability, discovered by cybersecurity researcher Simone Margaritelli (aka evilsocket), which could allow attackers to gain complete control of GNU/Linux systems, potentially allowing Linux Remote code execution. This decade-old flaw affects all GNU/Linux systems and has a severity score of 9.9 out of 10, indicating immense potential for damage if exploited. 

As per the latest updates, new findings from Cloud computing giant, Akamai, and cybersecurity firm, Uptycs, highlight an even more immediate concern: exploiting the issue for devastating DDoS attacks and carrying out remote code execution (RCE) in Linux.

Uptycs Research

Uptycs threat research team identified vulnerabilities in CUPS (Common UNIX Printing System), which can be exploited to install malicious printers and execute unauthenticated remote code execution attacks. CUPS is a widely used open-source printing system for Linux and Unix-like operating systems, allowing users to share printers on a network and manage printing jobs. 

The vulnerability resides in the cups-browsed daemon, a component that searches for available network printers. An attacker can exploit this flaw by sending a malicious packet to a vulnerable CUPS service. This packet tricks the service into fetching a non-existent printer description file from a target server specified by the attacker.

According to researchers, attackers can create a malicious PPD file and send it to a vulnerable CUPS server, requiring the cups-browsed daemon to be enabled, UDP port 631 open, and the victim to print to the malicious printer.

Akamai Research

Researchers at Akamai SIRT (Security Incident Response Team) also discovered a flaw that allows attackers to exploit vulnerable CUPS servers and turn them into unwitting amplifiers for distributed- denial-of-service (DDoS) attacks, allowing attackers to exploit vulnerable servers and turn them into unwitting DDoS hosts.

According to the company’s blog post published on October 01, 2024, the attack involves misinterpreting a UDP packet, downloading malicious data, and establishing multiple TCP connections to a target system, potentially causing an outage. 

The Scope of the Problem:

  • Akamai identified over 198,000 internet-connected devices running CUPS.
  • Roughly 34% (over 58,000) of these devices were vulnerable to the attack.
  • Outdated CUPS versions (released as far back as 2007) were the most susceptible.
  • Testing revealed potential amplification factors of up to 600x, significantly increasing attack power.

The issues discussed in these reports are directly related to the Linux vulnerability discovered by Margaritelli because his identified vulnerability involves a remote code execution exploit chain that targets the Common Unix Printing System (CUPS).

This exploit chain leverages several vulnerabilities, including CVE-2024-47175 (libppd), CVE-2024-47176 (cups-browsed), CVE-2024-47177 (cups-filters), and CVE-2024-47076 (libcupsfilters).

To stay protected, install the latest version of CUPS and ensure all system components, such as libcupsfilters, libppd, and cups-filters, are updated. Disable or configure cups-browsed daemon, if printing isn’t essential, or restrict access to it to trusted devices. Strengthen network security with firewalls, intrusion detection systems, and IPS, and regularly review and update security policies.

  1. Telegram-Controlled TgRat Trojan Targets Linux Servers
  2. Critical Flaws Found in GNU C Library, Major Linux Distros at Risk
  3. Goldoon Botnet Hits D-Link Devices by Exploiting 9-Year-Old Flaw
  4. 7-Year-Old 0-Day in Microsoft Office Exploited to Drop Cobalt Strike
  5. 9-year-old Windows flaw dropped ZLoader malware in 111 countries
Total
0
Shares
Related Posts