Akamai Warns CUPS Vulnerability Also Brings New Threat of DDoS Attacks (akamai.com)
- Reference: 0175194095
- News link: https://it.slashdot.org/story/24/10/05/0413201/akamai-warns-cups-vulnerability-also-brings-new-threat-of-ddos-attacks
- Source link: https://www.akamai.com/blog/security-research/october-cups-ddos-threat
But Tuesday [2]generic (Slashdot reader #14,144) shared [3]this new warning from Akamai:
> Akamai researchers have confirmed a new attack vector using CUPS that could be leveraged to stage distributed denial-of-service (DDoS) attacks. Research shows that, to begin the attack, the attacking system only needs to send a single packet to a vulnerable and exposed CUPS service with internet connectivity.
>
> The Akamai Security Intelligence and Response Team (SIRT) found that more than 198,000 devices are vulnerable to this attack vector and are accessible on the public internet; roughly 34% of those could be used for DDoS abuse (58,000+). Of the 58,000+ vulnerable devices, hundreds exhibited an "infinite loop" of requests.
>
> The limited resources required to initiate a successful attack highlights the danger: It would take an attacker mere seconds to co-opt every vulnerable CUPS service currently exposed on the internet and cost the attacker less than a single US cent on modern hyperscaler platforms.
[1] https://www.theregister.com/2024/09/26/cups_linux_rce_disclosed/
[2] https://www.slashdot.org/~generic
[3] https://www.akamai.com/blog/security-research/october-cups-ddos-threat
Not CUPS! (Score:5, Informative)
Sigh. This isn't CUPS; this is an optional add-on called cups-browsed that you don't need anymore.
Re:Not CUPS! (Score:5, Interesting)
If it isn't needed then why is it included in default installs?
Re: (Score:1)
It's needed for AirPrint, AFAIK.
Re: (Score:2)
> It's needed for AirPrint, AFAIK.
No, it has two uses: to support old CUPS servers (1.3 and earlier) for newer CUPS clients, and to auto-add AirPrint/IPP Everywhere/Mopria printers for applications that refuse to use the CUPS APIs that were introduced in CUPS 1.1... As long as you add the printers you want to use, you won't need it running.
Re: Not CUPS! (Score:4, Insightful)
Because Plug&Play, that's why. Printers that connect to your system automaGically. The problem is, if printers can do that, so can hackers.
A cynicist would say that the main cause of the problem is in Un*x systems wanting to be like Windows.
Re: (Score:3)
> If it isn't needed then why is it included in default installs?
As far as I can tell, from looking at our various servers... it isn't. And on some workstation installs where it is present... it's not enabled by default.
Re: (Score:2)
>> If it isn't needed then why is it included in default installs?
> As far as I can tell, from looking at our various servers... it isn't. And on some workstation installs where it is present... it's not enabled by default.
Oddly enough, it's running on my Linux Mint Ulyana laptop. I just killed it and was still able to print. I'll see if that capability survives a reboot.
Re: (Score:2)
systemctl disable --now --global --and-with-extreme-prejudice cups-browsed
Okay, the third option flag is my own wishful thinking...
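The disable command above (without the imaginary third flag) is the whole fix on a single host, but the thread's real question is whether the service is bound on every interface, which is the precondition for the exposure Akamai describes. The following is an added example, not code from the thread, from Akamai, or from the CUPS project: a POSIX shell audit that reads the UDP socket table, reports where cups-browsed is bound, and prints the remediation. It assumes the `ss -ulnp` output layout (local address:port in the fourth column) and that cups-browsed's browsing socket is UDP 631, the standard IPP port; the sample tables are constructed so the check runs offline.

```shell
#!/bin/sh
# Added example (not from the thread, Akamai, or the CUPS project): audit a
# Linux host for a cups-browsed listener and print the remediation the poster
# gives, minus the joke flag. Assumption: cups-browsed browses on UDP 631.

# Constructed samples of `ss -ulnp` output, embedded so the check runs offline.
# Field 4 of each socket row is the local address:port.
SAMPLE_EXPOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0      0.0.0.0:631        0.0.0.0:*         users:(("cups-browsed",pid=1234,fd=7))
UNCONN 0      0      0.0.0.0:5353       0.0.0.0:*         users:(("avahi-daemon",pid=900,fd=12))'
SAMPLE_LOOPBACK='UNCONN 0 0 127.0.0.1:631 0.0.0.0:* users:(("cups-browsed",pid=1234,fd=7))'
SAMPLE_CLEAN='UNCONN 0 0 0.0.0.0:5353 0.0.0.0:* users:(("avahi-daemon",pid=900,fd=12))'

# Print the local address:port cups-browsed is bound to; empty if it is not listening.
cups_browsed_bind_addr() {
    printf '%s\n' "$1" | awk '/cups-browsed/ { print $4; exit }'
}

# Exit 0 when cups-browsed is bound to UDP 631 on all interfaces (wildcard bind),
# which is what makes an internet-facing host reachable with the single packet
# Akamai describes. A loopback-only bind or no listener exits 1.
cups_browsed_exposed() {
    case "$(cups_browsed_bind_addr "$1")" in
        0.0.0.0:631|'*:631'|'[::]:631') return 0 ;;
        *) return 1 ;;
    esac
}

# Use the live socket table when ss(8) is available, otherwise the constructed sample.
socket_table() {
    if command -v ss >/dev/null 2>&1; then
        ss -ulnp 2>/dev/null
    else
        printf '%s\n' "$SAMPLE_EXPOSED"
    fi
}

# Human-readable report for one socket table. Always exits 0 so it can sit in a
# cron job or larger script; use cups_browsed_exposed for the yes/no answer.
audit_host() {
    table=$1
    addr=$(cups_browsed_bind_addr "$table")
    if [ -z "$addr" ]; then
        echo "cups-browsed: not listening"
    elif cups_browsed_exposed "$table"; then
        echo "cups-browsed: bound to $addr on all interfaces (exposed if this host is reachable from the internet)"
        echo "remediation, as the poster says, without the imaginary flag:"
        echo "  systemctl disable --now cups-browsed"
        echo "then add the printers you actually use with lpadmin, and consider blocking UDP 631 at the network edge"
    else
        echo "cups-browsed: bound to $addr (not a wildcard bind); lower risk, still unnecessary once printers are added by hand"
    fi
    return 0
}

audit_host "$(socket_table)"
```

Run it as root (or with a user allowed to see process names in `ss -p`) to get the live table; without `ss` it falls back to the constructed exposed sample so the report format can be inspected.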
I remember (Score:3)
The point is that too many fscking people hook shit up to the global Internet that shouldn't be. Hell, I remember when Windoze 95 was a thing it was a sport to go surfing people's "private" stuff they published to their entire university and the Internet. I remember running across some douche's video of his girlfriend that I emailed back to her to tell her (from his address) about it after I got his entire address book and email archives.
I remember back in 2017 when a hurricane hit the Texas gulf coast. People were panicking and running the gas stations dry. I used an exploit to vector friends and family into places that still had gas from my hotel room. I used Shodan. For better or worse, there was some kind of gas telemetry system that a lot of gas stations were using that would publicly squawk its kind of gas, volume remaining, water contamination, and God only knows what else to the global Internet. I did find out that the regional hospital had some ungodly amount of jet fuel stored in a tank under their parking lot.
Re: (Score:2)
> too many fscking people hook shit up to the global Internet that shouldn't be.
Strongly agree but are printers really a good "target" here?
Look, I don't want my fridge connected to the Internet. Smart fridges are the biggest "who is this for?!" product that I can think of.
I don't like "smart" TVs either ... I mean, I own one, but it is not connected directly to the Internet. I have a small Linux mini-pc that I set up for streaming entertainment.
But I've had printers connected to my local network for a lot longer than the "Internet of Things" has ever been a thing.
I'm not even the type
Re: (Score:2)
You can't fix people. The internet could have been fixed at some point in the past though. The problem is that the internet is only designed to be robust against outside interruption instead of the people on it.
All internet participants should be contractually obligated to do ingress/egress filtering and there should be [1]some way to push filters upstream [ietf.org]. Then the people who put amplification services on the internet get on a blacklist and everyone can just ignore them, without having to use Cloudflare/Akama
[1] https://datatracker.ietf.org/doc/html/draft-eddy-sdnrg-customer-filters-01
Re: (Score:2)
Meant to say "Now it's a trillion dollar business to patch the broken by design internet".
If this is so easy to hack... (Score:3)
...why not write a worm that discovers affected systems and disables cups-browsed on them? Seems less dangerous than letting them all become DDoS bots.
Re: (Score:2)
Then you become the criminal.
Re: (Score:2)
There have been some similar cases where security forces have managed to get a court order allowing them to do similar things. Not actual worms, but scanning and running code on the vulnerable devices to disable the function.
mere seconds ? (Score:2)
Can anyone really send out a single packet to everything accessible from the internet that fast?
Sure this might be a problem, but stop the hyperbole train.
Re: (Score:2)
Recent DDoS numbers were 400 million RPS, which I guess makes 10 seconds to do the whole of IPv4 space, where most applicable devices on the internet will be found, so I guess the answer is in fact yes, though they would want longer than that to prepare the attack.
Scare tactics from a CDN (Score:2)
Sounds like somebody is falling short on sales projections and is trying to drum up new business by scaring website operators "YOU COULD BE ATTACKED!!"
Remember people mocking this exploit on slashdot? (Score:2)
Only a couple weeks ago. I won't name usernames, but some people should feel bad for saying it was fake or overhyped just because it was first publicized on Twitter.
Was that the "all Linux systems vulnerable" crap? (Score:2)
That person really needs to be ignored....
Re: Was that the "all Linux systems vulnerable" cr (Score:3)
He is an attention seeker and an unethical person, yet the issue with cups-browsed is real and not benign at all.
IMHO, the whole cups-browsed project needs to be discontinued. Not only is the quality of its code poor, but it's a prime example of the "insecure by design" paradigm. The protocol according to which cups-browsed works was obviously not designed with security in mind, and it's DDOS-friendly as a result.
Either discontinue it, or subject it to a total redesign (of the protocol) and re-implementatio