Latest Update: How the Newly Repaired CUPS Vulnerability Can Be Exploited for DDoS Attacks
Recently patched CUPS flaw can be used to amplify DDoS attacks
Summary
A recently disclosed vulnerability in the Common Unix Printing System (CUPS) open-source printing system can be exploited by threat actors to launch distributed denial-of-service (DDoS) attacks with a 600x amplification factor.
Read on for a technical breakdown of the flaw, the DDoS attack scenario it enables, and advice on mitigations.
A Deep Dive into Vulnerability CVE-2021-27212
The vulnerability, tracked as CVE-2021-27212, resides in the Internet Printing Protocol (IPP) implementation of CUPS.
IPP is the standard protocol for submitting and managing print jobs over IP networks, including the internet.
Specifically, the flaw lies in the handling of the “Get-Printer-Attributes” IPP request.
Threat actors can exploit this by sending a small crafted request to a CUPS server, which in turn returns a response up to 600 times larger, giving a significant amplification factor for DDoS attacks.
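From a defender's side, the signature of this abuse is a client that sends very little to the IPP port but receives a great deal back. The following is an added example, not code from the original article: it aggregates constructed flow records (in practice these would come from NetFlow/IPFIX or firewall logs) per client on port 631, the standard IPP port, and flags any client whose response/request byte ratio exceeds a threshold. The flow layout, the sample addresses and the threshold of 50 are all assumptions chosen for the example.

```python
"""Spot amplification-style traffic from an IPP/CUPS service.

Added example (not from the original article). It scans flow records
for clients that sent little to port 631 but received far more back,
which is what a reflector being abused for amplification looks like
from the CUPS host's point of view.
"""
from collections import defaultdict
from dataclasses import dataclass

IPP_PORT = 631                 # standard IPP port (assumption: the server listens here)
AMPLIFICATION_THRESHOLD = 50   # flag when bytes returned / bytes received exceeds this


@dataclass(frozen=True)
class Flow:
    src: str         # client address as seen by the CUPS host
    dst_port: int
    bytes_in: int    # bytes the client sent to the server
    bytes_out: int   # bytes the server sent back to the client
    packets_in: int


# Constructed sample: one legitimate LAN client, one address receiving a
# disproportionate response volume (the spoofed victim of a reflection attack)
SAMPLE_FLOWS = [
    Flow("10.0.0.23", 631, 1800, 2600, 6),
    Flow("10.0.0.23", 9100, 40000, 200, 30),      # raw print job, not IPP
    Flow("203.0.113.9", 631, 120, 72000, 1),
    Flow("203.0.113.9", 631, 120, 71500, 1),
    Flow("198.51.100.77", 631, 400, 1200, 2),
]


def amplification_ratios(flows, port=IPP_PORT):
    """Aggregate per-client bytes on the IPP port and return {src: out/in ratio}."""
    totals = defaultdict(lambda: [0, 0])
    for f in flows:
        if f.dst_port != port:
            continue
        totals[f.src][0] += f.bytes_in
        totals[f.src][1] += f.bytes_out
    return {src: (out / inn if inn else float("inf"))
            for src, (inn, out) in totals.items()}


def suspicious_clients(flows, threshold=AMPLIFICATION_THRESHOLD, port=IPP_PORT):
    """Return a list of (src, ratio) above the threshold, largest ratio first."""
    ratios = amplification_ratios(flows, port)
    hits = [(src, round(r, 1)) for src, r in ratios.items() if r > threshold]
    return sorted(hits, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for src, ratio in suspicious_clients(SAMPLE_FLOWS):
        print(f"{src}: {ratio}x response/request byte ratio on port {IPP_PORT}")
```

On the constructed sample the spoofed address comes out at roughly 598x, in line with the amplification factor reported for this flaw, while the LAN clients stay in single digits. In a reflection attack the flagged "client" is the victim, not the attacker, so the useful response is to restrict who can reach the service rather than to block that address.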
The DDoS Threat Picture
The Common Unix Printing System underpins many of today’s networked printing systems.
This means that the many connected devices running Linux-based systems, including popular IoT devices, could be used as unwitting reflectors for amplified DDoS attacks.
Moreover, the amplification factor inherent in this type of attack can saturate a target network’s bandwidth quickly, leading to service disruption or, in severe cases, a complete network outage.
Real-World Example
Historically, we’ve seen similar DDoS amplification attacks exploiting the Simple Service Discovery Protocol (SSDP) and Network Time Protocol (NTP).
An attack on the GitHub platform in 2018, which peaked at 1.35Tbps, was carried out by abusing these protocols.
This recent CUPS flaw presents a similar potential risk.
Addressing the Flaw
The good news is that the vulnerability has already been patched, as developers at Apple were quick to release an updated version of CUPS (version 2.3.3op2).
System admins and network managers are strongly advised to apply the patch at the earliest opportunity to mitigate any potential exploitation.
In addition, rate limiting on your network’s ingress traffic can blunt this type of DDoS attack, although it is a secondary defence rather than a substitute for patching.
Further, anyone running a publicly reachable CUPS server should isolate it from non-essential external traffic as far as possible, as a matter of best practice.
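The exposure question above can be checked directly in the server's own configuration. The following is an added example, not code from the original article or the CUPS project: it parses the `Listen` directives and the root `<Location />` access block of a cupsd.conf and reports whether the IPP service is reachable from arbitrary networks. Two constructed configurations are embedded, an exposed one beside a hardened one; the directive syntax is standard cupsd.conf, but the specific values are assumptions for the example.

```python
"""Audit a cupsd.conf for network exposure of the IPP service.

Added example, not from the original article or the CUPS project.
It reads Listen lines, the <Location /> access rules and the Browsing
directive, and returns findings that indicate the service is reachable
from more than the local machine or LAN.
"""
import re

# Constructed sample: binds every interface and admits any client
EXPOSED_CONF = """\
Listen *:631
Listen /run/cups/cups.sock
Browsing Yes
<Location />
  Order allow,deny
  Allow all
</Location>
"""

# Constructed sample: loopback only, local-network clients only
HARDENED_CONF = """\
Listen localhost:631
Listen /run/cups/cups.sock
Browsing No
<Location />
  Order allow,deny
  Allow localhost
  Allow @LOCAL
</Location>
"""

_LISTEN_RE = re.compile(r"^\s*Listen\s+(\S+)", re.IGNORECASE | re.MULTILINE)
_ROOT_LOCATION_RE = re.compile(r"<Location\s+/>(.*?)</Location>", re.IGNORECASE | re.DOTALL)
_ALLOW_RE = re.compile(r"^\s*Allow\s+(.+?)\s*$", re.IGNORECASE | re.MULTILINE)
_BROWSING_ON_RE = re.compile(r"^\s*Browsing\s+(Yes|On|True)\b", re.IGNORECASE | re.MULTILINE)


def listen_addresses(conf):
    """Return network Listen targets, ignoring Unix domain socket paths."""
    return [a for a in _LISTEN_RE.findall(conf) if not a.startswith("/")]


def root_allow_rules(conf):
    """Return the lower-cased Allow rules inside <Location />, if any."""
    m = _ROOT_LOCATION_RE.search(conf)
    if not m:
        return []
    return [r.strip().lower() for r in _ALLOW_RE.findall(m.group(1))]


def audit(conf):
    """Return a list of human-readable findings; empty means nothing exposed."""
    findings = []
    for addr in listen_addresses(conf):
        # "host:port" or bare host; IPv6 wildcards appear as "[::]:631"
        host = addr.rsplit(":", 1)[0] if ":" in addr else addr
        if host in ("*", "0.0.0.0", "[::]", "::"):
            findings.append(f"Listen {addr}: binds all interfaces")
    if "all" in root_allow_rules(conf):
        findings.append("<Location />: 'Allow all' admits clients from any network")
    if _BROWSING_ON_RE.search(conf):
        findings.append("Browsing enabled: printers are advertised to the network")
    return findings


if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit(conf) or ['no exposure findings']}")
```

The audit is deliberately conservative: it only reports wildcard binds, an unrestricted root `Allow all`, and enabled browsing. A server that passes it is still reachable by whatever its `Allow` rules admit, so the firewall rule that keeps port 631 off the public interface remains the primary control, with the configuration check as confirmation that the daemon itself is not inviting wider traffic.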