Do you have a customer whose printer ports are open and vulnerable and can now be used for DDoS? Is your network’s “Internet Print Protocol” (IPP) port open and ready for exploitation?
Last week, the Shadowserver Foundation reported a “large increase in queries on 631/UDP seen in our sensors due to recent CUPS RCEs disclosure. These include callback attempts.” This was part of a community effort to watch for threat actors exploring the vulnerabilities highlighted in Attacking UNIX Systems via CUPS (Simone Margaritelli).
An alert from Shadowserver’s HoneyNet Sensors means that threat actors are exploring the risk and preparing attack vectors!
Luckily, researchers at Akamai kept digging and found that the CUPS IPP risk could be exploited for DDoS before the threat actors discovered the vector: When CUPS Runneth Over: The Threat of DDoS.
Are you at Risk?
Shadowserver now has two new reports to help you find your network’s “IPP Exploitation” risk.
Daily Report: IP data on exposed printer instances on port 631/TCP in our Open IPP report: https://shadowserver.org/what-we-do/network-reporting/open-ipp-report/ This will help you determine whether your access list, firewall, and other protections are allowing packets to reach port 631.
Special Report: The Shadowserver Foundation has a one-off Special report on vulnerable CUPS instances: https://shadowserver.org/what-we-do/network-reporting/vulnerable-cups-special-report/
This special report scan found 107,289 instances on 2024-09-27 (based on a scan from an external party—thanks!). The top affected and vulnerable countries are the US (over 20K) and Germany (nearly 13K).
What actions do you take?
Please read through the Shadowserver Reports (linked above). They provide a starting point for your actions. What you do depends on your point of view, your organization, and your network.
Network Owners
Do you want people outside your network to run print jobs inside your network? It is recommended that you use packet and firewall filters to block port 631 UDP/TCP on the edge of your network. Then, explore each host inside your network. Do you need to have the IPP ports open across all the departments?
Then, patch CUPS on your Linux systems. Yes, minimize the risk with ACLs to prevent exploitation. Next, patch the system (IMHO).
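To turn the daily Open IPP report into a work list, match its rows against the prefixes you own. The script below is an added example, not Shadowserver's or the author's code; the column names (`ip`, `protocol`, `port`) are assumed to follow the common Shadowserver CSV layout, and the sample rows and prefix inventory are constructed.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample rows (documentation address ranges), not real report data.
# Column names are an assumption based on the common Shadowserver CSV layout.
SAMPLE_REPORT = """\
timestamp,ip,protocol,port,hostname,tag,asn,geo
2024-09-27 04:10:11,192.0.2.15,tcp,631,print1.example.net,ipp,64500,US
2024-09-27 04:10:12,192.0.2.200,tcp,631,,ipp,64500,US
2024-09-27 04:10:15,198.51.100.7,tcp,631,,ipp,64500,US
2024-09-27 04:10:19,2001:db8:10::5,tcp,631,,ipp,64500,US
2024-09-27 04:10:20,203.0.113.9,tcp,631,,ipp,64501,DE
"""

# Hypothetical inventory: prefix -> owning team.
OWNED_PREFIXES = {
    "192.0.2.0/24": "campus",
    "192.0.2.128/25": "engineering",
    "2001:db8:10::/48": "datacenter",
}

def triage(report_text, owned_prefixes, port=631):
    """Group exposed hosts from the report by the most specific owned prefix."""
    nets = sorted(
        ((ipaddress.ip_network(p), owner) for p, owner in owned_prefixes.items()),
        key=lambda item: item[0].prefixlen,
        reverse=True,  # longest prefix first, so the most specific match wins
    )
    findings = defaultdict(list)
    for row in csv.DictReader(io.StringIO(report_text)):
        try:
            addr = ipaddress.ip_address(row["ip"].strip())
            proto = row["protocol"].strip().lower()
            if int(row["port"]) != port:
                continue
        except (KeyError, ValueError, TypeError, AttributeError):
            continue  # skip malformed rows rather than abort the run
        owner = next((o for net, o in nets if addr in net), "not-ours")
        findings[owner].append((str(addr), proto))
    return {owner: sorted(hosts) for owner, hosts in findings.items()}

if __name__ == "__main__":
    for owner, hosts in sorted(triage(SAMPLE_REPORT, OWNED_PREFIXES).items()):
        for ip, proto in hosts:
            print(f"{owner}: {ip} reachable on 631/{proto} from the Internet")
```

Every address listed under one of your teams got through the edge filter on port 631, so it is both an ACL gap and a host to patch.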
Service Providers and ISPs
Pull down your latest Shadowserver Foundation Reports to determine how many customers are opening port 631. The new DDoS vector described in When CUPS Runneth Over: The Threat of DDoS can leverage your customers to generate DDoS inside your network. Consider notifying your customers of the risk or adding port 631 UDP/TCP to your Exploitable Port Filter on the edge of your network.
What is Exploitable Port Filtering? These are ACLs used by Broadband, ISPs, Cloud, and Mobile companies to block ports that should not be on the Internet. The traffic should stay inside the organization. Operators have been using this type of filtering for decades to protect their customers, their business, and the Internet.
CSIRT/CERT Teams
Communicate the risk to your constituents. The Shadowserver Foundation reports would list your constituents who are at risk. Post an advisory to your community. Consider reaching out to the constituents who are most at risk. Work with them to mitigate their IPP/CUPS risk and validate the recommended actions.
How significant is the “Exposed Internet Print Protocol (IPP)” Risk?
The Shadowserver Foundation Dashboard can help countries determine the extent of their risk. Start with the world view here:
https://dashboard.shadowserver.org/statistics/combined/tree/?day=2024-09-26&source=scan&source=scan6&tag=ipp&geo=all&data_set=count&scale=log
Then select the country.

Where to get more information?
- For background details on the recently disclosed CUPS RCEs please read: Attacking UNIX Systems via CUPS (Simone Margaritelli).
- Akamai’s blog on how exposed CUPS services can also be leveraged in DDoS amplification attacks: When CUPS Runneth Over: The Threat of DDoS (https://www.akamai.com/blog/security-research/october-cups-ddos-threat)
- Daily Report: IP data on exposed printer instances on port 631/TCP in our Open IPP report: https://shadowserver.org/what-we-do/network-reporting/open-ipp-report/ This will help you determine whether your access list, firewall, and other protections are allowing packets to reach port 631.
- Special Report: The Shadowserver Foundation has a one-off Special report on vulnerable CUPS instances: https://shadowserver.org/what-we-do/network-reporting/vulnerable-cups-special-report/. This special report scan found 107,289 instances on 2024-09-27 (based on a scan from an external party—thanks!). The top affected and vulnerable countries are the US (over 20K) and Germany (nearly 13K).
