New SLP Vulnerability Could Enable Massive DDoS Attacks

Written by

Security researchers have discovered a high-severity vulnerability in the Service Location Protocol (SLP) which could be exploited to launch among the largest DDoS amplification attacks ever seen.

BitSight and Curesec said the CVSS 8.6-rated bug CVE-2023-29552 could enable attackers to launch reflective amplification attacks with a factor as high as 2200 times.

SLP was created in 1997 as a dynamic configuration mechanism for applications in local area networks, allowing systems on the same network to find and communicate with each other.

Although it was not designed to be made available on the public internet, the researchers found it running in over 2000 organizations and over 54,000 SLP-speaking instances globally, including on VMware ESXi hypervisors, Konica Minolta printers, Planex routers, IBM Integrated Management Modules (IMMs), SMC IPMI and more.

“Given the criticality of the vulnerability and the potential consequences resulting from exploitation, Bitsight coordinated public disclosure efforts with the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and impacted organizations,” the firm said.

“Bitsight also engaged with denial-of-service teams at major IT service management companies to help with remediation. CISA conducted extensive outreach to potentially impacted vendors.”

Read more on SLP threats: Legacy VMware Bug Exploited in Global Ransomware Campaign

The top three countries where SLP-speaking instances are running are the US, UK and Japan. To protect against CVE-2023-29552, researchers advised organizations to disable SLP on all systems running on untrusted networks, like those directly connected to the internet.

If they can’t do that, firewalls should be configured to filter traffic on UDP and TCP port 427 to prevent attackers from accessing SLP, it said.

Amplification attacks work by sending small requests to a server with a spoofed source IP address that matches the victim’s IP. The server replies to the victim’s IP with much larger responses than the requests, overwhelming that system.

When coupled with service registration, this kind of attack can be even more serious, BitSight explained.

“The typical reply packet size from an SLP server is between 48 and 350 bytes. Assuming a 29 byte request, the amplification factor – or the ratio of reply to request magnitudes – is roughly between 1.6X and 12X in this situation,” it said.

“However, SLP allows an unauthenticated user to register arbitrary new services, meaning an attacker can manipulate both the content and the size of the server reply, resulting in a maximum amplification factor of over 2200X due to the roughly 65,000 byte response given a 29 byte request.”

What’s hot on Infosecurity Magazine?