Description:

Researchers from Bitsight and Curesec have published an article detailing their joint discovery of a new high-severity vulnerability affecting the Service Location Protocol (SLP), which is used to help devices discover services in a local area network, such as printers and file servers.

The vulnerability, tracked as CVE-2023-29552, is caused by SLP allowing an unauthenticated user to register arbitrary new services on an SLP server. An attacker can exploit this to inflate the server's responses: the server must confirm the newly registered fake services, and by giving those services long names the attacker increases the size of the packets the server has to send back.

This lets threat actors artificially raise the ratio of response network traffic to request network traffic. Typically the response traffic is between 1.6 and 12 times larger than the request traffic; with this vulnerability, an attacker can raise the response traffic to over 2200 times the size of the request.

Bitsight researchers noted that “this extremely high amplification factor allows for an under-resourced threat actor to have a significant impact on a targeted network.”

Although SLP was never intended to be used by internet-facing servers, the researchers have found through internet-wide scans that over 54,000 public devices use SLP.

All devices tested by Bitsight and Curesec were found to be vulnerable, including the VMware ESXi hypervisor, Konica Minolta printers, Planex routers, the IBM Integrated Management Module (IMM), and SMC IPMI. The researchers identified over 2,000 organisations with devices vulnerable to this attack, many of them Fortune 1000 organisations.

The countries with vulnerable devices were the US, the UK, Japan, and Germany.

Prevention:

The main protection against CVE-2023-29552 is to disable SLP on all systems running on untrusted networks, such as those directly connected to the internet. If that is not possible, the researchers recommend configuring firewalls to filter traffic on UDP/TCP port 427, as doing so would prevent external attackers from accessing the SLP service.
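The following is an added example (not code from the article or from the Bitsight/Curesec research) showing how a defender can check for the two signals described above from flow or firewall logs: any external peer reaching an SLP server on port 427 at all (SLP should never be internet-facing), and a per-peer response-to-request byte ratio far above the normal 1.6 to 12 times. The flow records, the server address 10.0.0.5, the list of networks treated as internal, and the alert threshold of 50x are all constructed assumptions for this example.

```python
"""Flag amplification-style abuse of an SLP service (UDP/TCP 427) from flow records.

Added example; the flow records below are constructed, not captured traffic.
"""
import ipaddress
from collections import defaultdict

SLP_PORT = 427
# The article reports a normal reply/request ratio of 1.6x to 12x and an
# amplified ratio above 2200x; 50x is an assumed alert threshold for this example.
AMPLIFICATION_THRESHOLD = 50.0

# Assumed address of the local SLP server.
SLP_SERVER = "10.0.0.5"

# Assumption: only these ranges count as the trusted local network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, bytes).
FLOWS = [
    ("10.0.0.20", 51000, "10.0.0.5", 427, 60),        # LAN client request
    ("10.0.0.5", 427, "10.0.0.20", 51000, 400),       # normal-sized reply (~6.7x)
    ("203.0.113.9", 40000, "10.0.0.5", 427, 64),      # request from outside the LAN
    ("10.0.0.5", 427, "203.0.113.9", 40000, 150000),  # very large reply (~2344x)
    ("10.0.0.30", 52000, "10.0.0.5", 427, 80),        # LAN client request
    ("10.0.0.5", 427, "10.0.0.30", 52000, 120),       # normal-sized reply (1.5x)
]


def is_external(ip):
    """True when the address is outside every network we treat as internal."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def peer_byte_counts(flows, server=SLP_SERVER, port=SLP_PORT):
    """Return {peer_ip: [bytes_to_server, bytes_from_server]} for SLP-port traffic."""
    counts = defaultdict(lambda: [0, 0])
    for src, sport, dst, dport, nbytes in flows:
        if dst == server and dport == port:      # request direction
            counts[src][0] += nbytes
        elif src == server and sport == port:    # response direction
            counts[dst][1] += nbytes
    return dict(counts)


def amplification_ratios(flows, server=SLP_SERVER, port=SLP_PORT):
    """Response bytes divided by request bytes, per peer (inf if no request seen)."""
    ratios = {}
    for peer, (req, resp) in peer_byte_counts(flows, server, port).items():
        ratios[peer] = resp / req if req else float("inf")
    return ratios


def find_suspicious(flows, server=SLP_SERVER, port=SLP_PORT,
                    threshold=AMPLIFICATION_THRESHOLD):
    """Return sorted [(peer, ratio, [reasons])] for peers that merit a look."""
    findings = []
    for peer, ratio in amplification_ratios(flows, server, port).items():
        reasons = []
        if is_external(peer):
            reasons.append("external peer reached the SLP port (SLP should not be internet-facing)")
        if ratio > threshold:
            reasons.append(f"response/request byte ratio {ratio:.0f}x exceeds {threshold:.0f}x")
        if reasons:
            findings.append((peer, ratio, reasons))
    return sorted(findings)


if __name__ == "__main__":
    for peer, ratio, reasons in find_suspicious(FLOWS):
        print(f"{peer}: ratio={ratio:.1f}x")
        for r in reasons:
            print(f"  - {r}")
```

In practice the flow tuples would come from NetFlow/IPFIX, firewall logs or a packet capture rather than the constructed list; the external-peer check is the cheaper and more decisive signal, since it matches the article's point that SLP has no legitimate reason to be reachable from the internet, while the ratio check catches an internal host that is being abused as a reflector.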

Related Links: