Monday, July 1, 2024

SLP flaw allows DDoS attacks with an amplification factor as high as 2200 times | Security Affairs

A flaw in the Service Location Protocol (SLP) tracked as CVE-2023-29552 allows powerful DDoS attacks.

A high-severity vulnerability in the Service Location Protocol (SLP), tracked as CVE-2023-29552 (CVSS score: 8.6), can be exploited by threat actors to perform high-volume DDoS attacks.

The Service Location Protocol (SLP) is a legacy service discovery protocol that allows computers and other devices to find services on a local area network without prior configuration.

Researchers at Bitsight and Curesec report that an attacker who exploits this flaw can take advantage of the vulnerable instances to launch massive denial-of-service (DoS) amplification attacks. Experts note that the flaw allows attackers to achieve an amplification factor of 2200x, the largest of any amplification attack ever reported.

The vulnerability affects more than 2,000 organizations and 54,000 SLP instances worldwide that are publicly exposed to the Internet, including VMware ESXi Hypervisor, Konica Minolta printers, Planex routers, IBM Integrated Management Module (IMM), SMC IPMI, and 665 other product types.

Bitsight has reported this flaw to the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and affected organizations.

In a reflection DoS amplification attack, the attacker sends a small request to the server using the victim’s spoofed source IP address. In turn, the server responds to the victim’s IP address, sending a much larger response than the request, generating a large amount of traffic to the victim’s machine.

“Reflection combined with service registration greatly amplifies the amount of traffic sent to victims. Typical response packet sizes from SLP servers range from 48 to 350 bytes. Assuming a 29-byte request, the amplification factor (or ratio of response to request size) is roughly between 1.6x and 12x in this situation,” reads the analysis published by Bitsight. “However, SLP allows unauthenticated users to register arbitrary new services. This means that an attacker can manipulate both the content and size of the server response, resulting in a maximum amplification factor of over 2200X, given a response of approximately 65,000 bytes to a 29-byte request.”

The steps to perform a reflection DoS amplification attack exploiting this flaw are as follows:

  • Step 1: The attacker looks for an SLP server on UDP port 427.
  • Step 2: The attacker registers services until the SLP denies more entries.
  • Step 3: The attacker uses the victim’s IP as the source to spoof requests to that service.
  • Step 4: The attacker repeats step 3 throughout the attack.
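
The figures quoted above can be turned into a flow-log check for defenders. This is an added example, not code from Bitsight or Security Affairs: it totals UDP/427 request and reply bytes per server and peer, and flags pairs whose ratio exceeds the normal ceiling of a 350-byte reply to a 29-byte request. The flow-record layout, function names and sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

SLP_PORT = 427
# Normal ceiling from the figures quoted above: 350-byte reply to a 29-byte request (~12x).
NORMAL_MAX_FACTOR = 350 / 29

# Constructed flow records (assumed layout):
# (src_ip, src_port, dst_ip, dst_port, proto, payload_bytes); RFC 5737 addresses.
SAMPLE_FLOWS = [
    ("198.51.100.7", 40000, "192.0.2.10", 427, "udp", 29),    # ordinary lookup
    ("192.0.2.10", 427, "198.51.100.7", 40000, "udp", 300),   # ordinary reply
    ("203.0.113.5", 51000, "192.0.2.20", 427, "udp", 29),     # request with spoofed source
    ("192.0.2.20", 427, "203.0.113.5", 51000, "udp", 65000),  # inflated reply to victim
    ("203.0.113.5", 51001, "192.0.2.20", 427, "udp", 29),
    ("192.0.2.20", 427, "203.0.113.5", 51001, "udp", 65000),
    ("198.51.100.7", 40001, "192.0.2.10", 443, "tcp", 500),   # unrelated, ignored
]

def slp_bytes_by_pair(flows):
    """Return {(server, peer): (request_bytes, reply_bytes)} for UDP/427 traffic."""
    totals = defaultdict(lambda: [0, 0])
    for src, sport, dst, dport, proto, size in flows:
        if proto != "udp":
            continue
        if dport == SLP_PORT and sport != SLP_PORT:
            totals[(dst, src)][0] += size   # peer -> server request
        elif sport == SLP_PORT and dport != SLP_PORT:
            totals[(src, dst)][1] += size   # server -> peer reply
    return {pair: tuple(v) for pair, v in totals.items()}

def find_reflection(flows, max_factor=NORMAL_MAX_FACTOR):
    """Flag (server, peer) pairs whose reply/request byte ratio exceeds max_factor."""
    alerts = []
    for (server, peer), (req, rep) in slp_bytes_by_pair(flows).items():
        if rep == 0:
            continue
        # Replies with no captured request (request seen elsewhere) count as unbounded.
        factor = float("inf") if req == 0 else round(rep / req, 1)
        if factor > max_factor:
            alerts.append({"server": server, "victim": peer,
                           "factor": factor, "reply_bytes": rep})
    return sorted(alerts, key=lambda a: a["reply_bytes"], reverse=True)

if __name__ == "__main__":
    for alert in find_reflection(SAMPLE_FLOWS):
        print(alert)
```

On the constructed sample, only the pair exchanging 29-byte requests for 65,000-byte replies is flagged; the ordinary 300-byte reply stays under the threshold.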

New High Severity Vulnerability Discovered in Service Location Protocol (SLP) (CVE-2023-29552) | Bitsight

Experts warn that attackers will leverage CVE-2023-29552 to perform reflection DoS amplification attacks in the coming weeks.

The majority of vulnerable SLP instances are located in the United States, United Kingdom, Japan, Germany, Canada, France, Italy, Brazil, the Netherlands, and Spain.

“To protect against CVE-2023-29552, SLP should be disabled on all systems running on untrusted networks, such as systems directly connected to the Internet. If this is not possible, the firewall must be configured to filter traffic on UDP and TCP port 427. This prevents external attackers from accessing the SLP service,” concludes the report.


Pierluigi Paganini
