SecurityWeek

SLP Vulnerability Allows DoS Attacks With Amplification Factor of 2,200

A high-severity vulnerability in the Service Location Protocol can be exploited to launch massive DoS amplification attacks.

A high-severity vulnerability in the Service Location Protocol (SLP) can be exploited to launch denial-of-service (DoS) attacks with a high amplification factor, security researchers at Bitsight and Curesec warn.

SLP is a legacy internet protocol dating from 1997 that lets systems on a local network discover services without prior configuration and that scales from small networks to large enterprise deployments. It was never intended to be exposed to the public internet.

Tracked as CVE-2023-29552 (CVSS score of 8.6), the newly disclosed vulnerability exists because SLP allows unauthenticated, remote attackers to register arbitrary services.

“This could allow the attacker to use spoofed UDP traffic to conduct a denial-of-service attack with a significant amplification factor,” a NIST advisory explains.

The vulnerability allows a DoS amplification factor of 2,200, Bitsight says. This is possible because an attacker can combine an ordinary reflective amplification attack (a request sent with the victim’s IP spoofed as the source, so the server’s reply goes to the victim) with service registration, which inflates the size of every reply the server sends.

“Assuming a 29-byte request, the amplification factor is roughly between 1.6X and 12X. However, SLP allows an unauthenticated user to register arbitrary new services, meaning an attacker can manipulate both the content and the size of the server reply, resulting in a maximum amplification factor of over 2200X due to the roughly 65,000-byte response given a 29-byte request,” Bitsight explains.

To exploit the vulnerability for DoS amplification, an attacker first finds an SLP server listening on UDP port 427, registers services until the server refuses further entries, then sends requests to the server with the victim’s IP address spoofed as the source so that the now oversized replies are delivered to the victim, and repeats that last step for as long as the attack runs.

“Depending on the software and/or system being used, the size of the reply can potentially reach the practical limit of a single UDP packet, which is typically 65,536 bytes,” Bitsight notes.
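The size relationship described above can be checked without registering services or spoofing anything: send the 29-byte request Bitsight’s figures assume and compare its size with the reply. The script below is an added example, not code from Bitsight, Curesec or VMware. It builds an SLPv2 Service Type Request as laid out in RFC 2608, parses the header of the reply, and reports the reply-to-request size ratio. The scope name DEFAULT, the language tag en, the constructed sample reply and the host you point it at are assumptions of this example, not details from the article.

```python
"""SLPv2 (RFC 2608) exposure probe: added example, not Bitsight's or Curesec's tooling.

Builds the minimal 29-byte Service Type Request that the article's amplification
figures assume, parses the SLP header of a reply, and reports the bandwidth
amplification factor (reply bytes / request bytes) of a host answering on UDP/427.
Assumptions (not from the article): scope "DEFAULT", language tag "en", and that
you are authorised to probe the target. One request is sent; nothing is registered.
"""
import socket
import struct
from dataclasses import dataclass

SLP_PORT = 427
SLP_VERSION = 2
FN_SRVTYPERQST = 9    # Service Type Request
FN_SRVTYPERPLY = 10   # Service Type Reply
FUNCTION_NAMES = {1: "SrvRqst", 2: "SrvRply", 3: "SrvReg", 4: "SrvDereg",
                  5: "SrvAck", 6: "AttrRqst", 7: "AttrRply", 8: "DAAdvert",
                  9: "SrvTypeRqst", 10: "SrvTypeRply", 11: "SAAdvert"}


def _u24(n: int) -> bytes:
    return n.to_bytes(3, "big")


def slp_header(function_id: int, body_len: int, xid: int, lang: bytes = b"en") -> bytes:
    """14-byte fixed header plus language tag; 'length' covers header and body."""
    total = 14 + len(lang) + body_len
    return (bytes([SLP_VERSION, function_id]) + _u24(total)
            + struct.pack("!H", 0)          # flags: O/F/R all clear (unicast request)
            + _u24(0)                       # next extension offset: none
            + struct.pack("!H", xid)
            + struct.pack("!H", len(lang)) + lang)


def build_srvtype_rqst(scope: bytes = b"DEFAULT", xid: int = 1) -> bytes:
    """SrvTypeRqst: empty PRList, naming authority 0xFFFF (= all), one scope.
    With scope DEFAULT this is exactly 29 bytes, the request size the article cites."""
    body = (struct.pack("!H", 0)            # <PRList> length 0
            + struct.pack("!H", 0xFFFF)     # naming authority: all
            + struct.pack("!H", len(scope)) + scope)
    return slp_header(FN_SRVTYPERQST, len(body), xid) + body


def build_srvtype_rply(service_types, xid: int = 1) -> bytes:
    """SrvTypeRply (error code 0 + comma-separated type list). Used here only to
    construct an offline sample; every registered type makes the real reply longer."""
    lst = b",".join(service_types)
    body = struct.pack("!H", 0) + struct.pack("!H", len(lst)) + lst
    return slp_header(FN_SRVTYPERPLY, len(body), xid) + body


@dataclass
class SlpHeader:
    version: int
    function: str
    length: int
    flags: int
    xid: int
    lang: str


def parse_header(data: bytes) -> SlpHeader:
    """Decode the SLPv2 header; rejects truncated or non-SLPv2 datagrams."""
    if len(data) < 14:
        raise ValueError("datagram shorter than an SLP header")
    version, fn = data[0], data[1]
    if version != SLP_VERSION:
        raise ValueError(f"not SLPv2 (version byte {version})")
    length = int.from_bytes(data[2:5], "big")
    flags, = struct.unpack("!H", data[5:7])
    xid, = struct.unpack("!H", data[10:12])
    lang_len, = struct.unpack("!H", data[12:14])
    lang = data[14:14 + lang_len].decode("ascii", "replace")
    return SlpHeader(version, FUNCTION_NAMES.get(fn, f"fn{fn}"), length, flags, xid, lang)


def amplification_factor(request: bytes, reply: bytes) -> float:
    """Bandwidth amplification factor as the article uses it: reply bytes / request bytes."""
    return len(reply) / len(request)


def probe(host: str, timeout: float = 2.0):
    """Send one SrvTypeRqst to host:427/udp; returns (header, factor) or None if silent."""
    req = build_srvtype_rqst()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (host, SLP_PORT))
        try:
            reply, _ = s.recvfrom(65535)   # large fragmented replies are reassembled by the kernel
        except socket.timeout:
            return None
    hdr = parse_header(reply)
    if hdr.xid != 1:
        raise ValueError("reply XID does not match the request")
    return hdr, amplification_factor(req, reply)


# Constructed sample reply (not captured traffic): a responder advertising three types.
SAMPLE_REPLY = build_srvtype_rply([b"service:printer", b"service:http", b"service:wbem"])

if __name__ == "__main__":
    import sys
    if len(sys.argv) < 2:
        h = parse_header(SAMPLE_REPLY)
        print(f"offline sample: {h}, factor {amplification_factor(build_srvtype_rqst(), SAMPLE_REPLY):.1f}x")
    else:
        r = probe(sys.argv[1])
        print("no SLP answer" if r is None else f"{r[0].function}, {r[0].length} bytes, {r[1]:.1f}x")
```

Run with no arguments to see the constructed sample parsed; with a host argument it sends a single datagram to UDP port 427. The finding is that a host answers from an untrusted network at all: the ratio printed is the baseline reflection (in the 1.6X to 12X range Bitsight quotes), which an attacker raises toward 2,200X by registering services first, so a responder that currently lists few service types is not safer than one that lists many.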


In February 2023, more than 2,000 global companies were using SLP, and over 54,000 SLP instances were found to be accessible from the internet. Curesec currently counts roughly 34,000 exploitable SLP systems.

Bitsight says it has identified vulnerable instances belonging to Fortune 1000 organizations in the finance, insurance, healthcare, hospitality, manufacturing, technology, telecommunications, and transportation sectors.

More than 670 different product types were found vulnerable, including IBM Integrated Management Module (IMM), HP printers, Konica Minolta printers, Planex routers, VMware ESXi servers, and many others.

On Tuesday, VMware warned that, while currently supported ESXi releases (ESXi 7.x and 8.x) are not impacted by CVE-2023-29552, releases that are no longer supported, such as 6.7 and 6.5, are vulnerable. Customers are advised to upgrade to a supported release as soon as possible.

According to Cloudflare and Netscout, SLP is likely to soon be abused to amplify distributed denial-of-service (DDoS) attacks, unless organizations take the necessary precautions to secure the SLP instances they use.

Disabling SLP on systems connected to untrusted networks prevents exploitation of CVE-2023-29552. Where SLP cannot be disabled, firewall rules that filter traffic on UDP and TCP port 427 from untrusted networks also mitigate the risk associated with the flaw.

On Tuesday, the US Cybersecurity and Infrastructure Security Agency (CISA) urged network administrators to review the available information on CVE-2023-29552 and to “consider disabling or restricting network access to SLP servers” to prevent exploitation.

Related: Mitel Devices Abused for DDoS Vector With Record-Breaking Amplification Ratio

Related: DDoS Attacks Abuse Network Middleboxes for Reflection, Amplification

Related: Researchers Show How Censorship Systems Can Be Abused for DDoS Amplification

Written by Ionut Arghire, an international correspondent for SecurityWeek.
