
Critical SLP Vulnerability Allows Massive 2,200x DoS Amplification Attacks

A newly discovered vulnerability in the Service Location Protocol (SLP) has been found to enable reflective Denial-of-Service (DoS) Amplification attacks, according to cybersecurity researchers at BitSight and Curesec.

The flaw, identified as CVE-2023-29552, allows malicious actors to launch massive DDoS attacks with an amplification rate of up to 2,200 times.

The vulnerability affects over 2,000 organizations, whose devices expose around 54,000 exploitable SLP instances.

These vulnerable services include popular devices such as VMware ESXi Hypervisors, Konica Minolta printers, IBM Integrated Management Modules, and Planex Routers that are widely deployed by organizations across the globe.

The affected devices are owned by several Fortune 1000 companies operating in various sectors, including telecommunications, technology, insurance, healthcare, hospitality, finance, and transportation.

The SLP Vulnerability CVE-2023-29552

Service Location Protocol (SLP) is an older internet protocol, originally designed in 1997 to let devices on a local area network (LAN) discover and communicate with each other easily.

While SLP was never intended for use on the public internet, many organizations have exposed it on tens of thousands of devices over the years.

CVE-2023-29552 allows attackers to launch reflective DoS amplification attacks on targets by registering arbitrary services on the SLP server, manipulating the content and size of its reply to achieve an amplification factor of up to 2,200 times.

With so many servers now exposed, threat actors could potentially conduct massive DDoS attacks on companies, government entities, and critical services to make them unreachable or cause them to malfunction.

Recognizing the gravity of this flaw, CISA has been conducting extensive outreach to inform potentially impacted vendors of the vulnerability.

Denial-of-Service Attack with 2,200x Amplification

Typically, a DoS amplification attack involves sending a request to a vulnerable device with the source IP address set to that of the intended victim. The abused service amplifies the request as far as it can, and the resulting reply is returned to the victim.

In the case of SLP, the typical size of a reply packet is between 48 and 350 bytes, resulting in an amplification factor of up to 12x. However, with the exploitation of CVE-2023-29552, attackers can register new services on the server until the response buffer is full, leading to a potential amplification factor of 2,200x.

This means a small 29-byte request can be transformed into a massive 65,000-byte response directed at the target. As a result, even a single under-resourced attacker can have a significant impact on a targeted network and/or server via a reflective DoS amplification attack.

Disabling SLP on all systems exposed to the internet or untrusted networks is recommended. If this is not feasible, configuring a firewall to filter traffic on UDP and TCP port 427 can help prevent malicious requests from reaching SLP services. VMware has also taken note of the vulnerability, releasing a bulletin that advises administrators to refrain from exposing older, unsupported ESXi releases to untrusted networks.
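For defenders who cannot disable SLP immediately, the sizes quoted above give a usable detection baseline. The following is an added example, not code from BitSight, Curesec or any vendor: it scans flow records for SLP servers whose UDP replies exceed the normal 350-byte / 12x range. The record layout, function name and sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

# Baseline from the article: normal SLP replies are 48-350 bytes,
# at most about 12x the size of a request.
SLP_PORT = 427
MAX_NORMAL_REPLY = 350
MAX_NORMAL_RATIO = 12.0

# Constructed sample flow records (not real traffic):
# (src_ip, src_port, dst_ip, dst_port, proto, bytes)
SAMPLE_FLOWS = [
    ("198.51.100.7", 40112, "203.0.113.10", 427, "udp", 29),
    ("203.0.113.10", 427, "198.51.100.7", 40112, "udp", 65000),
    ("192.0.2.55", 51000, "203.0.113.20", 427, "udp", 29),
    ("203.0.113.20", 427, "192.0.2.55", 51000, "udp", 310),
    ("192.0.2.99", 44321, "203.0.113.30", 443, "tcp", 500),
]


def find_slp_reflectors(flows):
    """Return {server_ip: reasons} for SLP servers whose replies look amplified."""
    stats = defaultdict(lambda: {"req": 0, "rep": 0, "max_rep": 0})
    for src, sport, dst, dport, proto, size in flows:
        if proto != "udp":
            continue  # reflection relies on connectionless UDP
        if dport == SLP_PORT:            # request towards an SLP server
            stats[dst]["req"] += size
        elif sport == SLP_PORT:          # reply from an SLP server
            s = stats[src]
            s["rep"] += size
            s["max_rep"] = max(s["max_rep"], size)

    findings = {}
    for server, s in stats.items():
        reasons = []
        if s["max_rep"] > MAX_NORMAL_REPLY:
            reasons.append(f"reply of {s['max_rep']} bytes exceeds {MAX_NORMAL_REPLY}")
        # Replies with no observed request are treated as an infinite ratio.
        ratio = s["rep"] / s["req"] if s["req"] else float("inf")
        if s["rep"] and ratio > MAX_NORMAL_RATIO:
            reasons.append(f"reply/request ratio {ratio:.0f}x exceeds {MAX_NORMAL_RATIO:.0f}x")
        if reasons:
            findings[server] = reasons
    return findings


if __name__ == "__main__":
    for server, reasons in find_slp_reflectors(SAMPLE_FLOWS).items():
        print(server, "->", "; ".join(reasons))
```

Any server this flags is a candidate for the mitigation above: disable SLP or filter port 427 in front of it.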


