Details have emerged about a high-severity security vulnerability affecting the Service Location Protocol (SLP). This vulnerability could be weaponized to launch a mass denial of service attack against a target.
Bitsight and Curesec researcher Pedro Umbelino said, “An attacker exploiting this vulnerability could leverage vulnerable instances to launch a massive denial of service (DoS) amplification attack with a multiplier of up to 2200x. This could be one of the largest amplification attacks ever reported.” said Marco Lux in a report shared with HackerNews.
Vulnerabilities with assigned identifiers CVE-2023-29552 (CVSS score: 8.6) is said to affect over 2,000 global organizations and over 54,000 SLP instances accessible over the Internet.
This includes VMWare ESXi hypervisors, Konica Minolta printers, Planex routers, IBM Integrated Management Modules (IMMs), SMC IPMI, and 665 other products.
The top 10 countries with the most organizations with vulnerable SLP instances are the United States, United Kingdom, Japan, Germany, Canada, France, Italy, Brazil, the Netherlands, and Spain.
SLP is a service discovery protocol that allows computers and other devices to find services within a local area network, such as printers, file servers, and other network resources.
Successful exploitation of CVE-2023-29552 could allow an attacker to leverage a susceptible SLP instance to launch a reflection amplification attack to overwhelm the target server with bogus traffic.
To do this, all the attacker needs to do is find an SLP server on UDP port 427, register a “service until SLP denies further entries”, and then use the victim’s IP as the source address. is to repeatedly spoof requests to that service as
Zero Trust + Deception: Learn How to Outsmart Attackers!
See how Deception can detect advanced threats, stop lateral movement, and strengthen your Zero Trust strategy. Join us for an insightful webinar!
Save my seat!
This kind of attack can produce an amplification factor of up to 2,200x and cause a massive DoS attack. To mitigate this threat, we recommend disabling SLP on Internet-facing systems or filtering traffic on UDP and TCP port 427 instead.
“It is equally important to enforce strong authentication and access controls, ensure that only authorized users have access to the correct network resources, and closely monitor and audit access,” said the researchers.
Web security firm Cloudflare said in an advisory that it “expects the prevalence of SLP-based DDoS attacks to increase significantly in the coming weeks” as attackers experiment with new DDoS amplification vectors. I’m here.
The findings are due to a two-year-old patched vulnerability in VMware’s SLP implementation that was exploited earlier this year in a widespread attack by actors associated with the ESXiArgs ransomware.
