Security researchers have discovered a high-severity vulnerability in the Service Location Protocol (SLP). The flaw could enable one of the largest DDoS amplification attacks ever seen.
BitSight and Curesec state that the bug, tracked as CVE-2023-29552 and rated CVSS 8.6, could allow an attacker to launch a reflected amplification attack with a multiplier of up to 2200x.
SLP was created in 1997 as a dynamic configuration mechanism for applications within a local area network, allowing systems on the same network to discover and communicate with each other.
Although SLP was not designed to be available on the public Internet, the researchers found it exposed on products including the VMware ESXi hypervisor, Konica Minolta printers, Planex routers, IBM Integrated Management Module (IMM), SMC IPMI, and more.
“Given the severity of the vulnerability and the potential consequences of exploitation, Bitsight has coordinated public disclosure efforts with the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and affected organizations,” the company said.
“Bitsight also worked with denial of service teams of major IT service management companies to assist in remediation. CISA conducted extensive outreach to potentially affected vendors.”
The top three countries with SLP-enabled instances running are the US, UK, and Japan. To protect against CVE-2023-29552, the researchers advised organizations to disable SLP on all systems running on untrusted networks, such as those directly connected to the Internet.
If that is not possible, you should configure your firewall to filter traffic on UDP and TCP port 427 to prevent attackers from accessing SLP.
Amplification attacks work by sending small requests to a server with a spoofed source IP address that matches the victim’s IP. The server responds to the victim’s IP with a much larger response than the request, overwhelming its systems.
BitSight explains that when combined with service registration, this kind of attack can be even more serious.
“Normal response packet sizes from SLP servers are 48-350 bytes. Assuming a 29-byte request, the amplification factor (i.e., the ratio of response size to request size) in this situation is approximately 1.6X to 12X.
“However, SLP allows unauthenticated users to register new services of their choice. In other words, an attacker can manipulate both the content and size of the server’s response, resulting in a response of approximately 65,000 bytes, so the maximum amplification factor is over 2200X per request.”
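As an added example (not code from the article or from Bitsight's research), the following Python detector runs over constructed flow records and flags peers that receive SLP replies larger than the normal 48-350 byte range or far larger than the requests they sent, which is what a reflection victim's address looks like from the reflector's side. The record layout, addresses and thresholds are assumptions.

```python
"""Flag likely SLP (port 427) reflection traffic in flow records.

Constructed record layout (assumed): (src_ip, src_port, dst_ip, dst_port, proto, bytes).
In a reflection attack the spoofed victim address sends tiny requests to
port 427 and receives very large replies, so we aggregate per peer.
"""
from collections import defaultdict

SLP_PORT = 427
NORMAL_MAX_REPLY = 350    # top of the 48-350 byte normal reply range
SUSPICIOUS_RATIO = 12.0   # above the ~1.6X-12X ratio of ordinary replies

# Constructed sample flows with documentation-range addresses.
SAMPLE_FLOWS = [
    ("203.0.113.10", 40000, "192.0.2.5", 427, "udp", 29),    # normal request
    ("192.0.2.5", 427, "203.0.113.10", 40000, "udp", 200),   # normal reply
    ("198.51.100.7", 51000, "192.0.2.5", 427, "udp", 29),    # spoofed "victim"
    ("192.0.2.5", 427, "198.51.100.7", 51000, "udp", 65000), # oversized reply
    ("198.51.100.7", 51000, "192.0.2.5", 427, "udp", 29),
    ("192.0.2.5", 427, "198.51.100.7", 51000, "udp", 65000),
]


def amplification_by_peer(flows, port=SLP_PORT):
    """Return {peer_ip: {"req": bytes, "rep": bytes, "max_reply": n, "ratio": r}}."""
    stats = defaultdict(lambda: {"req": 0, "rep": 0, "max_reply": 0})
    for src, sport, dst, dport, _proto, nbytes in flows:
        if dport == port:                       # request towards the SLP server
            stats[src]["req"] += nbytes
        elif sport == port:                     # reply from the SLP server
            stats[dst]["rep"] += nbytes
            stats[dst]["max_reply"] = max(stats[dst]["max_reply"], nbytes)
    for s in stats.values():
        # A peer that only receives replies (no visible request) is treated as infinite ratio.
        s["ratio"] = s["rep"] / s["req"] if s["req"] else float("inf")
    return dict(stats)


def flag_reflection(flows, ratio=SUSPICIOUS_RATIO, max_reply=NORMAL_MAX_REPLY):
    """Return {peer_ip: reason} for peers whose SLP replies look amplified."""
    alerts = {}
    for peer, s in amplification_by_peer(flows).items():
        if s["max_reply"] > max_reply:
            alerts[peer] = f"reply of {s['max_reply']} bytes exceeds {max_reply}"
        elif s["ratio"] > ratio:
            alerts[peer] = f"reply/request ratio {s['ratio']:.1f}X exceeds {ratio}X"
    return alerts


if __name__ == "__main__":
    for peer, reason in flag_reflection(SAMPLE_FLOWS).items():
        print(f"ALERT {peer}: {reason}")
```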