Posted on April 26, 2023 at 4:44 PM
New SLP vulnerability can be exploited to launch DDoS attacks
A recent report has revealed how a vulnerability affecting Service Location Protocol (SLP) can be exploited to launch massive distributed denial-of-service (DDoS) attacks against targets. The security vulnerability has a high severity score.
New SLP vulnerability detected
A recent report published by Bitsight and Curesec researchers Pedro Umbelino and Marco Lux puts the vulnerability's amplification factor at as high as 2000 times. The researchers noted that the vulnerability could be used to launch attacks of very high magnitude.
“Attackers exploiting this vulnerability could leverage vulnerable instances to launch massive Denial-of-Service (DoS) amplification attacks with a factor as high as 2,200 times, potentially making it one of the largest amplification attacks ever reported,” the report said.
This vulnerability is being tracked as CVE-2023-29552 (CVSS score: 8.6). The vulnerability appears to have a broad reach as it has affected over 2,000 global organizations and more than 54,000 SLP instances that can be accessed over the internet.
The products vulnerable to this flaw include IBM Integrated Management Module (IMM), Konica Minolta printers, Planex routers, SMC IPMI, and the VMware ESXi hypervisor. The vulnerability has also affected 665 other product types.
The vulnerability affects many organizations, and those with vulnerable SLP instances are spread across the globe. The top ten countries with the largest number of vulnerable organizations are Brazil, Canada, France, Germany, Italy, Japan, Spain, the Netherlands, the UK, and the US.
As mentioned above, the vulnerability lies in SLP, a service discovery protocol used by computers and other devices. SLP serves a wide range of functions, such as locating services within a local area network, including file servers, printers, and other network resources.
SLP vulnerability can overwhelm target servers with bogus traffic
If an attacker successfully exploits the CVE-2023-29552 flaw, they can take advantage of vulnerable SLP instances to conduct a reflection amplification attack, overwhelming the target server with bogus traffic in a DDoS campaign that can cripple an organization's operations.
All an attacker needs to conduct this exploit is to locate an SLP server on UDP port 427 and register services until the SLP server can accept no more entries. The attacker then repeatedly spoofs requests to the service, with the victim's IP address used as the source address.
Such an attack can reach an amplification factor of up to 2,200 and trigger a large-scale DDoS attack. Users who want to mitigate this attack have been advised to disable SLP on systems connected to the internet. Additionally, users can filter traffic on UDP and TCP port 427.
The researchers further advised users to adopt robust authentication and access controls. It is also advisable to only allow authorized users to access network resources while ensuring access is monitored and audited.
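As an added illustration of the monitoring advice above (this is not code from the report, Bitsight, Curesec or Cloudflare), the following Python sketch scans constructed NetFlow-style records for the reflection pattern the article describes: small UDP requests to port 427 answered by much larger and more numerous responses to a single remote address. The record format, the threshold values and the byte sizes are assumptions chosen for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

SLP_PORT = 427  # Service Location Protocol listens on UDP/TCP 427


@dataclass
class Flow:
    """One unidirectional flow record; the field set is a constructed, NetFlow-like subset."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    nbytes: int


def slp_reflection_suspects(flows, min_ratio=10.0, min_responses=5):
    """Group UDP traffic by (reflector, remote host) and report pairs whose SLP replies
    are far larger and more numerous than the requests that triggered them. On a reflector,
    spoofed requests carry the victim's address as src_ip, so the victim is the 'remote' side."""
    req_bytes = defaultdict(int)
    resp_bytes = defaultdict(int)
    resp_count = defaultdict(int)
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dst_port == SLP_PORT:            # request arriving at the SLP service
            req_bytes[(f.dst_ip, f.src_ip)] += f.nbytes
        elif f.src_port == SLP_PORT:          # reply leaving the SLP service
            resp_bytes[(f.src_ip, f.dst_ip)] += f.nbytes
            resp_count[(f.src_ip, f.dst_ip)] += 1
    suspects = []
    for key, out_bytes in resp_bytes.items():
        ratio = out_bytes / max(req_bytes.get(key, 0), 1)  # no request seen -> count as 1 byte
        if resp_count[key] >= min_responses and ratio >= min_ratio:
            suspects.append({"reflector": key[0], "victim": key[1],
                             "responses": resp_count[key], "amplification": round(ratio, 1)})
    return sorted(suspects, key=lambda s: -s["amplification"])


def sample_flows():
    """Constructed records: one normal LAN lookup, then six tiny spoofed requests
    answered by 64 kB replies aimed at an address in the 203.0.113.0/24 documentation range."""
    flows = [Flow("10.0.0.5", 51000, "10.0.0.20", SLP_PORT, "udp", 100),
             Flow("10.0.0.20", SLP_PORT, "10.0.0.5", 51000, "udp", 300)]
    for i in range(6):
        flows.append(Flow("203.0.113.9", 40000 + i, "10.0.0.20", SLP_PORT, "udp", 29))
        flows.append(Flow("10.0.0.20", SLP_PORT, "203.0.113.9", 40000 + i, "udp", 64000))
    return flows
```

Running `slp_reflection_suspects(sample_flows())` flags only the external address as a likely victim, with an amplification of roughly 2,200; the benign LAN lookup stays below both thresholds.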
Cloudflare has already published an advisory on this vulnerability. The cybersecurity company has said that it anticipates that there will be an increase in the number of SLP-based DDoS attacks in the coming weeks. Threat actors are likely to start testing the new DDoS amplification vector.
The US Cybersecurity and Infrastructure Security Agency (CISA) has noted this flaw. CISA has warned about the increased likelihood of attacks that abuse SLP to run a high amplification factor DoS attack by exploiting spoofed source addresses.
The statement by CISA said, “The Service Location Protocol (SLP, RFC 2608) allows an unauthenticated remote attacker to register arbitrary services. This could allow an attacker to use spoofed UDP traffic to conduct a denial-of-service (DoS) attack with a significant amplification factor.”
These findings also come after a two-year-old bug within VMware’s SLP implementation was exploited by hackers linked to the ESXiArgs ransomware group. The vulnerability has since been patched, but it was used to conduct a wide range of attacks earlier this year.
The company said that it had investigated this flaw and detected that ESXi 7.x and 8.x lines were unaffected. The researchers noted that the attack had only affected the older versions that had reached the end of general support.
Edward Hawkins of VMware noted that the best way to address this vulnerability is to upgrade to a release line unaffected by the bug. The company said that, as part of an upgrade to a supported release, ESXi admins need to ensure that ESXi hosts are not exposed to untrusted networks and should disable SLP.