New SLP Vulnerability Could Let Attackers Launch 2,200x Amplified DDoS Attacks
Details have emerged about a high-severity security vulnerability affecting the Service Location Protocol (SLP) that can be weaponized to launch volumetric denial-of-service attacks against targets.
“Attackers exploiting this vulnerability can leverage a vulnerable instance to launch massive Denial-of-Service (DoS) amplification attacks by factors as high as 2200 times, potentially making it one of the largest amplification attacks ever reported,” Bitsight and Curesec researchers Pedro Umbelino and Marco Lux said in a report shared with The Hacker News.
The vulnerability, which has been assigned the identifier CVE-2023-29552 (CVSS score: 8.6), is said to affect more than 2,000 global organizations and more than 54,000 SLP instances accessible via the internet.
These include the VMware ESXi hypervisor, Konica Minolta printers, Planex routers, IBM Integrated Management Module (IMM), SMC IPMI, and 665 other product types.
The top 10 countries with the most organizations having vulnerable SLP instances are the US, UK, Japan, Germany, Canada, France, Italy, Brazil, Netherlands and Spain.
SLP is a service discovery protocol that enables computers and other devices to discover services on a local area network, such as printers, file servers, and other network resources.
A successful exploit of CVE-2023-29552 could allow an attacker to take advantage of a vulnerable SLP instance to launch a reflection amplification attack and flood the target server with bogus traffic.
To do so, all an attacker needs to do is find an SLP server on UDP port 427 and register “services until SLP rejects more entries,” followed by repeatedly sending spoofed requests to that service with the victim’s IP as the source address.
Such an attack can generate an amplification factor of up to 2,200, resulting in a large-scale DoS attack. To mitigate the threat, users are advised to disable SLP on systems that are directly connected to the internet, or to filter traffic on UDP and TCP port 427.
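The two indicators a defender can actually look for follow directly from the description above: SLP requests on port 427 arriving from outside the local network, and SLP replies that are many times larger than the request that triggered them. The following Python is an added example written for this article, not code from the Bitsight/Curesec report or from any affected vendor. It decodes the fixed SLPv2 header as laid out in RFC 2608, pairs requests with replies by transaction ID to compute the reply/request size ratio, and runs over a handful of constructed flow records; the "internal" address list, the threshold of 10x, and all sample traffic are assumptions to adapt to your own environment.

```python
"""Defender-side checks for SLP (UDP/TCP 427) reflection abuse.

Added example: decodes SLPv2 headers (RFC 2608 layout) and scans flow
records for internet-sourced SLP requests and for replies whose size
dwarfs the request that triggered them (the amplification factor).
"""
import ipaddress
import struct
from typing import Optional

SLP_PORT = 427

# SLPv2 function IDs (RFC 2608, section 8).
FUNCTION_IDS = {
    1: "SrvRqst", 2: "SrvRply", 3: "SrvReg", 4: "SrvDeReg", 5: "SrvAck",
    6: "AttrRqst", 7: "AttrRply", 8: "DAAdvert", 9: "SrvTypeRqst",
    10: "SrvTypeRply", 11: "SAAdvert",
}

# Assumed address plan: anything outside these ranges is treated as internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4")]


def parse_slp_header(payload: bytes) -> Optional[dict]:
    """Decode the fixed SLPv2 header; return None if this is not SLPv2.

    Layout: version(1) function(1) length(3) flags(2) next-ext-offset(3)
            xid(2) lang-tag-len(2) lang-tag(variable)
    """
    if len(payload) < 14 or payload[0] != 2:
        return None
    function_id = payload[1]
    length = int.from_bytes(payload[2:5], "big")
    (flags,) = struct.unpack("!H", payload[5:7])
    xid, lang_len = struct.unpack("!HH", payload[10:14])
    if function_id not in FUNCTION_IDS or length != len(payload) \
            or len(payload) < 14 + lang_len:
        return None
    return {
        "function": FUNCTION_IDS[function_id],
        "length": length,
        "overflow": bool(flags & 0x8000),  # OVERFLOW flag is the top bit
        "xid": xid,
        "lang": payload[14:14 + lang_len].decode("ascii", "replace"),
    }


def build_slp_message(function_id: int, body: bytes, xid: int,
                      lang: bytes = b"en") -> bytes:
    """Frame `body` in an SLPv2 header (used only to build constructed samples)."""
    total = 14 + len(lang) + len(body)
    return (bytes([2, function_id]) + total.to_bytes(3, "big")
            + b"\x00\x00" + b"\x00\x00\x00" + xid.to_bytes(2, "big")
            + len(lang).to_bytes(2, "big") + lang + body)


def is_internet_source(ip: str) -> bool:
    """True when `ip` falls outside the assumed internal address ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def scan_flows(flows: list, amp_threshold: float = 10.0) -> list:
    """Return human-readable findings for a list of flow records.

    Each record: {"src", "dst", "sport", "dport", "payload"}. Requests are
    those sent to port 427; replies are those sent from port 427. They are
    paired by (responder address, XID) to compute the size ratio.
    """
    findings = []
    requests = {}  # (responder, xid) -> (requester, request size)
    for f in flows:
        hdr = parse_slp_header(f["payload"])
        if hdr is None or SLP_PORT not in (f["sport"], f["dport"]):
            continue
        if hdr["function"].endswith("Rqst") and f["dport"] == SLP_PORT:
            requests[(f["dst"], hdr["xid"])] = (f["src"], len(f["payload"]))
            if is_internet_source(f["src"]):
                findings.append(f"{hdr['function']} from internet source "
                                f"{f['src']} to {f['dst']}:{SLP_PORT}")
        elif hdr["function"].endswith("Rply") and f["sport"] == SLP_PORT:
            key = (f["src"], hdr["xid"])
            if key in requests:
                req_src, req_len = requests[key]
                ratio = len(f["payload"]) / req_len
                if ratio >= amp_threshold:
                    findings.append(
                        f"{hdr['function']} xid={hdr['xid']} from {f['src']} is "
                        f"{ratio:.0f}x the request size (reply to {req_src})")
    return findings


def sample_flows() -> list:
    """Constructed traffic: a benign internal exchange, then an internet-sourced
    request answered by a reply padded with 200 URL entries."""
    rqst_body = b"\x00\x00" + b"\x00\x08service:" + b"\x00\x07DEFAULT" + b"\x00\x00" * 2
    url = b"service:printer:lpr://10.0.0.9/q"
    entry = b"\x00" + b"\x00\x3c" + len(url).to_bytes(2, "big") + url + b"\x00"
    big_rply_body = b"\x00\x00" + (200).to_bytes(2, "big") + entry * 200
    return [
        {"src": "10.0.0.5", "dst": "10.0.0.9", "sport": 49152, "dport": 427,
         "payload": build_slp_message(1, rqst_body, xid=7)},
        {"src": "10.0.0.9", "dst": "10.0.0.5", "sport": 427, "dport": 49152,
         "payload": build_slp_message(2, b"\x00\x00\x00\x00", xid=7)},
        {"src": "203.0.113.7", "dst": "10.0.0.9", "sport": 50000, "dport": 427,
         "payload": build_slp_message(1, rqst_body, xid=8)},
        {"src": "10.0.0.9", "dst": "203.0.113.7", "sport": 427, "dport": 50000,
         "payload": build_slp_message(2, big_rply_body, xid=8)},
    ]


if __name__ == "__main__":
    for line in scan_flows(sample_flows()):
        print(line)
```

Running the block prints one finding for the external request and one for the oversized reply. In a real deployment the flow records would come from a packet capture or flow collector; the point of pairing by XID is that a single SLP server answering small requests with kilobyte-sized replies is the amplification signature, whether or not the request source is spoofed.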
“It is equally important to enforce strong authentication and access controls, allowing only authorized users to access the correct network resources, with access being strictly monitored and audited,” the researchers said.
Web security company Cloudflare, in an advisory, said it “expects the prevalence of SLP-based DDoS attacks to increase significantly in the coming weeks” as threat actors experiment with new DDoS amplification vectors.
The findings come as a now-patched two-year-old flaw in VMware’s SLP implementation was exploited by actors associated with the ESXiArgs ransomware in a widespread attack earlier this year.