Threat actors can conduct enormous denial-of-service attacks with 2,200X amplification thanks to a new reflected Denial-of-Service (DoS) increasing its vulnerability in the Service Location Protocol (SLP). Researchers at BitSight and Curesec identified this weakness as CVE-2023-29552. They claim that around 2,000 companies are utilizing equipment that exposes about 54,000 exploitable SLP instances that can be used in DDoS amplification assaults.
These are just a few unknowing enterprises worldwide that have implemented vulnerable services. The nations with the most vulnerable locations are (the U.S., Great Britain, Japan, Germany, Canada, France, Italy, Brazil, the Netherlands, and Spain). Multiple Fortune 1000 firms hold these locations in the fields of technology, telecommunications, healthcare, insurance, finance, hospitality, and transportation.
Vulnerability of SLP
An outdated internet protocol called Service Location Protocol (SLP) was developed in 1997 for usage in local area networks (LAN). It makes it simple for devices to connect and communicate with one another by employing a system of service availability across TCP and UDP on port 427.
SLP has been exposed to tens of thousands of machines throughout the years despite its original use never being made public on the Internet. “Service Location offers a dynamic configuration method for local area network applications.
All of these instances, according to BitSight, have the CVE-2023-29552 vulnerability (CVSS score: 8.6), which attackers can use to perform reflection DoS amplification attacks on targets. Amplification factors of up to 2,200x are possible by changing the content and size of the reply thanks to the bug, which enables unregistered attackers to register any SLP services.
With so many servers left open, threat actors may be able to launch large-scale DDoS attacks against organizations, governmental bodies, and vital services to render them unavailable or render them inoperable.
The Cybersecurity and Infrastructure Agency (CISA) of the U.S. Department of Homeland Security has performed substantial outreach to alert possible affected suppliers of the vulnerability due to the severe severity of the defect.
DoS amplification attacks entail making a request to a vulnerable device together with the target’s source IP address, allowing the size of the data to increase within the exploited service to its maximum level, and then releasing the response to the victim.
An SLP server’s reply packets typically range in size from 48 to 350 bytes. Therefore the amplification factor can be as high as 12x without any manipulation. However, by registering new services until the response buffer is filled, it is feasible to expand the server’s UDP response size by exploiting CVE-2023-29552.
By doing this, attackers can turn a small 29-byte request into a huge 65,000-byte answer that is aimed at the target, achieving a maximum amplification ratio of 2,200x. An under-resourced threat actor can use a reflecting DoS amplification attack to severely damage a targeted network or server due to this high amplification factor, cautions the BitSight analysis.
A threat actor would use numerous SLP instances to launch such an attack in a real attack scenario, coordinating their reactions and deluging their targets with a lot of traffic. On systems connected to the Internet or unreliable networks, SLP should be disabled to safeguard your organization’s resources against potential misuse.
In the event that this is not possible, it is advised to set up a firewall that filters traffic on UDP and TCP port 427, which serves as the primary entry point for malicious requests that target SLP services.
Additionally, VMware released a bulletin on the subject in which it was made clear that the problem only affects older unsupported ESXi releases and advised administrators to keep them away from unsecured networks.
Conclusion
SLP’s high-severity security vulnerability might be used to perform volumetric denial-of-service attacks. Researchers reported that attackers could use vulnerable instances to launch massive Denial-of-Service (DoS) attacks as high as 2200 times. CVE-2023-29552 (CVSS score: 8.6) affects around 2,000 global companies and 54,000 internet-accessible SLP instances. The U.S., U.K., Japan, Germany, Canada, France, Italy, Brazil, the Netherlands, and Spain have the most SLP-vulnerable organizations. SLP lets computers and other devices find local area networks services like printers, file servers, and other network resources. An attacker might use vulnerable SLP instances to perform a reflection amplification attack and flood a target server with fake traffic by exploiting CVE-2023-29552.
An attacker merely needs to find an SLP server on UDP port 427, register services until SLP forbids new entries, and repeatedly spoof a request to that service using a victim’s IP. This type of attack can amplify DoS attacks by 2,200. Disable SLP on internet-connected systems or filter UDP and TCP port 427 traffic to reduce the hazard. The researchers stated that strong authentication and access rules, which allow only authorized users to access network resources, must be closely monitored and inspected. Cloudflare anticipates SLP-based DDoS attacks to increase in the coming weeks as threat actors test the new DDoS amplification vector. The ESXiArgs ransomware exploited a two-year-old VMware SLP hole in widespread attacks earlier this year.
