A high-severity vulnerability has been discovered in SLP (Service Location Protocol) tracked as CVE-2023-29552 with a CVSS score of 8.6 out of 10. The vulnerability, if exploited, allows threat actors to carry out powerful volumetric DDoS attacks with an amplification factor as high as 2,200 times, one of the highest amplification attacks ever reported.
The vulnerability was discovered by Bitsight and Curesec researchers, who report that more than 2,000 organisations globally are affected by the issue, with over 54,000 SLP instances exposed to the internet. These include VMware ESXi hypervisors, Planex routers, IBM's Integrated Management Module (IMM), Konica Minolta printers and 666 other product types.
In a typical DoS amplification attack, the attacker finds an SLP server on UDP port 427 and then sends a spoofed request for a particular service with the victim's IP as the source address. That second step is repeated for as long as the attack is ongoing, that is, until either the service crashes or the attacker decides to stop. These kinds of attacks have an amplification factor of 1.6 to 12 times.
However, when leveraging CVE-2023-29552, once the attacker has found an SLP server on UDP port 427, they start registering services until SLP denies more entries. After that, the attacker will pivot back to sending spoofed requests to the server with the victim’s IP as the origin and keeps repeating that for as long as the attack is being carried out.
The setup phase only needs to happen once to fill the server's response buffer. The attack also lets the attacker manipulate both the content and size of the server reply by registering random new services. This makes the interaction between the server and the attacker look like a service registration loop until the server buffer is full, before spoofed requests overwhelm the server.
The researchers warn that threat actors could start leveraging this flaw in the coming weeks. At the moment, the only countermeasure is to disable SLP on all systems running on untrusted networks, such as those exposed to the internet. Where that is not possible, firewalls should be configured to filter traffic on UDP and TCP port 427 to prevent attackers from reaching the SLP service.
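The two traffic patterns described above (a burst of service registrations that fills the server's buffer, followed by small spoofed requests that draw very large replies toward the victim) are what a network defender would look for while the port-427 filtering is being rolled out. The following detector is an added example, not code from the article or from Bitsight or Curesec: it classifies SLPv2 datagrams on UDP/427 by the function ID in their header (layout per RFC 2608, section 8) and flags a source that registers services in a loop and a server whose replies to one address dwarf that address's requests. The IP addresses, the datagram bodies (zero filler, not real registrations or replies) and the two thresholds are constructed assumptions; the 20x amplification threshold sits above the 1.6 to 12 times the article gives for ordinary SLP traffic.

```python
"""Added example: flag SLP registration loops and amplified replies on UDP/427.
Sample datagrams are constructed here with dummy bodies; they are not captures."""
from collections import defaultdict

SLP_PORT = 427
# SLPv2 function IDs (RFC 2608, section 8).
SRVRQST, SRVRPLY, SRVREG = 1, 2, 3
REQUEST_IDS = {1, 6, 9}   # SrvRqst, AttrRqst, SrvTypeRqst
REPLY_IDS = {2, 7, 10}    # SrvRply, AttrRply, SrvTypeRply


def parse_slp_header(data: bytes):
    """Return (function_id, length, xid, lang_tag) for an SLPv2 header,
    or None if the datagram is too short or is not version 2."""
    if len(data) < 14 or data[0] != 2:
        return None
    function_id = data[1]
    length = int.from_bytes(data[2:5], "big")        # 3-byte packet length
    # bytes 5-6: flags, bytes 7-9: next extension offset
    xid = int.from_bytes(data[10:12], "big")
    lang_len = int.from_bytes(data[12:14], "big")
    lang_tag = data[14:14 + lang_len].decode("ascii", "replace")
    return function_id, length, xid, lang_tag


def build_datagram(function_id: int, body_len: int, xid: int = 1) -> bytes:
    """Constructed test input: a valid SLPv2 header followed by body_len
    zero bytes. The body carries no real service data."""
    lang = b"en"
    total = 14 + len(lang) + body_len
    header = (bytes([2, function_id]) + total.to_bytes(3, "big")
              + b"\x00\x00"            # flags
              + b"\x00\x00\x00"        # next extension offset
              + xid.to_bytes(2, "big")
              + len(lang).to_bytes(2, "big") + lang)
    return header + b"\x00" * body_len


def analyse(datagrams, reg_threshold=20, amp_threshold=20.0):
    """datagrams: iterable of (src_ip, sport, dst_ip, dport, payload).
    Returns {'registration_loops': [src...],
             'amplification': {(server, client): reply_bytes/request_bytes}}."""
    reg_count = defaultdict(int)     # src -> SrvReg datagrams sent
    req_bytes = defaultdict(int)     # (server, client) -> request bytes seen
    rply_bytes = defaultdict(int)    # (server, client) -> reply bytes seen
    for src, sport, dst, dport, payload in datagrams:
        if SLP_PORT not in (sport, dport):
            continue
        hdr = parse_slp_header(payload)
        if hdr is None:
            continue
        fid = hdr[0]
        if fid == SRVREG:
            reg_count[src] += 1
        elif fid in REQUEST_IDS:
            req_bytes[(dst, src)] += len(payload)    # client src -> server dst
        elif fid in REPLY_IDS:
            rply_bytes[(src, dst)] += len(payload)   # server src -> client dst
    loops = sorted(s for s, n in reg_count.items() if n >= reg_threshold)
    amp = {}
    for key, out_bytes in rply_bytes.items():
        ratio = out_bytes / max(req_bytes.get(key, 0), 1)
        if ratio >= amp_threshold:
            amp[key] = ratio
    return {"registration_loops": loops, "amplification": amp}


def sample_datagrams():
    """Constructed traffic: a registration burst, one normal exchange, and one
    small spoofed request that draws a very large reply toward the victim."""
    server, attacker = "198.51.100.10", "203.0.113.5"
    client, victim = "192.0.2.7", "192.0.2.99"
    traffic = [(attacker, 40000, server, SLP_PORT, build_datagram(SRVREG, 100, i))
               for i in range(25)]
    traffic += [(client, 40001, server, SLP_PORT, build_datagram(SRVRQST, 40)),
                (server, SLP_PORT, client, 40001, build_datagram(SRVRPLY, 200)),
                (victim, 40002, server, SLP_PORT, build_datagram(SRVRQST, 40)),
                (server, SLP_PORT, victim, 40002, build_datagram(SRVRPLY, 30000))]
    return traffic


if __name__ == "__main__":
    print(analyse(sample_datagrams()))
```

Both thresholds are tuning knobs: the registration count should be set from a baseline of how often legitimate service agents register on the monitored server, and the reply/request ratio can be lowered toward the article's 12x upper bound once normal SrvRply sizes are known. Either alert is a reason to confirm that UDP and TCP 427 are filtered at the perimeter, as the article recommends.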