SLP flaw allows DDoS attacks with an amplification factor as high as 2200 times

A flaw in the Service Location Protocol (SLP), tracked as CVE-2023-29552, can allow to carry out powerful DDoS attacks.

A high-severity security vulnerability (CVE-2023-29552, CVSS score: 8.6) impacting the Service Location Protocol (SLP) can be exploited by threat actors to conduct powerful volumetric DDoS attacks.

The Service Location Protocol (SLP) is a legacy service discovery protocol that allows computers and other devices to find services in a local area network without prior configuration. 

Researchers from Bitsight and Curesec reported that attackers exploiting this flaw can leverage vulnerable instances to launch massive Denial-of-Service (DoS) amplification attacks. The experts pointed out that the flaw can allow achieving an amplification factor as high as 2200 times, which is one of the largest amplification attacks ever reported. 

The vulnerability impacts more than 2,000 organizations worldwide and over 54,000 SLP instances that are publicly exposed to the Internet, including VMWare ESXi Hypervisor, Konica Minolta printers, Planex Routers, IBM Integrated Management Module (IMM), SMC IPMI, and 665 other product types.

Bitsight reported the flaw to the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and impacted organizations.

In a reflective DoS amplification attack, the attacker sends small requests to a server with the spoofed source IP address of the victim. In turn, the server replies to the victim’s IP address, sending much larger responses than the requests, generating large amounts of traffic to the victim’s system.

“Reflection coupled with service registration significantly amplifies the amount of traffic sent to the victim. The typical reply packet size from an SLP server is between 48 and 350 bytes. Assuming a 29 byte request, the amplification factor — or the ratio of reply to request magnitudes — is roughly between 1.6X and 12X in this situation.” reads the analysis published by Bitsight. “However, SLP allows an unauthenticated user to register arbitrary new services, meaning an attacker can manipulate both the content and the size of the server reply, resulting in a maximum amplification factor of over 2200X due to the roughly 65,000 byte response given a 29 byte request.”

The steps to conduct a reflective DoS amplification attack exploiting this flaw are:

• Step 1: The attacker finds an SLP server on UDP port 427.
• Step 2: The attacker registers services until SLP denies more entries..
• Step 3: The attacker spoofs a request to that service with the victim’s IP as the origin.
• Step 4: The attacker repeats step three as long as the attack is ongoing.

New high-severity vulnerability (CVE-2023-29552) discovered in the Service Location Protocol (SLP) | Bitsight

The experts warn that threat actors will start conducting reflective DoS amplification attacks leveraging CVE-2023-29552 in the coming weeks.

Most of vulnerable SLP instances are in the U.S., the U.K., Japan, Germany, Canada, France, Italy, Brazil, the Netherlands, and Spain.

“To protect against CVE-2023-29552, SLP should be disabled on all systems running on untrusted networks, like those directly connected to the Internet. If that is not possible, then firewalls should be configured to filter traffic on UDP and TCP port 427. This will prevent external attackers from accessing the SLP service.” concludes the report.

Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections:

• The Teacher – Most Educational Blog
• The Entertainer – Most Entertaining Blog
• The Tech Whizz – Best Technical Blog
• Best Social Media Account to Follow (@securityaffairs)

Please nominate Security Affairs as your favorite blog.

Nominate here: https://docs.google.com/forms/d/e/1FAIpQLSfaFMkrMlrLhOBsRPKdv56Y4HgC88Bcji4V7OCxCm_OmyPoLw/viewform

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, SLP)