Details have emerged about a high-severity security vulnerability affecting the Service Location Protocol (SLP) that could be weaponized to launch volumetric denial-of-service attacks against targets.
“Attackers exploiting this vulnerability could leverage vulnerable instances to launch massive denial-of-service (DoS) amplification attacks with a factor of up to 2200 times, potentially making it one of the largest amplification attacks ever reported,” Bitsight and Curesec researchers Pedro Umbelino and Marco Lux said in a report shared with The Hacker News.
The vulnerability, which has been assigned the identifier CVE-2023-29552 (CVSS score: 8.6), is said to affect more than 2,000 global organizations and more than 54,000 Internet-accessible SLP instances.
This includes VMware ESXi Hypervisor, Konica Minolta printers, Planex routers, IBM Integrated Management Module (IMM), SMC IPMI and 665 other product types.
The top 10 countries with the most organizations with vulnerable SLP instances are the United States, the United Kingdom, Japan, Germany, Canada, France, Italy, Brazil, the Netherlands, and Spain.
SLP is a service discovery protocol that makes it possible for computers and other devices to find services on a local area network, such as printers, file servers, and other network resources.
Successfully exploiting CVE-2023-29552 could allow an attacker to leverage susceptible SLP instances to launch a reflection amplification attack and overwhelm a target server with spoofed traffic.
To do so, an attacker only needs to find an SLP server on UDP port 427 and register “services until SLP denies more entries”, then repeatedly send requests to that service that are spoofed to carry the victim's IP as the source address.
Such an attack can produce an amplification factor of up to 2,200, resulting in large-scale DoS attacks. To mitigate the threat, users are advised to disable SLP on systems directly connected to the Internet, or alternatively, filter traffic on UDP and TCP port 427.
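For defenders who cannot disable SLP immediately, the reflection pattern described above can be spotted in captured UDP traffic. The following is an added example, not code from the researchers' report: it classifies SLPv2 messages by the function ID in the header (values from RFC 2608), then reports reply-to-request byte ratios per server and client pair and counts service registrations. The function names, the threshold, the addresses and the sample capture are all constructed for illustration.

```python
from collections import Counter, defaultdict

SLP_PORT = 427                                  # port named in the article
SRV_RQST, SRV_RPLY, SRV_REG = 1, 2, 3           # SLPv2 function IDs (RFC 2608)

def slp_function(payload):
    """Return the SLPv2 function ID of a UDP payload, or None if it is not SLPv2."""
    if len(payload) < 5 or payload[0] != 2:     # byte 0 = version, byte 1 = function ID
        return None
    return payload[1]

def analyze(packets, min_factor=10.0):
    """packets: (src_ip, src_port, dst_ip, dst_port, udp_payload) tuples.
    Returns ({(server, client): reply/request byte ratio >= min_factor},
             Counter of SrvReg messages per (server, source))."""
    req, rep, regs = defaultdict(int), defaultdict(int), Counter()
    for src, sport, dst, dport, payload in packets:
        func = slp_function(payload)
        if func is None:
            continue
        if dport == SLP_PORT and func == SRV_RQST:
            req[(dst, src)] += len(payload)     # bytes the server was asked with
        elif dport == SLP_PORT and func == SRV_REG:
            regs[(dst, src)] += 1               # who is filling the service table
        elif sport == SLP_PORT and func == SRV_RPLY:
            rep[(src, dst)] += len(payload)     # bytes the server sent back
    reflection = {}
    for pair, reply_bytes in rep.items():
        if req[pair] and reply_bytes / req[pair] >= min_factor:
            reflection[pair] = round(reply_bytes / req[pair], 1)
    return reflection, regs

def _msg(func, size):
    """Constructed sample: SLPv2 version byte, function ID, 24-bit length, zero padding."""
    return bytes([2, func]) + size.to_bytes(3, "big") + bytes(size - 5)

# Constructed capture at the edge of a network hosting an SLP server (203.0.113.10).
SAMPLE = (
    [("198.51.100.7", 40000, "203.0.113.10", 427, _msg(SRV_REG, 120))] * 30
    + [("192.0.2.50", 5353, "203.0.113.10", 427, _msg(SRV_RQST, 29)),
       ("203.0.113.10", 427, "192.0.2.50", 5353, _msg(SRV_RPLY, 1400))] * 20
    + [("203.0.113.77", 50123, "203.0.113.10", 427, _msg(SRV_RQST, 29)),
       ("203.0.113.10", 427, "203.0.113.77", 50123, _msg(SRV_RPLY, 58))]
)

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

A high ratio toward an off-network "client" combined with a burst of registrations from an unfamiliar source is the signal to filter port 427 for that server.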
“It is equally important to enforce authentication and access controls, which allow only authorized users to access the correct network resources, with access closely monitored and audited,” the researchers said.
Web security firm Cloudflare, in an advisory, said it “expects the prevalence of SLP-based DDoS attacks to increase significantly in the coming weeks” as threat actors experiment with the new DDoS amplification vector.
The findings come as a two-year-old flaw in VMware’s SLP implementation was exploited by actors associated with the ESXiArgs ransomware in widespread attacks earlier this year.
In a major security issue for the online world, a new vulnerability in the Serverless Computing (SLPV) technology has been identified that could potentially allow attackers to launch Distributed Denial of Service (DDoS) attacks up to 2200 times more powerful than what is typical today. The problem was identified by security specialists from Ikaroa, one of the leading full-stack tech companies.
The SLPV weakness could be exploited by a malicious actor to increase their computing power and improve the effectiveness of their attack, allowing them to effectively crash closed network segments or services. It has already been tested on Amazon’s AWS platform and the results are worrying. A script generated by the malicious actor, fed into the Serverless Computing system, can be used to replicate hundreds of times, creating an almost unstoppable force of simultaneous requests. The sheer number of requests will then cause instability, shutting down server connections and essentially crashing the vulnerable service.
The vulnerability can be exploited by multiple different devices and systems, such as smartphones and workstations, amplifying the potential threat that already exists with traditional DDoS attacks. This is a very real concern for a number of organisations and start-ups that rely heavily on serverless computing. These services not only provide hosting for online applications, but can also provide essential functionalities such as authentication and authorisation services for those applications.
Organisations can protect themselves from this vulnerability by having good security management in place and ensuring that serverless computing resources are allocated according to the appropriate security policies. Through closer monitoring, organisations can also ensure that malicious actors are blocked should they attempt to exploit the vulnerability.