Security researchers have discovered a high-severity vulnerability in the Service Location Protocol (SLP) that could be exploited to launch one of the largest DDoS amplification attacks ever seen.
BitSight and Curesec said the CVSS 8.6 CVE-2023-29552 bug could allow attackers to launch reflective amplification attacks by a factor of up to 2200 times.
SLP was created in 1997 as a dynamic configuration mechanism for applications on local area networks, allowing systems on the same network to find and communicate with each other.
Although it was not designed to be available on the public Internet, the researchers found it running in more than 2000 organizations and more than 54,000 SLP-speaking instances worldwide, including VMware ESXi hypervisors, Konica Minolta printers, Planex routers, IBM Integrated Management Modules (IMM), SMC IPMI and more.
“Given the criticality of the vulnerability and the potential consequences of exploitation, Bitsight coordinated public disclosure efforts with the US Department of Homeland Security’s Cybersecurity and Infrastructure Agency (CISA) and affected organizations,” the firm said.
“Bitsight also collaborated with denial-of-service teams at major IT service management companies to assist with remediation. CISA conducted extensive outreach to potentially affected vendors.”
The top three countries running SLP-speaking instances are the US, the UK, and Japan. To protect against CVE-2023-29552, the researchers advised organizations to disable SLP on all systems running on untrusted networks, such as those directly connected to the Internet.
If they can’t do that, firewalls should be configured to filter traffic on UDP and TCP port 427 to prevent attackers from accessing SLP, he said.
Amplification attacks work by sending small requests to a server with a spoofed source IP address that matches the victim’s IP. The server responds to the victim’s IP with responses much larger than requests, overwhelming this system.
When combined with service registration, this type of attack can be even more serious, BitSight explained.
“The typical size of an SLP server’s response packet is between 48 and 350 bytes. Assuming a 29-byte request, the amplification factor, or the ratio of response size to request size, is about 1.6 to 12 times in this situation,” he said.
“However, SLP allows an unauthenticated user to register arbitrary new services, meaning an attacker can manipulate both the content and size of the server’s response, resulting in a maximum amplification factor of over 2200X due to the approximately 65,000 byte response given to the 29 byte request.”
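The following is an added example, not code from the article or from BitSight, showing how a defender can apply the amplification-factor definition above to flow records: it flags destinations receiving SLP (port 427) responses whose average packet size implies a factor beyond a normal 48 to 350 byte reply. The flow record format and the sample records are constructed for this example.

```python
# Added example (not from the article): flag SLP reflection traffic in
# flow records. The record format is a constructed one for this example:
#   "<proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <bytes> <packets>"
from collections import defaultdict

SLP_PORT = 427             # SLP listens on UDP and TCP 427
REQUEST_BYTES = 29         # request size assumed by the researchers
NORMAL_MAX_RESPONSE = 350  # upper end of a normal SLP response per the article


def amplification_factor(response_bytes, request_bytes=REQUEST_BYTES):
    """Ratio of response size to request size (the article's definition)."""
    return response_bytes / request_bytes


def parse_flow(line):
    """Parse one constructed flow record into a dict."""
    proto, src, _, dst, nbytes, npkts = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"proto": proto, "src_ip": src_ip, "src_port": int(src_port),
            "dst_ip": dst_ip, "dst_port": int(dst_port),
            "bytes": int(nbytes), "packets": int(npkts)}


def find_slp_reflection(lines, max_normal_factor=NORMAL_MAX_RESPONSE / REQUEST_BYTES):
    """Return {victim_ip: {"factor": f, "reflectors": [...]}} for destinations
    whose average SLP response packet exceeds a normal reply's amplification."""
    totals = defaultdict(lambda: {"bytes": 0, "packets": 0, "reflectors": set()})
    for line in lines:
        f = parse_flow(line)
        # Responses leave the SLP service port; the destination is whatever
        # address was in the (possibly spoofed) source of the request.
        if f["src_port"] != SLP_PORT:
            continue
        t = totals[f["dst_ip"]]
        t["bytes"] += f["bytes"]
        t["packets"] += f["packets"]
        t["reflectors"].add(f["src_ip"])
    hits = {}
    for victim, t in totals.items():
        factor = amplification_factor(t["bytes"] / t["packets"])
        if factor > max_normal_factor:
            hits[victim] = {"factor": factor, "reflectors": sorted(t["reflectors"])}
    return hits


SAMPLE_FLOWS = [  # constructed sample records
    "UDP 10.0.0.5:427 -> 203.0.113.7:53000 65000 1",   # oversized SLP response
    "UDP 10.0.0.5:427 -> 203.0.113.7:53000 64800 1",
    "UDP 10.0.0.5:427 -> 198.51.100.20:40000 300 1",   # normal-sized response
    "UDP 192.0.2.9:4000 -> 10.0.0.5:427 29 1",         # request, not a response
    "TCP 10.0.0.8:22 -> 198.51.100.20:5555 1200 10",   # unrelated traffic
]

if __name__ == "__main__":
    print(find_slp_reflection(SAMPLE_FLOWS))
```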
Recent reports have surfaced of a new critical vulnerability in the Service Location Protocol (SLP), a network protocol used to manage network service parameters and settings. This vulnerability, if exploited, could allow nation-state actors or any malicious user with access to the network to launch massive distributed denial-of-service (DDoS) attacks.
Organizations that use SLP should take prompt action to evaluate and update their existing networks as soon as possible. “The risk posed by this vulnerability is severe,” said Eric Johnson, CTO of Ikaroa, a full-stack tech company. “A successful attack could cause extensive harm to network infrastructure, operations and resources.”
When exploited, the SLP vulnerability can lead to an unprecedented number of DDoS attacks, as the malicious user gains control of the settings of the entire network. The user can then launch multiple service requests to one or more targeted networks, leading to significant network latency and strain on computing resources.
The consequences are potentially devastating for any organization. Not only could DDoS attacks cause costly downtime, they may also increase the risk of an attacker breaching the network and subsequently stealing sensitive information.
The good news is that there are ways to mitigate this vulnerability. Organizations should review and revise their networks, install advanced malware protection, and deploy systems to detect SLP traffic in order to protect their networks.
If your team is in need of assistance, Ikaroa’s team of security experts can provide the necessary support. We offer a comprehensive range of risk management services and advanced monitoring solutions to ensure your protection against cyber threats. We can also help develop security policies and procedures to reduce the likelihood of an attack.
Please contact us for more information about how we can help protect your network against malicious threats like the SLP vulnerability.