The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding the active exploitation of a Service Location Protocol (SLP) vulnerability by threat actors. This vulnerability, identified as CVE-2023-29552, permits denial-of-service (DoS) attacks with a high amplification factor.
Originally disclosed in April, the flaw was brought to light by security researchers at Bitsight and Curesec. They warned that the vulnerability allows unauthenticated, remote attackers to register arbitrary services and use spoofed UDP traffic to significantly increase the severity of DoS attacks.
The researchers cautioned that the security flaw enables attackers to merge typical reflective DoS amplification with service registration, leading to an amplification factor that could reach 2,000.
Bitsight and Curesec also pointed out that thousands of organizations were using SLP, a legacy internet protocol designed for local network discovery but not intended for exposure to the public web. They identified roughly 34,000 systems susceptible to exploitation via SLP, many of which are likely outdated systems, leaving their owners vulnerable to attacks.
Several vendors, including VMware and NetApp, have acknowledged the impact of this bug. They have urged administrators to either disable the SLP protocol or ensure that their instances are not accessible via the internet.
Administrators are also advised to set firewall rules to filter traffic on UDP and TCP port 427 to prevent exploitation.
Since April, proof-of-concept (PoC) code targeting CVE-2023-29552 for DoS amplification has been available. However, CISA's warning seems to be the first report of the flaw being actively exploited.
The agency added CVE-2023-29552 to its Known Exploited Vulnerabilities Catalog on Wednesday, urging administrators to apply the available mitigations. According to Binding Operational Directive (BOD) 22-01, federal agencies have 21 days to identify vulnerable systems within their environments and take necessary measures to secure them.