New SLP Bug Enables Massive 2,200x DDoS Amplification Attacks

April 25, 2023

A new vulnerability in the Service Location Protocol (SLP) allows threat actors to launch massive denial-of-service attacks with an amplification factor of 2,200 times. This flaw, known as CVE-2023-29552, was discovered by researchers at BitSight and Curesec, who report that over 2,000 organizations are using devices that expose approximately 54,000 exploitable SLP instances for use in DDoS amplification attacks. Among the vulnerable services are VMWare ESXi Hypervisors, Konica Minolta printers, IBM Integrated Management Modules, and Planex Routers deployed by organizations worldwide. The majority of vulnerable instances are located in the United States, Great Britain, Japan, Germany, Canada, France, Italy, Brazil, the Netherlands, and Spain, and are owned by several Fortune 1000 companies in industries such as technology, telecommunications, healthcare, insurance, finance, hospitality, and transportation.

The Service Location Protocol (SLP) is an old internet protocol developed in 1997 for use in local area networks (LAN), allowing easy connection and communication among devices using a system of service availability through UDP and TCP on port 427. While its intended use was never to be exposed on the public internet, organizations have exposed SLP on tens of thousands of devices over the years. "Service Location provides a dynamic configuration mechanism for applications in local area networks. It is not a global resolution system for the entire Internet; rather, it is intended to serve enterprise networks with shared services," reads the protocol's description.

According to BitSight, all these instances are vulnerable to CVE-2023-29552 (CVSS score: 8.6), which attackers can exploit to launch reflective DoS amplification attacks on targets. More specifically, the flaw allows unauthenticated attackers to register arbitrary services on the SLP server, manipulating the content and size of its reply to achieve a maximum amplification factor of 2,200x. These exposed servers could enable threat actors to conduct massive DDoS attacks on companies, government entities, and critical services, rendering them unreachable or no longer functioning as expected. Due to the critical nature of this flaw, the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Agency (CISA) has conducted extensive outreach to inform potentially impacted vendors of the vulnerability.

DoS amplification attacks involve sending a request with the source IP address of the attack target to a vulnerable device, allowing the size of data to amplify within the abused service up to the maximum point, and then releasing the reply to the victim. Typically, the size of a reply packet from an SLP server is between 48 and 350 bytes, so without manipulation, the amplification factor can reach up to 12x. However, by exploiting CVE-2023-29552, it's possible to increase the server's UDP response size by registering new services until the response buffer is full. By doing this, attackers can achieve a maximum amplification factor of 2,200x, transforming a tiny 29-byte request into a massive 65,000-byte response directed at the target. "This extremely high amplification factor allows for an under-resourced threat actor to have a significant impact on a targeted network and/or server via a reflective DoS amplification attack," warns the BitSight report.

In a real attack scenario, a threat actor would leverage multiple SLP instances to launch such an attack, coordinating their responses and overwhelming their targets with massive traffic. To protect your organization's assets from potential abuse, SLP should be disabled on systems exposed to the Internet or untrusted networks. If this is not possible, it is recommended to configure a firewall that filters traffic on UDP and TCP port 427, which is the main entry for the malicious request that exploit SLP services. VMWare has also published a bulletin on the matter, clarifying that the issue only impacts older ESXi releases that are no longer supported and advising admins to avoid exposing them to untrusted networks.

Latest News

• PaperCut Flaw Exploited to Hijack Servers: Patch Urged
• Critical Vulnerability in Inea ICS Product Exposes Industrial Firms to Remote Attacks
• Cisco Patches Critical Vulnerabilities in Industrial Network Director and Modeling Labs Solutions
• VMware Addresses Critical Security Flaws in Logging Product
• PaperCut Alerts Users of Exploited Vulnerability in Print Management Systems