New SLP flaw allows attackers to launch massive 2,200x DoS amplification attacks

A high-severity vulnerability in the Service Location Protocol (SLP), a legacy service discovery protocol, can be abused for reflective DoS amplification attacks with a maximum amplification factor of over 2,200x, security researchers from cyber risk firm Bitsight and IT security company Curesec have warned.

First introduced in 1997, the Service Location Protocol (SLP) is a service discovery protocol that lets systems locate services such as printers and file shares on a local area network (LAN) without manual configuration. SLP was originally designed for small networks and was later extended to support large enterprise deployments.

Tracked as CVE-2023-29552, the vulnerability allows a remote attacker to send small requests over UDP port 427 to an exposed SLP server with the source IP address spoofed to that of the victim, so that the server's much larger replies are reflected to the victim in a DoS amplification attack.

“Reflection coupled with service registration significantly amplifies the amount of traffic sent to the victim. The typical reply packet size from an SLP server is between 48 and 350 bytes. Assuming a 29 byte request, the amplification factor — or the ratio of reply to request magnitudes — is roughly between 1.6X and 12X in this situation. However, SLP allows an unauthenticated user to register arbitrary new services, meaning an attacker can manipulate both the content and the size of the server reply, resulting in a maximum amplification factor of over 2200X due to the roughly 65,000 byte response given a 29 byte request. This extremely high amplification factor allows for an under-resourced threat actor to have a significant impact on a targeted network and/or server via a reflective DoS amplification attack,” the researchers explained in the report.
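To make the ratio the researchers describe concrete, the following script (an added example for this page, not the researchers' tooling) builds an SLPv2 Service Request and an unauthenticated Service Registration on the RFC 2608 wire format, parses a Service Reply, and reports reply bytes per request byte. The reply packets are constructed locally so the script runs offline; the `probe()` helper that sends a real request over UDP/427 is included only for checking a host you administer. Packet sizes depend on the service type and scope strings chosen here, so the ratios it prints are illustrative rather than the researchers' measured 29-byte baseline.

```python
"""Minimal SLPv2 (RFC 2608) builder/parser for measuring SLP reflection ratios.

Added example for this article; not the researchers' or any vendor's code.
Wire format follows RFC 2608 sections 4.3, 7 and 8. Sample replies below are
constructed locally so that the script runs without network access.
"""
import socket
import struct

SLP_PORT = 427                    # SLP listens on UDP and TCP 427
SLP_VERSION = 2
SRVRQST, SRVRPLY, SRVREG = 1, 2, 3   # Function-IDs, RFC 2608 section 7
FLAG_FRESH = 0x4000               # set on a new (non-refresh) SrvReg


def _string(s: str) -> bytes:
    """2-byte length prefix followed by the UTF-8 string (SLPv2 convention)."""
    b = s.encode()
    return struct.pack("!H", len(b)) + b


def _header(function_id: int, body: bytes, xid: int, flags: int = 0,
            lang: str = "en") -> bytes:
    """SLPv2 header: version, function-id, 3-byte length, flags,
    3-byte next-extension offset, XID, language tag, then the body."""
    length = 14 + len(lang.encode()) + len(body)   # 14 = fixed header fields
    return (struct.pack("!BB", SLP_VERSION, function_id)
            + length.to_bytes(3, "big")
            + struct.pack("!H", flags)
            + (0).to_bytes(3, "big")               # no extensions
            + struct.pack("!H", xid)
            + _string(lang)
            + body)


def build_srv_rqst(service_type: str = "service:service-agent",
                   scope: str = "default", xid: int = 1) -> bytes:
    """SrvRqst (8.1): PRList, service-type, scope-list, predicate, SLP SPI."""
    body = (_string("") + _string(service_type) + _string(scope)
            + _string("") + _string(""))
    return _header(SRVRQST, body, xid)


def build_url_entry(url: str, lifetime: int = 65535) -> bytes:
    """URL Entry (4.3): reserved, lifetime, URL length, URL, # of auth blocks."""
    url_b = url.encode()
    return struct.pack("!BHH", 0, lifetime, len(url_b)) + url_b + b"\x00"


def build_srv_reg(url: str, service_type: str, scope: str = "default",
                  attrs: str = "", xid: int = 2) -> bytes:
    """SrvReg (8.3): URL entry, service-type, scope-list, attr-list, # attr auths.
    This unauthenticated message is what lets an attacker pad later replies."""
    body = (build_url_entry(url) + _string(service_type) + _string(scope)
            + _string(attrs) + b"\x00")
    return _header(SRVREG, body, xid, flags=FLAG_FRESH)


def build_srv_rply(urls, xid: int = 1) -> bytes:
    """SrvRply (8.2): error code, URL entry count, URL entries.
    Used here only to construct sample replies offline."""
    body = struct.pack("!HH", 0, len(urls)) + b"".join(map(build_url_entry, urls))
    return _header(SRVRPLY, body, xid)


def parse_srv_rply(pkt: bytes):
    """Return (error_code, [urls]) from a SrvRply after validating the header."""
    if len(pkt) < 14 or pkt[0] != SLP_VERSION or pkt[1] != SRVRPLY:
        raise ValueError("not an SLPv2 SrvRply")
    if int.from_bytes(pkt[2:5], "big") != len(pkt):
        raise ValueError("length field does not match packet size")
    off = 14 + struct.unpack("!H", pkt[12:14])[0]      # skip language tag
    error_code, count = struct.unpack("!HH", pkt[off:off + 4])
    off += 4
    urls = []
    for _ in range(count):
        _, _lifetime, url_len = struct.unpack("!BHH", pkt[off:off + 5])
        off += 5
        urls.append(pkt[off:off + url_len].decode())
        off += url_len
        if pkt[off]:                                    # auth block count
            raise ValueError("authentication blocks not handled here")
        off += 1
    return error_code, urls


def amplification(request: bytes, reply: bytes) -> float:
    """Bytes reflected to the spoofed source per byte the attacker sends."""
    return len(reply) / len(request)


def probe(host: str, timeout: float = 2.0) -> float:
    """Send one SrvRqst to a host you administer and return its reply ratio."""
    req = build_srv_rqst()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (host, SLP_PORT))
        reply, _ = s.recvfrom(65535)
    return amplification(req, reply)


if __name__ == "__main__":
    req = build_srv_rqst()
    # Constructed replies: an ordinary responder vs. one padded by an attacker.
    baseline = build_srv_rply(["service:service-agent://10.0.0.5"])
    padded = build_srv_rply(["service:x://" + "A" * 60000])
    print("request bytes:", len(req))
    print("baseline ratio: %.1fx" % amplification(req, baseline))
    print("padded   ratio: %.1fx" % amplification(req, padded))
```

The padded reply is what registration enables: the attacker first sends a SrvReg with a near-maximum URL, then every spoofed SrvRqst for that service type draws the whole entry back out to the victim. `probe()` against your own ESXi host or printer before and after disabling SLP is a quick way to confirm the fix took.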

Although SLP was never intended to be exposed to the public Internet, the researchers found more than 54,000 SLP instances reachable online, running on products including VMware ESXi hypervisors, Konica Minolta printers, Planex routers, IBM Integrated Management Module (IMM), SMC IPMI, and others.

In its response to the vulnerability disclosure, VMware said that currently supported versions of its ESXi product are not affected. However, older versions that have reached end of general support, such as 6.7 and 6.5, are affected by CVE-2023-29552.

The US Cybersecurity and Infrastructure Security Agency (CISA) has also released an alert about the SLP flaw, recommending that administrators disable SLP on systems that do not need it and otherwise restrict network access to SLP servers (UDP and TCP port 427) to trusted networks.