Critical SLP Vulnerability Exposes Thousands of Organizations to Potentially Devastating DDoS Amplification

A newly discovered critical security vulnerability in the Service Location Protocol (SLP) could enable attackers to execute highly potent distributed denial-of-service (DDoS) attacks. The vulnerability, designated as CVE-2023-29552, has a severity rating of 8.6 and affects over 2,000 organizations worldwide, with more than 54,000 vulnerable SLP instances exposed on the internet.

Researchers Pedro Umbelino and Marco Lux from Bitsight and Curesec have revealed that attackers could exploit this vulnerability to launch DDoS amplification attacks with an amplification factor of up to 2200 times. This could potentially result in one of the largest amplification attacks ever recorded.

SLP is a protocol used for discovering services on local area networks, such as printers and file servers. The vulnerability impacts a wide range of products, including VMware ESXi Hypervisor, Konica Minolta printers, Planex Routers, IBM Integrated Management Module (IMM), SMC IPMI, and 665 other product types. The countries with the highest number of vulnerable organizations include the U.S., the U.K., Japan, Germany, Canada, France, Italy, Brazil, the Netherlands, and Spain.

Exploiting CVE-2023-29552 allows attackers to use vulnerable SLP instances to launch reflection amplification attacks, inundating target servers with fake traffic. To execute the attack, an attacker needs to locate an SLP server on UDP port 427, register services until the server denies further entries, and then repeatedly send spoofed requests to the service using the victim's IP as the source address. This can lead to large-scale denial-of-service attacks.

To protect against this threat, users are advised to disable SLP on systems connected to the internet or filter traffic on UDP and TCP port 427. Strong authentication and access controls should also be implemented to restrict access to network resources. Cloudflare, a web security company, has issued an advisory warning that SLP-based DDoS attacks are likely to increase significantly in the coming weeks as threat actors explore this new DDoS amplification vector.
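For defenders who cannot immediately disable SLP, the two-stage pattern described above (an external host filling the service table, then large replies streaming toward a spoofed source) is visible in traffic on UDP/427. The following is an added example, not code from Bitsight, Curesec or Cloudflare: it decodes the fixed SLPv2 header as laid out in RFC 2608 and flags both signals in a constructed sample capture; the addresses, thresholds and message sizes are assumptions chosen for illustration.

```python
from collections import defaultdict

SLP_V2 = 2
SRVRQST, SRVRPLY, SRVREG = 1, 2, 3      # SLPv2 function IDs (RFC 2608)
REG_FLOOD_THRESHOLD = 50                # SrvReg datagrams from one external host (assumed)
AMPLIFICATION_THRESHOLD = 100.0         # reply bytes / request bytes toward one peer (assumed)

def parse_slp_header(payload: bytes):
    """Decode the fixed SLPv2 header: version, function ID, 3-byte length, XID."""
    if len(payload) < 14 or payload[0] != SLP_V2:
        return None
    return {"function": payload[1],
            "length": int.from_bytes(payload[2:5], "big"),
            "xid": int.from_bytes(payload[10:12], "big")}

def analyze(datagrams, server_ip, local_prefix):
    """datagrams: (src_ip, dst_ip, payload) tuples seen on UDP/427 at the SLP server.

    Signal 1: a host outside local_prefix sending many SrvReg messages (table filling).
    Signal 2: a peer receiving far more SrvRply bytes than the SrvRqst bytes attributed
    to it, i.e. a spoofed source address being used as the reflection target."""
    reg_count, req_bytes, rep_bytes = defaultdict(int), defaultdict(int), defaultdict(int)
    for src, dst, payload in datagrams:
        hdr = parse_slp_header(payload)
        if hdr is None:
            continue
        if dst == server_ip and hdr["function"] == SRVREG and not src.startswith(local_prefix):
            reg_count[src] += 1
        elif dst == server_ip and hdr["function"] == SRVRQST:
            req_bytes[src] += len(payload)
        elif src == server_ip and hdr["function"] == SRVRPLY:
            rep_bytes[dst] += len(payload)
    floods = sorted(ip for ip, n in reg_count.items() if n >= REG_FLOOD_THRESHOLD)
    amplified = {}
    for peer, sent in rep_bytes.items():
        ratio = sent / max(req_bytes.get(peer, 0), 1)     # avoid division by zero
        if ratio >= AMPLIFICATION_THRESHOLD:
            amplified[peer] = round(ratio, 1)
    return {"registration_flood": floods, "amplified_peers": amplified}

def slp_datagram(function, total_len):
    """Constructed SLPv2 message: real header layout, zero-filled body (sample data only)."""
    hdr = (bytes([SLP_V2, function]) + total_len.to_bytes(3, "big")
           + b"\0\0" + b"\0\0\0" + b"\x12\x34" + b"\0\x02en")   # flags, ext offset, XID, lang tag
    return hdr + b"\0" * (total_len - len(hdr))

# Constructed capture; addresses come from documentation ranges, not real hosts.
SERVER, VICTIM, ATTACKER = "192.0.2.10", "203.0.113.5", "198.51.100.7"
SAMPLE = ([(ATTACKER, SERVER, slp_datagram(SRVREG, 120))] * 60        # table-filling registrations
          + [(VICTIM, SERVER, slp_datagram(SRVRQST, 29))] * 50        # 29-byte requests "from" victim
          + [(SERVER, VICTIM, slp_datagram(SRVRPLY, 8000))] * 50      # large replies toward victim
          + [("10.0.0.4", SERVER, slp_datagram(SRVRQST, 40)),        # ordinary LAN lookup
             (SERVER, "10.0.0.4", slp_datagram(SRVRPLY, 200))])

def run_sample():
    return analyze(SAMPLE, SERVER, local_prefix="10.")
```

Running `run_sample()` reports the registering host and the reflected peer with its byte ratio, while the ordinary LAN lookup stays below both thresholds.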

This discovery follows the exploitation of a previously patched vulnerability in VMware's SLP implementation by ransomware actors associated with ESXiArgs in widespread attacks earlier this year.

Contact us today at (210) 538-3669 to ensure your networks are protected from these types of vulnerabilities.
