New high-severity vulnerability discovered in the Service Location Protocol

Target Industry

Targeting is indiscriminate and opportunistic. The countries with the most vulnerable instances are the United States, United Kingdom, Japan, Germany, Canada, France, Italy, Brazil, the Netherlands, and Spain. These instances are operated by, among others, multiple Fortune 1000 firms in technology, insurance, finance, hospitality and transportation.

Overview

A remote, unauthenticated attacker can register arbitrary services with a server speaking the Service Location Protocol (SLP; RFC 2608). As a result, the attacker may be able to launch a reflective denial-of-service attack with a large amplification factor using spoofed UDP packets.

Because the bug lets unauthenticated attackers register arbitrary services on the SLP server, they can alter the content and size of the reply, making amplification factors of up to 2,200x possible. Researchers at BitSight and Curesec identified the vulnerability as CVE-2023-29552, and they report that around 2,000 companies are using equipment that exposes about 54,000 exploitable SLP instances which could be used in distributed denial-of-service (DDoS) amplification attacks.

Impact

Over 2,000 organisations were identified as having vulnerable instances. Attackers could potentially leverage these vulnerable instances to launch a DoS attack targeting the system owners and/or other organisations. Many Fortune 1000 organisations were identified as having vulnerable instances.

Affected Products

Products including the IBM Integrated Management Module (IMM), SMC IPMI, Konica Minolta printers, Planex routers, VMware ESXi Hypervisor, and 665 other product types are among those that are impacted.

Containment, Mitigations & Remediations

To protect against CVE-2023-29552, SLP should be disabled on all systems running on untrusted networks, such as those directly connected to the internet. Where that is not possible, firewalls should be configured to filter traffic on UDP and TCP port 427, which prevents external attackers from reaching the SLP service.
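As an added detection example (not part of this bulletin or of the referenced vendor material), the following Python script scans flow records for the two conditions the mitigation above is meant to remove: SLP on port 427 reachable from outside a trusted range, and UDP replies far larger than the request, which is the reflection pattern described in the overview. The record format, the trusted address ranges and the 10x ratio threshold are assumptions, and the sample flows are constructed.

```python
"""Flag SLP (port 427) flows matching the CVE-2023-29552 reflection pattern.
Flow records and their field layout are constructed for this example."""
from ipaddress import ip_address, ip_network

SLP_PORT = 427
# Reply/request byte ratio treated as amplification (assumed threshold;
# ordinary SLP exchanges are small, the bulletin cites up to 2,200x).
AMPLIFICATION_RATIO = 10.0
# Ranges treated as trusted/internal (an assumption for this example).
TRUSTED_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_flow(line):
    """Constructed record format: 'src dst proto dport req_bytes resp_bytes'
    where src is the initiator and dst the responder (the SLP host)."""
    src, dst, proto, dport, req, resp = line.split()
    return {"src": src, "dst": dst, "proto": proto.lower(), "dport": int(dport),
            "req_bytes": int(req), "resp_bytes": int(resp)}

def reply_ratio(flow):
    """Bytes sent back by the responder per byte received from the initiator."""
    return flow["resp_bytes"] / flow["req_bytes"] if flow["req_bytes"] else 0.0

def classify(flow):
    """Return a finding label for a port-427 flow, or None if uninteresting."""
    if flow["dport"] != SLP_PORT:
        return None
    if any(ip_address(flow["src"]) in net for net in TRUSTED_NETS):
        return None                 # internal use of SLP is expected
    if flow["proto"] == "udp" and reply_ratio(flow) >= AMPLIFICATION_RATIO:
        return "slp-amplification"  # oversized UDP reply to an outside source
    return "slp-exposed"            # SLP reachable from outside at all

def scan(lines):
    """Return (slp_host, remote_src, label, rounded_ratio) for each flagged flow."""
    findings = []
    for line in filter(str.strip, lines):
        flow = parse_flow(line)
        label = classify(flow)
        if label:
            findings.append((flow["dst"], flow["src"], label, round(reply_ratio(flow))))
    return findings

# Constructed sample records; 198.51.100.20 plays the exposed SLP host.
SAMPLE_FLOWS = """
203.0.113.7 198.51.100.20 udp 427 29 63800
10.0.0.5 198.51.100.20 udp 427 29 120
203.0.113.8 198.51.100.20 tcp 427 80 400
203.0.113.9 198.51.100.20 udp 53 40 80
"""
```

Running `scan(SAMPLE_FLOWS.splitlines())` flags the first record as amplification (a 2,200x reply) and the TCP record as mere exposure, while the internal query and the unrelated port 53 flow are ignored.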

Indicators of Compromise

No specific Indicators of Compromise (IoCs) are available currently.

Threat Group

No threat groups have currently been reported to exploit CVE-2023-29552.

Mitre Methodologies

T1498 – Network Denial of Service

Further Information

New high-severity vulnerability (CVE-2023-29552) discovered in the Service Location Protocol (SLP) | Bitsight

VMware Response to CVE-2023-29552 – Reflective Denial-of-Service (DoS) Amplification Vulnerability in SLP – VMware Security Blog – VMware

Abuse of the Service Location Protocol May Lead to DoS Attacks | CISA (Cyber Security and Infrastructure Security Agency)
