New SLP Vulnerability Could Let Attackers Launch 2200x Powerful DDoS Attacks
Cyber Threat Summary:
Bitsight and Curesec researchers Pedro Umbelino and Marco Lux recently uncovered a high-severity vulnerability impacting Service Location Protocol, a service discovery protocol that allows devices to find services in a local area network such as printers, file servers, and other network resources. The vulnerability in question is being tracked as CVE-2023-29552 (CVSS score: 8.6) and could be exploited to launch large scale denial-of-service (DoS) amplification attacks with a factor of 2,200 times, making it one of the largest amplification attacks to date.
“Successful exploitation of CVE-2023-29552 could allow permit an attacker to take advantage of susceptible SLP instances to launch a reflection amplification attack and overwhelm a target server with bogus traffic. To do so, all an attacker needs to do is find an SLP server on UDP port 427 and register ‘services until SLP denies more entries,’ followed by repeatedly spoofing a request to that service with a victim's IP as the source address” (The Hacker News, 2023).
Analyst Comments:
More than 54,000 SLP instances including VMware ESXi Hypervisor, Konica Minolta printers, Planex Routers, IBM Integrated Management Module (IMM), SMC IPMI, and others are currently accessible over the internet and susceptible to attacks. Furthermore, researchers identified over 2,000 organizations running these vulnerable instances, many of which are Fortune 1000 companies spanning the finance, insurance, technology, telecommunications, manufacturing, healthcare, hospitality, and transportation sectors.
According to Cloudflare, the web security company expects SLP-based DDoS attacks to rise significantly in the coming weeks as threat actors will test out the new amplification vector.
Corrections or Suggestions:
Many of the visible SLP instances seem to be older or likely abandoned systems. To defend against attacks exploiting CVE-2023-29552, organizations should ensure that SLP is disabled on all systems running on untrusted networks. If disabling SLP is not feasible, then researchers recommend configuring firewalls to filter traffic on UPD and TCP port 427 as this will prevent external attackers from accessing the SLP service.
“CVE-2023-29552 is a threat that can potentially impact business continuity and result in financial loss, even if an attacker has limited resources. Organizations must implement appropriate security measures to safeguard their networks and servers from being used in such attacks. One effective way to protect against SLP vulnerabilities is by implementing robust network security controls such as firewalls. It is equally important to enforce strong authentication and access controls, allowing only authorized users to access the correct network resources, with access being closely monitored and audited. Organizations should also have an incident response plan in place that clearly outlines procedures for mitigating SLP vulnerabilities, as well as procedures for communicating with users and stakeholders in case of an incident. Implementing strong security measures and access controls can reduce the risk of falling victim or unwillingly participating in these types of attacks, while incident response plans can mitigate the effects of such an attack” (Bitsight, 2023).
Link:
https://thehackernews.com/2023/04/new-slp-vulnerability-could-let.html
https://www.bitsight.com