A high-severity vulnerability in the internet’s legacy Service Location Protocol (SLP) could let attackers spoof User Datagram Protocol (UDP) traffic to conduct significantly amplified denial-of-service (DoS) attacks.
In joint research posted April 25 by Bitsight and Curesec, the researchers said exploiting the vulnerability, tracked as CVE-2023-29552, could produce an amplification factor of up to 2,200, potentially making it one of the largest amplification vectors on record.
The researchers said that in a typical reflective amplification attack, the attacker sends small requests to a server with a spoofed source IP address belonging to the victim. The server then replies to the victim's address with responses much larger than the requests, flooding the victim's system with traffic it never asked for.
“The attacker is simply tricking systems on the internet — not necessarily owned by the target — to send mass amounts of traffic to the target,” the researchers said.
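The request/reply asymmetry described above can be measured directly. The following is an added example, not code from the Bitsight/Curesec research or the article: it builds a minimal SLPv2 Service Request with the header and body layout of RFC 2608, parses the header of a reply so that unrelated UDP traffic is not mistaken for SLP, and computes the bytes-out per byte-in ratio. The reply it works on is constructed, not captured from any real device; the `probe()` helper, which sends one request to a host you are authorised to test, is an assumption of how such a check would be wired up and is only run when a host is given on the command line.

```python
"""Added example, not from the Bitsight/Curesec research or the article:
build a minimal SLPv2 Service Request (header and SrvRqst body as laid out
in RFC 2608), parse the header of a reply, and compute the bytes-out per
byte-in amplification ratio. The reply below is constructed, not captured
from any real device."""
import socket
import struct

SLP_PORT = 427
SLPV2 = 2
FUNC_SRVRQST = 1   # Service Request
FUNC_SRVRPLY = 2   # Service Reply


def _lstr(s: str) -> bytes:
    """SLP string field: 2-byte big-endian length followed by the UTF-8 bytes."""
    b = s.encode()
    return struct.pack("!H", len(b)) + b


def _header(function_id: int, body_len: int, xid: int, lang: bytes = b"en") -> bytes:
    """RFC 2608 section 8 header: version, function-id, 24-bit length, flags,
    24-bit next-extension offset, XID, language-tag length, language tag."""
    total = 14 + len(lang) + body_len
    return (struct.pack("!BB", SLPV2, function_id)
            + total.to_bytes(3, "big")
            + struct.pack("!H", 0)            # flags/reserved
            + (0).to_bytes(3, "big")          # no extensions
            + struct.pack("!HH", xid, len(lang))
            + lang)


def build_srvrqst(service_type: str = "service:service-agent",
                  scope: str = "DEFAULT", xid: int = 1) -> bytes:
    """SrvRqst body: PRList, service type, scope list, predicate, SPI."""
    body = _lstr("") + _lstr(service_type) + _lstr(scope) + _lstr("") + _lstr("")
    return _header(FUNC_SRVRQST, len(body), xid) + body


def build_srvrply(urls: list, xid: int = 1) -> bytes:
    """Constructed SrvRply: error code, URL-entry count, then one URL entry
    (reserved byte, lifetime, URL string, zero auth blocks) per URL."""
    entries = b"".join(struct.pack("!BH", 0, 0xFFFF) + _lstr(u) + b"\x00" for u in urls)
    body = struct.pack("!HH", 0, len(urls)) + entries
    return _header(FUNC_SRVRPLY, len(body), xid) + body


def parse_header(pkt: bytes) -> dict:
    """Decode the fixed header; reject anything that is not a well-formed SLPv2
    datagram so a scanner does not treat an unrelated UDP reply as SLP."""
    if len(pkt) < 14:
        raise ValueError("too short for an SLPv2 header")
    version, function_id = pkt[0], pkt[1]
    if version != SLPV2:
        raise ValueError("unexpected SLP version %d" % version)
    length = int.from_bytes(pkt[2:5], "big")
    if length != len(pkt):
        raise ValueError("header length %d != datagram length %d" % (length, len(pkt)))
    xid, lang_len = struct.unpack("!HH", pkt[10:14])
    return {"version": version, "function": function_id, "length": length,
            "xid": xid, "lang": pkt[14:14 + lang_len].decode(errors="replace")}


def amplification_factor(request: bytes, replies: list) -> float:
    """Bytes the reflector sends toward the (spoofed) source per byte it received."""
    return sum(len(r) for r in replies) / len(request)


def probe(host: str, timeout: float = 2.0):
    """Send one SrvRqst to a host you are authorised to test and return the parsed
    reply header, or None on timeout. Not called at import time (assumed helper)."""
    req = build_srvrqst()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (host, SLP_PORT))
        try:
            data, _ = s.recvfrom(65535)
        except socket.timeout:
            return None
    return parse_header(data)


# Constructed reply from a hypothetical host advertising six printer queues.
SAMPLE_URLS = ["service:printer:lpr://printer%d.example.internal/queue" % i for i in range(6)]

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
    else:
        req, rply = build_srvrqst(), build_srvrply(SAMPLE_URLS)
        print(parse_header(rply), "factor %.1f" % amplification_factor(req, [rply]))
```

The 54-byte request is what a reflector sees; everything it sends back is charged to whatever source address the attacker wrote into the packet, which is why the ratio, not the absolute reply size, is the number to watch. A host that answers a request from the public internet at all is the finding; the ratio only tells you how useful it is to an attacker.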
SLP was defined in 1997 in RFC 2165 to give applications on a local area network a way to discover services dynamically. SLP lets systems on a network find each other's services and connect to them. SLP was never intended to be exposed to the public internet; nevertheless, the protocol has been found listening on many internet-facing systems.
In February, the researchers identified more than 2,000 global organizations and some 54,000 SLP instances on the public internet. The exposed instances ran on products including the VMware ESXi hypervisor, Konica Minolta printers, Planex routers and the IBM Integrated Management Module (IMM). Each exposed instance is a potential reflector that attackers could use to direct amplified DoS traffic at targets anywhere in the world.
Given the criticality of the vulnerability and the potential consequences resulting from exploitation, Bitsight coordinated public disclosure efforts with the Cybersecurity and Infrastructure Security Agency (CISA), which released an advisory April 25.
Reflective DoS/DDoS attacks have been around for years and do cause disruption, explained Timothy Morris, chief security advisor at Tanium. What's more, Morris said attackers can use them as decoys to conduct other nefarious activities. SLP was only intended for local area networks (LANs) to advertise resources that are registered for the local network, and not for untrusted networks such as the internet. However, researchers and attackers find vulnerabilities in protocols and applications beyond the bounds of their original intentions, as is the case this time, said Morris.
Morris recommended blocking SLP from untrusted networks such as the internet, filtering TCP and UDP port 427 on firewalls where SLP must run, and updating or patching systems that run vulnerable versions of SLP. He also said organizations should maintain an accurate inventory of hardware and software and deploy network monitoring.
“Defending against this one is pretty straightforward,” said Morris.
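Network monitoring, the last item on that list, is where an abused SLP host actually shows up. The following is an added example, not code from the article, Tanium or any vendor: a check run over constructed flow records that flags hosts answering UDP/427 with far more bytes than they receive, which is the traffic pattern of a reflector being driven by spoofed requests. The CSV field names, the address ranges (RFC 5737 documentation space) and the thresholds are assumptions for illustration; adapt them to whatever your flow exporter produces.

```python
"""Added example, not from the article or any vendor: a small check, run over
constructed flow records, that flags hosts answering UDP/427 with far more bytes
than they receive, the traffic pattern of an SLP reflection attack. Field names
and thresholds are assumptions for illustration."""
import csv
import io
from collections import defaultdict

SLP_PORT = "427"

# Constructed flow records (documentation address ranges, not real traffic):
# 203.0.113.10 is an internet-facing host with SLP enabled, 198.51.100.7 is
# the spoofed "source" that is really the victim, 10.0.0.5 a legitimate client.
SAMPLE_FLOWS = """\
ts,src_ip,src_port,dst_ip,dst_port,proto,bytes,packets
2023-04-25T10:00:00Z,198.51.100.7,40000,203.0.113.10,427,udp,5400,100
2023-04-25T10:00:00Z,203.0.113.10,427,198.51.100.7,40000,udp,1200000,100
2023-04-25T10:00:01Z,10.0.0.5,50000,203.0.113.10,427,udp,540,10
2023-04-25T10:00:01Z,203.0.113.10,427,10.0.0.5,50000,udp,3740,10
2023-04-25T10:00:02Z,10.0.0.5,50001,203.0.113.10,443,tcp,9000,12
"""


def flag_slp_reflection(flow_csv: str, ratio_threshold: float = 10.0,
                        min_out_bytes: int = 100_000) -> list:
    """Return (reflector, peer, ratio, out_bytes) tuples for UDP/427 conversations
    where outbound bytes exceed inbound by ratio_threshold and the outbound
    volume is large enough to matter. Sorted by ratio, highest first."""
    in_bytes = defaultdict(int)
    out_bytes = defaultdict(int)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if row["proto"].lower() != "udp":
            continue
        if row["dst_port"] == SLP_PORT:                     # request toward SLP
            in_bytes[(row["dst_ip"], row["src_ip"])] += int(row["bytes"])
        elif row["src_port"] == SLP_PORT:                   # reply from SLP
            out_bytes[(row["src_ip"], row["dst_ip"])] += int(row["bytes"])
    findings = []
    for (reflector, peer), out in out_bytes.items():
        inbound = in_bytes.get((reflector, peer), 0)
        # A reply stream with no recorded request is the worst case: infinite ratio.
        ratio = out / inbound if inbound else float("inf")
        if out >= min_out_bytes and ratio >= ratio_threshold:
            findings.append((reflector, peer, ratio, out))
    return sorted(findings, key=lambda f: f[2], reverse=True)


if __name__ == "__main__":
    for reflector, peer, ratio, out in flag_slp_reflection(SAMPLE_FLOWS):
        print("%s is reflecting %d bytes (x%.0f) toward %s" % (reflector, out, ratio, peer))
```

The peer in a finding is the victim, not the attacker: the attacker's real address never appears in the flow records, which is why blocking the flagged peer does nothing and why the fix has to happen on the reflector (filter port 427 at the edge, or turn SLP off). The legitimate lookup from 10.0.0.5 has a ratio of about 7 and is correctly ignored at the default thresholds.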
Cybersecurity has long been a "pay to play" scenario, said Dray Agha, senior ThreatOps analyst team lead at Huntress. Agha said that while larger corporations with healthier budgets can dodge the worst impacts of attacks like DDoS with dedicated security personnel and tools to block offending IP addresses or adaptively route traffic on demand at scale, Huntress has found that smaller businesses simply lack the budget to meet a myriad of threats.
“DDoS attacks can cripple a business, undermining the ability for the organization to make money, as well as having a reputational impact,” said Agha. “For smaller organizations wondering how they can best protect themselves, we’d advise them to consider conducting an asset inventory: you can’t protect what you don’t know exists. Then, prioritize patching and review their external network perimeter and reduce the attack surface there, where possible.”