TLP: CLEAR
Recipients can spread this to the world, there is no limit on disclosure. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be shared without restriction.
https://www.first.org/tlp/
Summary: Researchers from Bitsight and Curesec (weblink below) have discovered a way to abuse SLP, identified as CVE-2023-29552, to conduct high amplification factor DoS attacks using spoofed source addresses. The Service Location Protocol (SLP, RFC 2608) allows an unauthenticated remote attacker to register arbitrary services. This could allow an attacker to use spoofed UDP traffic to conduct a denial-of-service (DoS) attack with a significant amplification factor.
As noted by Bitsight, many SLP services visible on the internet appear to be older and likely abandoned systems. Administrators should consider disabling or restricting network access to SLP servers. Some organizations such as VMware have evaluated CVE-2023-29552 and have provided a response, see VMware Response to CVE-2023-29552 – reflective Denial-of-Service (DoS) amplification vulnerability in SLP for more information (weblink below).
CISA urges organizations to review Bitsight’s blog post for more details and see CISA’s article on Understanding and Responding to Distributed Denial-of-Service Attacks for guidance on reducing the likelihood and impact of DoS attacks.
Bitsight Blog: hxxps://www.bitsight[.]com/blog/new-high-severity-vulnerability-cve-2023-29552-discovered-service-location-protocol-slp
VMWare Security Blog: hxxps://blogs.vmware[.]com/security/2023/04/vmware-response-to-cve-2023-29552-reflective-denial-of-service-dos-amplification-vulnerability-in-slp.html
CISA Article: hxxps://www.cisa[.]gov/sites/default/files/publications/understanding-and-responding-to-ddos-attacks_508c.pdf
NYSIC CAU Analyst Note: Service Location Protocol is an outdated internet protocol for applications in local area networks, which allows network systems to communicate with each other. According to researchers, the protocol was never intended to be used for the “public” internet, but nonetheless they found 54,000 instances of SLP connections to the internet. The vulnerability potentially allows attackers to conduct what are known as reflective DoS amplification attacks, in which the threat actor sends requests to a server using a spoofed IP address that corresponds to the victim’s IP address.
In amplification attacks using the new vulnerability, referred to as CVE-2023-29552, an attacker can manipulate both the content and the size of the server reply, resulting in a maximum amplification factor of over 2200X. That amplification factor makes it hypothetically one of the largest amplification attacks ever reported. By comparison, the average amplification factor of a DNS protocol attack is between 28X and 54X, according to CISA. Among potentially affected products were VMware ESXi Hypervisor, Konica Minolta printers, Planex Routers, IBM Integrated Management Module and Supermicro IPMI.
This information has been disseminated to:
NYSIC CAU Contacts – OCT-CIP
NYSIC CAU Contacts – ITS EISO
NYSIC CAU Contacts – Cyber Partners Working Group (CPWG)
NYSIC CAU Contacts – Critical Infrastructure: All
NYSIC CAU Contacts – SLTT
NYSIC CAU Contacts – County Information Contacts
For more information, please contact the NYSIC Cyber Analysis Unit at (518) 786-2191 or CAU@nysic.ny.gov.
TLP: CLEAR
Recipients can spread this to the world, there is no limit on disclosure. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be shared without restriction.
https://www.first.org/tlp/