SLP Protocol Vulnerability

The Service Location Protocol (SLP) has been found to have a new reflective Denial-of-Service (DoS) amplification vulnerability. 

Threat actors can exploit this vulnerability to execute extensive DDoS attacks with a staggering amplification of 2,200X.

Researchers at BitSight and Curesec have tracked the vulnerability as “CVE-2023-29552,” which has exposed around 54,000 exploitable instances of the SLP used by over 2,000 organizations.

Threat actors can leverage these instances to conduct DDoS amplification attacks. Organizations worldwide have unknowingly deployed vulnerable devices.

Vulnerable SLP Instances

The countries with the most vulnerable instances are:

  • The United States
  • Great Britain
  • Japan
  • Germany
  • Canada
  • France
  • Italy
  • Brazil
  • The Netherlands
  • Spain

Notably, several Fortune 1000 companies or organizations in the following sectors are using these vulnerable instances:

  • Technology
  • Telecommunications
  • Healthcare
  • Insurance
  • Finance
  • Hospitality
  • Transportation

Technical Analysis

SLP, an old internet protocol introduced in 1997, mainly facilitates communication and connection between devices on a LAN.

It does so through a service availability system that operates on port 427 using UDP and TCP. According to the report, over the years organizations have exposed SLP on tens of thousands of devices that were never designed to be exposed on the public internet.

With a CVSS score of 8.6, CVE-2023-29552 is a vulnerability that affects all exploitable instances.

Threat actors can exploit all these vulnerable instances to conduct reflective DoS amplification attacks against targeted entities.

On successful exploitation of the vulnerability, unauthenticated attackers can manipulate the SLP server by registering arbitrary services.

This enables them to modify the content and size of the server’s response and achieve a massive DoS amplification attack.

Moreover, CISA has reached out to notify vulnerable vendors about the severity of the flaw. DoS attacks cost SMBs an average of $120,000, and larger businesses face even more significant financial losses due to higher disruption expenses.

Typical and Reflective DoS Amplification Attack

The key steps involved in a typical reflective DoS amplification attack are:

  • Step 1: The attacker finds an SLP server on UDP port 427.
  • Step 2: The attacker spoofs a request to that service with the victim’s IP as the origin.
  • Step 3: The attacker repeats step two as long as the attack is ongoing.

The steps involved in a reflective DoS amplification attack leveraging CVE-2023-29552 are:

  • Step 1: The attacker finds an SLP server on UDP port 427.
  • Step 2: The attacker registers services until SLP denies more entries.
  • Step 3: The attacker spoofs a request to that service with the victim’s IP as the origin.
  • Step 4: The attacker repeats step three as long as the attack is ongoing.

In an actual attack, threat actors could coordinate multiple SLP instances to flood their targets with huge volumes of traffic.

Recommendation

The following recommendations should be followed to protect your organization's assets from potential exploitation:

  • Disable SLP on systems that are exposed.
  • Properly configure a firewall to filter traffic on UDP and TCP port 427.
  • Have an incident response plan in place.
  • Ensure that robust security measures and access controls are implemented.
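
To check whether any of your hosts answer SLP requests from outside and how strongly they amplify, flow records can be audited as in the following added example, which is not code from the original article or from the researchers it cites. The record layout, the 10.0.0.0/8 internal range, the ratio threshold and every address are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

SLP_PORT = 427  # SLP service port named in the article (UDP and TCP)

# Constructed flow records: src_ip,src_port,dst_ip,dst_port,proto,bytes
SAMPLE_FLOWS = """\
198.51.100.7,40112,10.0.5.20,427,udp,29
10.0.5.20,427,198.51.100.7,40112,udp,48000
198.51.100.7,40113,10.0.5.20,427,udp,29
10.0.5.20,427,198.51.100.7,40113,udp,52000
203.0.113.9,51500,10.0.5.31,427,udp,60
10.0.5.31,427,203.0.113.9,51500,udp,110
10.0.5.40,50222,10.0.5.31,427,udp,60
10.0.5.31,427,10.0.5.40,50222,udp,110
192.0.2.44,33000,10.0.5.50,443,tcp,900
"""

def audit_slp_flows(text, internal_cidr="10.0.0.0/8", min_ratio=10.0):
    """Return {host: {"in", "out", "ratio", "amplifying"}} for every internal
    host that exchanges port-427 traffic with addresses outside internal_cidr."""
    net = ipaddress.ip_network(internal_cidr)
    stats = defaultdict(lambda: {"in": 0, "out": 0})
    for line in text.splitlines():
        if not line.strip():
            continue
        src, sport, dst, dport, _proto, nbytes = line.split(",")
        src_in = ipaddress.ip_address(src) in net
        dst_in = ipaddress.ip_address(dst) in net
        # Request from outside reaching an internal SLP listener: exposure.
        if int(dport) == SLP_PORT and dst_in and not src_in:
            stats[dst]["in"] += int(nbytes)
        # Reply leaving an internal SLP listener toward an outside address.
        elif int(sport) == SLP_PORT and src_in and not dst_in:
            stats[src]["out"] += int(nbytes)
    report = {}
    for host, s in stats.items():
        # Bytes sent per byte received; a large value means the host amplifies.
        ratio = s["out"] / s["in"] if s["in"] else float("inf")
        report[host] = {**s, "ratio": round(ratio, 1), "amplifying": ratio >= min_ratio}
    return report

if __name__ == "__main__":
    for host, row in audit_slp_flows(SAMPLE_FLOWS).items():
        print(host, row)
```

Any host that appears in the report at all is reachable on port 427 from outside the internal range, which is the condition the firewall recommendation above is meant to remove.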


BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.