The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding a high-severity vulnerability in the Service Location Protocol (SLP), known as CVE-2023-29552 [2] [3] [4] [5]. CISA has added the flaw to its Known Exploited Vulnerabilities catalog.

Description

The vulnerability in the Service Location Protocol (SLP) allows unauthenticated, remote attackers to register services and use spoofed UDP traffic to conduct a denial-of-service (DoS) attack with a significant amplification factor [3] [4] [5]. The exact details of the exploitation are unknown [3] [4] [5]. Thousands of organizations currently using SLP are vulnerable to these attacks.

Vendors like VMware and NetApp have acknowledged the vulnerability and advised administrators to disable the SLP protocol or ensure that their instances are not accessible via the internet [2]. Firewall rules should also be set to filter traffic on UDP and TCP port 427 to prevent exploitation.

Netography has released a new Netography Detection Model (NDM) called “slpreflection” that can detect floods of traffic originating from the SLP port [1]. Their Network Defense Platform (NDP) is effective in detecting this type of attack.

Organizations are advised to take preventive measures: disable SLP on internet-facing systems, block traffic sourced to or from UDP port 427 [1], and run the latest versions of products that use SLP [1]. CISA urges administrators to apply available mitigations and has included CVE-2023-29552 in its Known Exploited Vulnerabilities catalog. Federal agencies have until November 29, 2023, to implement necessary mitigations [4] [5], including disabling the SLP service on systems running on untrusted networks [3] [4] [5], in order to protect their networks from potential threats [5].
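The following is an added example, not Netography's "slpreflection" model or any vendor's code. It sketches how a flood of traffic sourced from UDP port 427 can be picked out of flow records, and how to list your own hosts that answer SLP to outside addresses. The flow field names, the 60-second window, both thresholds and the sample records are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

SLP_PORT = 427         # SLP port named in the advisory (UDP and TCP)
WINDOW = 60            # assumed aggregation window, in seconds
MIN_BYTES = 1_000_000  # assumed per-window byte threshold; tune to your baseline
MIN_SOURCES = 3        # assumed minimum number of distinct reflectors

def _slp_udp_replies(flows):
    """Select flows that look like SLP responses: UDP with source port 427."""
    return (f for f in flows if f["proto"] == "udp" and f["sport"] == SLP_PORT)

def find_slp_reflection(flows, window=WINDOW, min_bytes=MIN_BYTES, min_sources=MIN_SOURCES):
    """Flag destinations that receive a flood of UDP/427-sourced traffic in one window."""
    buckets = defaultdict(lambda: {"bytes": 0, "sources": set()})
    for f in _slp_udp_replies(flows):
        agg = buckets[(f["dst"], f["ts"] // window)]
        agg["bytes"] += f["bytes"]
        agg["sources"].add(f["src"])
    return [
        {"victim": dst, "window_start": slot * window,
         "bytes": agg["bytes"], "reflectors": sorted(agg["sources"])}
        for (dst, slot), agg in sorted(buckets.items())
        if agg["bytes"] >= min_bytes and len(agg["sources"]) >= min_sources
    ]

def internal_reflectors(flows, internal_cidr):
    """List our own hosts answering SLP over UDP to addresses outside internal_cidr."""
    net = ipaddress.ip_network(internal_cidr)
    inside = lambda ip: ipaddress.ip_address(ip) in net
    return sorted({f["src"] for f in _slp_udp_replies(flows)
                   if inside(f["src"]) and not inside(f["dst"])})

def _flow(ts, proto, src, sport, dst, dport, nbytes):
    return {"ts": ts, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "bytes": nbytes}

# Constructed sample flow records (documentation address ranges, not real traffic).
SAMPLE_FLOWS = [
    _flow(1200, "udp", "198.51.100.10", 427, "203.0.113.5", 53211, 400_000),
    _flow(1210, "udp", "198.51.100.11", 427, "203.0.113.5", 53211, 400_000),
    _flow(1220, "udp", "192.0.2.20", 427, "203.0.113.5", 53211, 400_000),
    _flow(1205, "udp", "192.0.2.21", 427, "192.0.2.30", 40112, 600),  # small LAN lookup
    _flow(1215, "tcp", "198.51.100.12", 427, "203.0.113.5", 40200, 5_000_000),  # TCP, ignored
]

if __name__ == "__main__":
    for alert in find_slp_reflection(SAMPLE_FLOWS):
        print("possible SLP reflection:", alert)
    print("internal hosts answering SLP externally:",
          internal_reflectors(SAMPLE_FLOWS, "192.0.2.0/24"))
```

Any host returned by `internal_reflectors` is a candidate for the mitigations above: disable SLP on it or filter port 427 at the perimeter.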

Conclusion

This vulnerability in the Service Location Protocol (SLP) poses a significant risk to organizations currently using SLP. It is crucial for administrators to take immediate action by disabling SLP on internet-facing systems, blocking traffic on UDP and TCP port 427 [2], and ensuring they are using the latest versions of products that utilize SLP [1]. By implementing these preventive measures, organizations can protect their networks from potential threats [5]. Federal agencies have a deadline of November 29, 2023, to implement necessary mitigations [4] [5], including disabling the SLP service on systems running on untrusted networks [3] [4] [5]. It is important to prioritize network security and stay vigilant against future vulnerabilities.

References

[1] https://securityboulevard.com/2023/11/netography-releases-detection-for-actively-exploited-dos-amplification-cve-2023-29552/
[2] https://vulnera.com/newswire/cisa-alerts-on-active-exploitation-of-slp-vulnerability-enabling-high-impact-dos-attacks/
[3] https://patabook.com/technology/2023/11/09/cisa-alerts-high-severity-slp-vulnerability-now-under-active-exploitation/
[4] https://thehackernews.com/2023/11/cisa-alerts-high-severity-slp.html
[5] https://alinaa-cybersecurity.com/high-severity-slp-vulnerability-now-under-active-exploitation/