The Cybersecurity and Infrastructure Security Agency (CISA) posted an alert warning network defenders that exploiting the Service Location Protocol (SLP, RFC 2608) allows an unauthenticated remote attacker to register arbitrary services. This could allow an attacker to use spoofed UDP traffic to conduct a denial-of-service (DoS) attack with a significant amplification factor.
According to CISA, researchers from Bitsight and Curesec have discovered a way to abuse SLP—identified as CVE-2023-29552—to conduct high amplification factor DoS attacks using spoofed source addresses. Many SLP services visible on the internet appear to be older and likely abandoned systems. Organizations should consider disabling or restricting network access to SLP servers. Some organizations such as VMware have evaluated CVE-2023-29552 and have provided a response, see VMware Response to CVE-2023-29552 – reflective Denial-of-Service (DoS) amplification vulnerability in SLP for more information.
CISA urges network defenders to review Bitsight’s blog post for more details and see CISA’s article on Understanding and Responding to Distributed Denial-of-Service Attacks for guidance on reducing the likelihood and impact of DoS attacks. Read more at CISA.