Details about one have emerged vulnerability of high-severity security affecting the Service Location Protocol (SLP extension) and could be used to launch volumetric denial-of-service attacks against targets.
New SLP vulnerability, what it consists of
“The attackers [hacker] exploiting this vulnerability could exploit vulnerable instances to launch massive Denial-of-Service (DoS) amplification attacks with a factor of up to 2200 times, potentially making it one of the largest amplification attacks ever reported“, they have declared Bitsight and Curesec researchers, Pedro Umbelino and Marco Lux, in a report.
The SLP vulnerability, which has been assigned the identifier CVE-2023-29552 (CVSS score: 8.6), affects over 2,000 global organizations and over 54,000 Internet-accessible SLP instances.
This includes VMWare ESXi Hypervisor, Konica Minolta printers, Planex routers, IBM Integrated Management Module (IMM), SMC IPMI and 665 other product types.
The top 10 countries with the most organizations having vulnerable SLP instances are the United States, United Kingdom, Japan, Germany, Canada, France, Italy, Brazil, Netherlands, and Spain.
SLP is a service discovery protocol that allows computers and other devices to find services in a local area network, such as printers, file servers, and other network resources, the SLP vulnerability basically targets these services for the easy ride.
A successful exploit of CVE-2023-29552 could allow an attacker to exploit susceptible SLP instances to launch a reflection amplification and overwhelm a target server with fake traffic.
To do this, all the attacker needs to do is find an SLP server on UDP port 427 and log “services until SLP denies further entries”, followed by spoof requests repeated to that service with the victim’s IP as the source address.
An attack of this type can produce an amplification factor of up to 2,200, resulting in large-scale DoS attacks; To avoid this type of threat, users are advised to disable SLP on systems directly connected to the Internet or, alternatively, filter traffic on UDP and TCP port 427.
“It is equally important to enforce strong authentication and access controls, allowing only authorized users access to the correct network resources, with access being closely monitored and audited“, stated the researchers.
Web security firm Cloudflare, in a note, has declared Of “expect a significant increase in the prevalence of SLP-based DDoS attacks in the coming weeksas threat actors experiment with the new DDoS amplification vector.
These findings emerge after a two-year-old vulnerability in VMware’s SLP implementation was exploited by actors associated with ESXiArgs ransomware in widespread attacks earlier this year.
Concluding
In conclusion, the discovery of this high-level vulnerability in the SLP protocol once again highlights the need to strengthen IT security measures and protect corporate networks from possible cyber attacks, as in this case deriving from vulnerabilities (in this case SLP vulnerability ).
The main recommendation of the experts is to disable SLP on systems directly connected to the internet and to apply strict authentication and access controls to prevent any security breaches.
The expected increase in SLP-based DDoS attacks makes the need for these security measures to protect corporate networks and ensure business continuity even more urgent.
#Vulnerability #SLP #stronger #DDoS #attacks