CISA Reports Exploitation of SLP Vulnerability Permitting Amplified DoS Attacks in the Wild

The Cybersecurity and Infrastructure Security Agency (CISA) has announced that a Service Location Protocol (SLP) vulnerability, which allows for a Denial of Service (DoS) amplification factor of 2,000, is currently being exploited in attacks, according to SecurityWeek.

Nov 9, 2023 - 08:00

CISA Alerts to Active Exploitation of SLP Vulnerability in DoS Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory regarding active exploitation of a critical vulnerability in the Service Location Protocol (SLP). Identified as CVE-2023-29552 and rated 8.6 on the CVSS scale, the vulnerability was first reported in April, when it was shown that unauthenticated, remote attackers could weaponize it to orchestrate denial-of-service (DoS) attacks with a potentially massive amplification factor of up to 2,000 times.

SLP, a protocol designed for discovering services on a local network, has been found to be inadvertently exposed to the public internet on about 34,000 systems, according to findings by Bitsight and Curesec. The researchers believe many of these systems are outdated and neglected, which makes them a significant security risk.

Vendors such as VMware and NetApp have acknowledged the vulnerability's impact and recommend that network administrators either disable SLP or ensure that affected systems are not reachable from the internet. To mitigate the risk, it is advised to implement firewall rules that block inbound traffic on UDP and TCP port 427, the port SLP uses, so that exploitation attempts never reach the service.
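The exposure and amplification described above can be checked from network telemetry. The following is an added example, not code from the article, CISA, Bitsight or Curesec: it pairs SLP requests on port 427 with their replies in simplified, constructed flow records, flags any SLP host that answered a peer outside an assumed set of trusted RFC 1918 networks, and reports the reply/request byte ratio that reveals amplification.

```python
import ipaddress
from collections import defaultdict

SLP_PORT = 427  # SLP listens on UDP and TCP 427, the port the advisory says to block

# Networks assumed (for this example) to hold legitimate SLP clients;
# any peer outside them is treated as external exposure.
TRUSTED_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records, not real telemetry: "src sport dst dport proto bytes".
# 192.0.2.x stand in for our SLP hosts; 203.0.113.x / 198.51.100.x for outside peers.
SAMPLE_FLOWS = [
    "203.0.113.7 40000 192.0.2.10 427 udp 60",     # external probe reaches SLP
    "192.0.2.10 427 203.0.113.7 40000 udp 14000",  # very large reply: amplification
    "10.0.0.5 51000 192.0.2.10 427 udp 60",        # internal client, normal use
    "192.0.2.10 427 10.0.0.5 51000 udp 200",
    "198.51.100.9 40001 192.0.2.11 427 udp 60",    # external peer, small reply
    "192.0.2.11 427 198.51.100.9 40001 udp 80",
]


def is_trusted(ip):
    """True when the address falls inside one of the trusted client networks."""
    return any(ip in net for net in TRUSTED_NETS)


def analyze_slp_flows(lines, ratio_threshold=10.0):
    """Return one finding per (SLP host, peer) pair.

    A pair is flagged when the peer is untrusted (SLP is exposed) or when the
    reply/request byte ratio reaches ratio_threshold (amplification in progress).
    """
    req, resp = defaultdict(int), defaultdict(int)  # keyed by (slp_host, peer)
    for line in lines:
        src, sport, dst, dport, _proto, size = line.split()
        src, dst, size = ipaddress.ip_address(src), ipaddress.ip_address(dst), int(size)
        if int(dport) == SLP_PORT:
            req[(dst, src)] += size
        elif int(sport) == SLP_PORT:
            resp[(src, dst)] += size
    findings = []
    for host, peer in sorted(set(req) | set(resp), key=lambda k: (str(k[0]), str(k[1]))):
        r_in, r_out = req[(host, peer)], resp[(host, peer)]
        ratio = r_out / r_in if r_in else float("inf")
        external = not is_trusted(peer)
        findings.append({"host": str(host), "peer": str(peer), "external": external,
                         "req_bytes": r_in, "resp_bytes": r_out, "ratio": ratio,
                         "flagged": external or ratio >= ratio_threshold})
    return findings


if __name__ == "__main__":
    for finding in analyze_slp_flows(SAMPLE_FLOWS):
        print(finding)
```

Any flagged pair with an external peer is an SLP service that the recommended port 427 firewall rule should have hidden; a high ratio on its own shows the host is already serving as a reflector.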

Proof-of-concept (PoC) code for leveraging CVE-2023-29552 in DoS amplification attacks has been circulating since its initial disclosure. However, CISA's alert marks the first instance of reported in-the-wild exploitation.

In response to this threat, CISA has added CVE-2023-29552 to its Known Exploited Vulnerabilities Catalog. Under Binding Operational Directive (BOD) 22-01, federal agencies must identify and secure affected systems within a 21-day window, underscoring the urgency of closing this exposure.