Abuse of the Service Location Protocol May Lead to DoS Attacks
The Service Location Protocol (SLP, RFC 2608) allows an unauthenticated remote attacker to register arbitrary services. This could allow an attacker to use spoofed UDP traffic to conduct a denial-of-service (DoS) attack with a significant amplification factor.
Researchers from Bitsight and Curesec have discovered a way to abuse SLP—identified as CVE-2023-29552—to conduct high amplification factor DoS attacks using spoofed source addresses.
As noted by Bitsight, many SLP services visible on the internet appear to be older and likely abandoned systems. Administrators should consider disabling or restricting network access to SLP servers. Some organizations such as VMware have evaluated CVE-2023-29552 and have provided a response, see VMware Response to CVE-2023-29552 – reflective Denial-of-Service (DoS) amplification vulnerability in SLP for more information.
CISA urges organizations to review Bitsight’s blog post for more details and see CISA’s article on Understanding and Responding to Distributed Denial-of-Service Attacks for guidance on reducing the likelihood and impact of DoS attacks.