The US CISA has issued a warning regarding the active exploitation of a Service Location Protocol (SLP) vulnerability by threat actors. This vulnerability, identified as CVE-2023-29552, permits DoS attacks with a high amplification factor.
The flaw was brought to light by security researchers at Bitsight and Curesec during April 2023. They warned that the vulnerability allows unauthenticated, remote attackers to register arbitrary services and use spoofed UDP traffic to significantly increase the severity of DoS attacks.
The researchers cautioned that the security flaw enables attackers to merge typical reflective DoS amplification with service registration, leading to an amplification factor that could reach 2,000.
Bitsight and Curesec also pointed out that thousands of organizations were using SLP, a legacy internet protocol designed for local network discovery but not intended for exposure to the public web. They identified roughly 34,000 systems susceptible to exploitation via SLP, many of which are likely outdated systems, leaving their owners vulnerable to attacks.
Several vendors, including VMware and NetApp, have acknowledged the impact of this bug. They have urged administrators to either disable the SLP protocol or ensure that their instances are not accessible via the internet.
Administrators are also advised to set firewall rules to filter traffic on UDP and TCP port 427 to prevent exploitation.
Since April, PoC code targeting CVE-2023-29552 for DoS amplification has been available. The agency added CVE-2023-29552 to its Known Exploited Vulnerabilities Catalog on Wednesday, urging administrators to apply the available mitigations.