June 7, 2023
A recent discovery of a critical vulnerability in a legacy Internet protocol, utilized by various enterprise products, has been identified as a potential enabler for attackers to significantly amplify denial-of-service (DoS) attacks by an amplification factor of up to 2,200 times, making it one of the largest amplification attacks ever documented.
Assigned the identifier CVE-2023-29552, this vulnerability is present within the Service Location Protocol (SLP), an increasingly obsolete network-discovery protocol that continues to be employed by select routers, virtual machines, printers, and other technologies.
Attributed to researchers Pedro Umbelino from Bitsight and Marco Lux from Curesec, the discovery of this vulnerability presents an opportunity for attackers to exploit and launch potent reflective amplification attacks, as detailed in a blog post by Bitsight, published on 25 April 2023.
The potential consequences of CVE-2023-29552 could adversely affect business continuity and result in financial losses, even in instances where the attacker possesses limited resources.
The threat posed by a reflective amplification DDoS attack leveraging the CVE-2023-29552 vulnerability cannot be overstated. This type of attack combines reflection with service registration to significantly amplify the volume of traffic directed at the victim.
Given the typical reply packet size from an SLP server is between 48 and 350 bytes; assuming a 29-byte request was used, the amplification factor would roughly equate to between 1.6X and 12X. However, since SLP does not require authentication, an unauthenticated user can register arbitrary new services, allowing an attacker to manipulate both the content and size of the server reply, resulting in a maximum amplification factor of more than 2,200 times.
In sum, the implications of such a high amplification factor are significant, allowing even under-resourced threat actors to have a substantial impact on a targeted network or server via a reflective DoS amplification attack.
For organizations that may be employing technology that supports SLP and can be accessed from the internet, it is vital to take immediate action to mitigate the risk of attackers exploiting this critical flaw. While updating any affected product to a modern version that doesn't use SLP is the most effective solution, it may not always be feasible.
In such cases, disabling SLP on all systems running on untrusted networks is recommended, such as those directly connected to the internet. If disabling SLP is not possible, then configuring firewalls to filter traffic on UDP and TCP port 427 can prevent external attackers from accessing the SLP service.
It is also equally critical to enforce strong authentication and access controls, so as to allow only authorized users to access the correct network resources, with access being closely monitored and audited.
Nexusguard’s NetShield has been enhanced with a signature for SLP reflection attacks, which can effectively detect inbound traffic targeting the destination port 427. This signature is included in both Normal and Rapid modes and grouped under UDP attack signatures.
To prevent any attempt to abuse the SLP vulnerability, a FlexFilter rule has also been implemented to drop TCP and UDP traffic with a destination port of 427. This measure helps prevent unauthorized access and mitigates the risk of potential SLP attacks, providing additional security for your organization's network infrastructure.
Moreover, customers of Nexusguard who might be concerned about their exposure to this vulnerability are advised to proactively review their network security policies and reach out to the Nexusguard Service team for assistance. Our team can provide expert guidance on the best course of action, including applying available security patches, disabling unnecessary SLP services, and implementing appropriate access controls to allow only trusted devices.
If you suspect that you’ve been impacted by this vulnerability, it’s crucial to seek specialist assistance immediately given its severity.
Nexusguard's Origin Protection offers you comprehensive and highly effective protection against all forms of L3-L4 and L7 attacks, including potential zero-day attacks. Our solution is designed to be easy to implement, enabling organizations to quickly and efficiently secure their applications and networks against a wide range of cyber threats. With Nexusguard's Origin Protection, customers can have peace of mind knowing that their applications and networks are well-protected against even the most sophisticated attacks.
For further information, please read about Nexusguard’s Origin Protection or reach out to us via our Emergency Contact Form.
