New high-severity vulnerability (CVE-2023-29552) discovered in the Service Location Protocol (SLP)

-

 


What is the Service Location Protocol (SLP)?

SLP is a protocol that was created in 1997 through RFC 2165 to provide a dynamic configuration mechanism for applications in local area networks. SLP allows systems on a network to find each other and communicate with each other. It does this by using a directory of available services, which can include things like printers, file servers, and other network resources. SLP works by having a system register itself with a directory agent, which then makes that system's services available to other systems on the network. Daemons providing SLP are bound to the default port 427, both UDP and TCP. SLP was not intended to be made available to the public Internet. According to RFC 2165, "Service Location provides a dynamic configuration mechanism for applications in local area networks. It is not a global resolution system for the entire Internet; rather, it is intended to serve enterprise networks with shared services." However, the protocol has been found in a variety of instances connected to the Internet. A recent internet-wide scan revealed more than 54,000 SLP-speaking instances online, belonging to organizations across many sectors and geographies.

What vulnerability was discovered?

Researchers from Bitsight and Curesec jointly discovered CVE-2023-29552 (CVSS 8.6). If exploited, CVE-2023-29552 allows an attacker to leverage vulnerable instances to launch a DoS attack — sending massive amounts of traffic to a victim — via a reflective amplification attack.

DoS attacks have made headlines in recent years, causing significant financial, reputational, and operational harm. With attacks predicted to double from 2018 to the end of 2023, organizations continue to fall victim to service disruptions. In fact, small to medium-sized businesses (SMBs) spend an average of $120,000 as a result of a DoS attack, while larger organizations may face larger financial losses due to relatively higher costs of disruption. Large, multinational enterprises are not immune to these attacks – Amazon Web Services (AWS), GitHub, and even nation states have fallen victim to DoS attacks.

How does a typical reflective DoS amplification attack work?

In a typical reflective DoS amplification attack, the attacker usually sends small requests to a server with a spoofed source IP address that corresponds to the victim's IP address. The server then replies to the victim's IP address, sending much larger responses than the requests, generating large amounts of traffic to the victim’s system. The attacker is simply tricking systems on the Internet — not necessarily owned by the target — to send mass amounts of traffic to the target.

What does a reflective DoS amplification attack leveraging CVE-2023-29552 look like?

Reflection coupled with service registration significantly amplifies the amount of traffic sent to the victim. The typical reply packet size from an SLP server is between 48 and 350 bytes. Assuming a 29 byte request, the amplification factor — or the ratio of reply to request magnitudes — is roughly between 1.6X and 12X in this situation. However, SLP allows an unauthenticated user to register arbitrary new services, meaning an attacker can manipulate both the content and the size of the server reply, resulting in a maximum amplification factor of over 2200X due to the roughly 65,000 byte response given a 29 byte request. This extremely high amplification factor allows for an under-resourced threat actor to have a significant impact on a targeted network and/or server via a reflective DoS amplification attack.

How to protect against CVE-2023-29552

To protect against CVE-2023-29552, SLP should be disabled on all systems running on untrusted networks, like those directly connected to the Internet. If that is not possible, then firewalls should be configured to filter traffic on UDP and TCP port 427. This will prevent external attackers from accessing the SLP service.

Take action now

CVE-2023-29552 is a threat that can potentially impact business continuity and result in financial loss, even if an attacker has limited resources. Organizations must implement appropriate security measures to safeguard their networks and servers from being used in such attacks. One effective way to protect against SLP vulnerabilities is by implementing robust network security controls such as firewalls.

It is equally important to enforce strong authentication and access controls, allowing only authorized users to access the correct network resources, with access being closely monitored and audited. Organizations should also have an incident response plan in place that clearly outlines procedures for mitigating SLP vulnerabilities, as well as procedures for communicating with users and stakeholders in case of an incident.

Implementing strong security measures and access controls can reduce the risk of falling victim or unwillingly participating in these types of attacks, while incident response plans can mitigate the effects of such an attack.

 

E.R

Comments

Post a Comment

Popular posts from this blog

CISA and ENISA enhance their Cooperation

-
Image
  The European Union Agency for Cybersecurity (ENISA) has signed a Working Arrangement with the Cybersecurity and Infrastructure Security Agency (CISA) of the US, in the areas of capacity-building, best practices exchange and boosting situational awareness. Geopolitics have shaped the cyber threat landscape, bringing like-minded partners closer together in the wake of common cyber challenges and advances in digital technologies. Today at the EU-US Cyber Dialogue, ENISA and CISA announced the signing of their Working Arrangement as an important milestone in the overall cooperation between the United States and the European Union in the field of cybersecurity, also following the Joint Statement of European Commissioner Thierry Breton and U.S. Secretary for Homeland Security Alejandro Mayorkas of January 2023. ENISA’s International Strategy directs the Agency to be selective in engaging with international partners and to limit its overall approach in international cooperation to those are
Read more

The Imperva Content Delivery Network (CDN) to Improve website experience globally

-
Image
Today’s website visitors expect a fast and efficient user experience with no delays or site performance issues. However, high traffic volumes and global reaching websites mean website managers are faced with the challenge of added latency and slow page load times, which can result in lost business. According to WebSiteBuilderExpert.com, 1 in 4 site visitors would abandon a website that takes more than 4 seconds to load. And 46% of site visitors do not revisit poorly performing websites, according to Unbounce.com. A strong Content Delivery Network   (CDN) is critical for website managers and businesses that rely on their websites for success, and here are ten reasons why. Improve your engagement Faster site speed times and more responsive websites bring results in more conversions. As little as a  one-second delay  in page load time can reduce customer satisfaction by 16%. Slow page load times According to  Unbounce , ‘Nearly 70% of consumers admit that page speed influences their likel
Read more

SmartScreen Vulnerability: CVE-2024-21412 Facts and Fixes

-
Image
On Feb. 13, 2024, Microsoft issued a  patch  for CVE-2024-21412, a  Microsoft Defender SmartScreen  vulnerability revolving around internet shortcuts. Previously, we discovered that an advanced persistent threat (APT) group we track under the name Water Hydra has been exploiting CVE-2024-21412 in a sophisticated campaign targeting financial market traders, allowing the group to bypass Microsoft Defender SmartScreen and infect its victims with the DarkMe remote access trojan (RAT). Threat actors are constantly finding new ways of identifying and exploiting gaps to bypass security measures. We found that the bypass of CVE-2023-36025 (a previously patched SmartScreen vulnerability) led to the discovery and exploitation of CVE-2024-21412. This highlights how threat actors can circumvent patches by identifying new vectors of attack around a patched software component. It is important that organizations are able to identify and mitigate vulnerabilities, especially zero-days, in a timely mann
Read more