New high-severity vulnerability (CVE-2023-29552) discovered in the Service Location Protocol (SLP)
What is the Service Location Protocol (SLP)?
SLP is a protocol that was created in 1997 through RFC 2165 to provide a dynamic configuration mechanism for applications in local area networks. SLP allows systems on a network to find each other and communicate with each other. It does this by using a directory of available services, which can include things like printers, file servers, and other network resources. SLP works by having a system register itself with a directory agent, which then makes that system's services available to other systems on the network. Daemons providing SLP are bound to the default port 427, both UDP and TCP. SLP was not intended to be made available to the public Internet. According to RFC 2165, "Service Location provides a dynamic configuration mechanism for applications in local area networks. It is not a global resolution system for the entire Internet; rather, it is intended to serve enterprise networks with shared services." However, the protocol has been found in a variety of instances connected to the Internet. A recent internet-wide scan revealed more than 54,000 SLP-speaking instances online, belonging to organizations across many sectors and geographies.
What vulnerability was discovered?
Researchers from Bitsight and Curesec jointly discovered CVE-2023-29552 (CVSS 8.6). If exploited, CVE-2023-29552 allows an attacker to leverage vulnerable instances to launch a DoS attack — sending massive amounts of traffic to a victim — via a reflective amplification attack.
DoS attacks have made headlines in recent years, causing significant financial, reputational, and operational harm. With attacks predicted to double from 2018 to the end of 2023, organizations continue to fall victim to service disruptions. In fact, small to medium-sized businesses (SMBs) spend an average of $120,000 as a result of a DoS attack, while larger organizations may face larger financial losses due to relatively higher costs of disruption. Large, multinational enterprises are not immune to these attacks – Amazon Web Services (AWS), GitHub, and even nation states have fallen victim to DoS attacks.
How does a typical reflective DoS amplification attack work?
In a typical reflective DoS amplification attack, the attacker usually sends small requests to a server with a spoofed source IP address that corresponds to the victim's IP address. The server then replies to the victim's IP address, sending much larger responses than the requests, generating large amounts of traffic to the victim’s system. The attacker is simply tricking systems on the Internet — not necessarily owned by the target — to send mass amounts of traffic to the target.
What does a reflective DoS amplification attack leveraging CVE-2023-29552 look like?
Reflection coupled with service registration significantly amplifies the amount of traffic sent to the victim. The typical reply packet size from an SLP server is between 48 and 350 bytes. Assuming a 29 byte request, the amplification factor — or the ratio of reply to request magnitudes — is roughly between 1.6X and 12X in this situation. However, SLP allows an unauthenticated user to register arbitrary new services, meaning an attacker can manipulate both the content and the size of the server reply, resulting in a maximum amplification factor of over 2200X due to the roughly 65,000 byte response given a 29 byte request. This extremely high amplification factor allows for an under-resourced threat actor to have a significant impact on a targeted network and/or server via a reflective DoS amplification attack.
How to protect against CVE-2023-29552
To protect against CVE-2023-29552, SLP should be disabled on all systems running on untrusted networks, like those directly connected to the Internet. If that is not possible, then firewalls should be configured to filter traffic on UDP and TCP port 427. This will prevent external attackers from accessing the SLP service.
Take action now
CVE-2023-29552 is a threat that can potentially impact business continuity and result in financial loss, even if an attacker has limited resources. Organizations must implement appropriate security measures to safeguard their networks and servers from being used in such attacks. One effective way to protect against SLP vulnerabilities is by implementing robust network security controls such as firewalls.
It is equally important to enforce strong authentication and access controls, allowing only authorized users to access the correct network resources, with access being closely monitored and audited. Organizations should also have an incident response plan in place that clearly outlines procedures for mitigating SLP vulnerabilities, as well as procedures for communicating with users and stakeholders in case of an incident.
Implementing strong security measures and access controls can reduce the risk of falling victim or unwillingly participating in these types of attacks, while incident response plans can mitigate the effects of such an attack.
E.R
Comments
Post a Comment