Obscure Network Protocol Has Flaw That Could Unleash DDoS
Service Location Protocol Amplifies Queries by Up to 2,200 Times
An obscure routing protocol codified during the 1990s has come roaring back to attention after researchers found a flaw that would allow attackers to initiate massive distributed denial-of-service attacks. Researchers from Bitsight and Curesec say they found a bug in Service Location Protocol.
Service Location Protocol, the brainchild of executives from Sun Microsystems and a now-defunct internet service provider, was envisioned as a dynamic method of discovering resources such as printers on a closed enterprise network.
Researchers from Bitsight and Curesec uncovered a flaw in the protocol tracked as CVE-2023-29552 that allows attackers to coax an outsized response. A simple 29-byte request could result in a reply that is 2,200 times greater, the researchers said, making the flaw a good candidate for attackers launching DDoS amplification attacks.
By spoofing the IP address of a target, attackers could send a tidal wave of Service Location Protocol replies to overwhelm the computing resources of a victim.
Service Location Protocol isn't supposed to be exposed to the internet, but it is. Researchers searching for networked resources accepting SLP traffic found more than 54,000 of them online belonging to organizations spread across the globe. Among the affected devices, said Bitsight and Curesec, are Konica Minolta printers, Planex Routers and the IBM Integrated Management Module. In a response to the findings, VMware said its currently supported ESXi hypervisors are not affected by the flaw, but "releases that have reached end of general support" are.
The U.S. Cybersecurity and Infrastructure Agency said many of the online SLP devices appear to be older and likely abandoned.
A typical reply packet size from an SLP server is between 48 and 350 bytes, researchers wrote. That means that the typical network traffic amplification factor for a legitimate response peaks at about 12 times more than the request.
The uncovered flaw allows an unauthenticated user to register arbitrary new services, "meaning an attacker can manipulate both the content and the size of the server reply." That's when the amplification factor shoots up to 2,200 times, due to the 65,000-byte response SLP can return.
To ensure that SLP servers aren't exploited by a user, Bitsight and Curesec said organizations should make sure SLP is disabled on all systems running on untrusted networks, such as those facing the internet. Failing that, system administrators should configure the firewall to filter traffic on port 427, the Internet Assigned Number Authority-assigned default port for Service Location Protocol.
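As an added illustration of the figures above (not code from the researchers or the article), the following script scores flow records against SLP traffic on UDP/427 using the article's numbers: a 29-byte request, legitimate replies of 48 to 350 bytes, and abusive replies near 65,000 bytes. The flow records, addresses and the `Flow` record layout are constructed for the example.

```python
# Added example: flag flows to the SLP port whose reply size exceeds what a
# legitimate SLP response can produce, per the article's figures.
from dataclasses import dataclass

SLP_PORT = 427          # IANA-assigned default port for SLP (from the article)
LEGIT_MAX_REPLY = 350   # upper end of a typical legitimate reply, in bytes


@dataclass
class Flow:
    """One request/response pair as a collector might summarise it (constructed)."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    req_bytes: int
    resp_bytes: int


def amplification_factor(req_bytes: int, resp_bytes: int) -> float:
    """Reply size divided by request size (0.0 for an empty request)."""
    return resp_bytes / req_bytes if req_bytes else 0.0


def suspicious_slp_flows(flows, max_reply=LEGIT_MAX_REPLY):
    """Return (flow, factor) pairs for UDP/427 flows whose reply is larger than
    any legitimate SLP response; these are the candidates for abuse or for a
    firewall rule on port 427 from untrusted networks."""
    hits = []
    for f in flows:
        if f.proto != "udp" or f.dport != SLP_PORT:
            continue
        if f.resp_bytes > max_reply:
            hits.append((f, round(amplification_factor(f.req_bytes, f.resp_bytes), 1)))
    return hits


# Constructed sample flows with documentation-range addresses: a normal lookup
# (about 12x), a reply sized like the article's worst case, and non-SLP noise.
SAMPLE_FLOWS = [
    Flow("198.51.100.7", 40001, "203.0.113.10", 427, "udp", 29, 350),
    Flow("198.51.100.9", 40002, "203.0.113.10", 427, "udp", 29, 65000),
    Flow("198.51.100.9", 40003, "203.0.113.10", 53, "udp", 60, 120),
]

if __name__ == "__main__":
    for flow, factor in suspicious_slp_flows(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport} amplification x{factor}")
```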