Old protocol has new DoS-amplification bug

CISA issues alert.

A legacy protocol that shouldn’t be exposed to the internet has a bug that allows it to be exploited for reflected denial-of-service (DoS) amplification attacks, America’s Cyber and Infrastructure Security Administration has warned.

The 1990s-era Service Locator Protocol (SLP, defined in RFC-2165) was intended to help local area network admins by letting systems automatically discover network services (such as storage, printers and the like).

However, as Bitsight and Curesec discovered, there are thousands of RFC-2165 instances exposed to the internet, and SLP can be exploited to amplify DoS attacks, because a small query to the service can trigger a vastly larger response.

By sending a 29-byte packet spoofed to the victim’s IP address to an SLP daemon, the attacker can get a response 12 times larger, up to 350 bytes.

However, the attacker can also exploit SLP’s registration process by anonymously registering new services with the server. This can yield an amplification of as much as 2200 times, generating responses of 65,000 bytes.

“This extremely high amplification factor allows for an under-resourced threat actor to have a significant impact on a targeted network and/or server via a reflective DoS amplification attack,” Bitsight said.

Bitsight and Curesec said they found more than 54,000 hosts on the internet that will respond to SLP requests, and further, that there are more than 670 products that speak the protocol.

SLP uses UDP over port 427, so blocking the port can mitigate the problem.
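Before or after blocking the port, flow logs can show whether any internal host is answering SLP for outside peers. The following is an added example, not code from the article or the researchers: it totals UDP/427 bytes per internal responder and external peer and reports pairs whose replies dwarf the requests. The flow tuple layout, the `10.0.0.0/8` internal range and all sample records are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

SLP_PORT = 427  # SLP uses UDP port 427 (stated in the article)
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: your own address space

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, proto, bytes)
SAMPLE_FLOWS = [
    ("10.1.1.20", 40000, "10.1.1.5", 427, "udp", 29),      # LAN discovery, expected
    ("10.1.1.5", 427, "10.1.1.20", 40000, "udp", 350),
    ("203.0.113.9", 53211, "10.1.1.5", 427, "udp", 29),    # external request
    ("10.1.1.5", 427, "203.0.113.9", 53211, "udp", 65000),
    ("198.51.100.7", 40001, "10.1.1.8", 427, "udp", 29),   # external, modest reply
    ("10.1.1.8", 427, "198.51.100.7", 40001, "udp", 350),
    ("203.0.113.9", 44000, "10.1.1.5", 443, "tcp", 1200),  # unrelated traffic
]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)

def slp_exposure_report(flows, min_ratio=10.0):
    """Return {(responder, peer): (bytes_in, bytes_out, ratio)} for external
    peers whose UDP/427 replies are at least min_ratio times the requests."""
    bytes_in = defaultdict(int)
    bytes_out = defaultdict(int)
    for src, sport, dst, dport, proto, size in flows:
        if proto != "udp":
            continue
        if dport == SLP_PORT and is_internal(dst) and not is_internal(src):
            bytes_in[(dst, src)] += size       # request reaching an internal SLP host
        elif sport == SLP_PORT and is_internal(src) and not is_internal(dst):
            bytes_out[(src, dst)] += size      # reply leaving toward the outside peer
    report = {}
    for key, sent in bytes_out.items():
        received = bytes_in.get(key, 0)
        # A reply with no recorded request is treated as an infinite ratio.
        ratio = sent / received if received else float("inf")
        if ratio >= min_ratio:
            report[key] = (received, sent, round(ratio, 1))
    return report

if __name__ == "__main__":
    for (responder, peer), (rx, tx, ratio) in sorted(slp_exposure_report(SAMPLE_FLOWS).items()):
        print(f"{responder} -> {peer}: {rx} B in, {tx} B out, x{ratio}")
```

Any entry in the report means the host is reachable on UDP/427 from outside the internal range, which is the exposure the port block is meant to remove.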

The researchers said vendors with possibly vulnerable products include VMware, Konica Minolta, router vendor Planex, IBM, SMC and others.

VMware has provided a response to the bug, saying currently supported ESXi releases are not impacted, but end-of-support versions may be.

The bug has been designated CVE-2023-29552.

Copyright © iTnews.com.au . All rights reserved.
