Internet protocol vulnerability opens door to ‘massive’ DoS amplification attacks
Researchers have discovered a high-severity vulnerability in a legacy internet protocol which they warned could be used to launch “massive” denial-of-service (DoS) attacks capable of knocking services offline.
The vulnerability was jointly discovered by cyber risk firm Bitsight and IT security company Curesec, which published a report on Tuesday. Because of the “criticality of the vulnerability and the potential consequences resulting from exploitation” researchers coordinated with impacted organizations and the Cybersecurity and Infrastructure Security Agency, which also released an advisory about the issue on Tuesday.
@BitSight and @Curesec have jointly discovered a high-severity vulnerability in the Service Location Protocol (SLP), potentially exposing unsuspecting organizations to massive Denial-of-Service (DoS) amplification attacks. Discover more: https://t.co/vjqDblhMei #DoS #SLP pic.twitter.com/81u3U8Gd9t— Bitsight (@BitSight) April 25, 2023
The vulnerability affects the Service Location Protocol, an outdated internet protocol for applications in local area networks, which allows network systems to communicate with each other. According to researchers, the protocol was never intended to be used for the “public” internet, but nonetheless they found 54,000 instances of SLP connections to the internet.
The vulnerability potentially allows attackers to conduct what are known as reflective DoS amplification attacks, in which the threat actor sends requests to a server using a spoofed IP address that corresponds to the victim's IP address.
“The server then replies to the victim's IP address, sending much larger responses than the requests, generating large amounts of traffic to the victim’s system,” researchers said.
In amplification attacks using the new vulnerability — referred to as CVE-2023-29552 — an attacker “can manipulate both the content and the size of the server reply, resulting in a maximum amplification factor of over 2200X.”
That amplification factor makes it hypothetically “one of the largest amplification attacks ever reported.”
By comparison, the average amplification factor of a DNS protocol attack is between 28X and 54X, according to CISA.
Among potentially affected products were VMware ESXi Hypervisor, Konica Minolta printers, Planex Routers, IBM Integrated Management Module and Supermicro IPMI.
VMware published a response to the vulnerability disclosure, saying that currently supported versions of its ESXi product are not impacted. Older versions, including 6.7 and 6.5, are potentially affected.
In its advisory, CISA urged IT administrators to disable network access to SLP servers.
James Reddick has worked as a journalist around the world, including in Lebanon and in Cambodia, where he was Deputy Managing Editor of The Phnom Penh Post. He is also a radio and podcast producer for outlets like Snap Judgment.