Obscure Network Protocol Has Flaw That Could Unleash DDoS

Cyber Security Threat Summary:
An obscure service-discovery protocol codified during the 1990s has come roaring back to attention after researchers found a flaw that would allow attackers to initiate massive distributed denial-of-service attacks. Researchers from Bitsight and Curesec say they found a bug in Service Location Protocol (SLP). Service Location Protocol, the brainchild of executives from Sun Microsystems and a now-defunct internet service provider, was envisioned as a dynamic method of discovering resources such as printers on a closed enterprise network. Researchers from Bitsight and Curesec uncovered a flaw in the protocol, tracked as CVE-2023-29552, that allows attackers to coax an outsized response. A simple 29-byte request could result in a reply that is 2,200 times greater, the researchers said, making the flaw a good candidate for attackers launching DDoS amplification attacks. By spoofing the IP address of a target, attackers could direct a tidal wave of Service Location Protocol traffic at a victim and overwhelm its computing resources. Service Location Protocol isn't supposed to be exposed to the internet, but it is. Researchers searching for networked resources accepting SLP traffic found more than 54,000 of them online, belonging to organizations spread across the globe. Among the affected devices, said Bitsight and Curesec, are Konica Minolta printers, Planex routers and the IBM Integrated Management Module. In a response to the findings, VMware said its currently supported ESXi hypervisors are not affected by the flaw, but "releases that have reached end of general support" are.

Security Officer Comments:
The U.S. Cybersecurity and Infrastructure Security Agency said many of the online SLP devices appear to be older and likely abandoned. A typical reply packet from an SLP server is between 48 and 350 bytes, the researchers wrote. That means the typical network traffic amplification factor for a legitimate response peaks at about 12 times the size of the request. The uncovered flaw allows an unauthenticated user to register arbitrary new services, "meaning an attacker can manipulate both the content and the size of the server reply." That is when the amplification factor shoots up to 2,200 times, because SLP can return a response of roughly 65,000 bytes.
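As an added illustration of the figures above (not code from the advisory or from the Bitsight/Curesec researchers), the following Python check labels port 427 request/reply pairs by amplification factor and picks out servers whose replies exceed the 350-byte / 12x profile of an unmanipulated responder. The flow record layout, field names and sample traffic are constructed for this example.

```python
# Added example: flag SLP (port 427) replies whose size exceeds the profile of
# an unmanipulated server, using the figures quoted above. Flow records and
# thresholds are assumptions for this example, not the researchers' tooling.
from dataclasses import dataclass

LEGIT_REPLY_MAX = 350   # largest reply a legitimate SLP server normally returns
LEGIT_AMP_MAX = 12.0    # typical amplification ceiling for legitimate traffic

@dataclass(frozen=True)
class SlpFlow:
    client: str        # source address seen in the request (may be spoofed)
    server: str        # SLP responder
    proto: str         # "udp" replies can be reflected; "tcp" needs a handshake
    request_bytes: int
    reply_bytes: int

def amplification(flow: SlpFlow) -> float:
    """Reply bytes per request byte; guards against a zero-length request."""
    return flow.reply_bytes / max(flow.request_bytes, 1)

def classify(flow: SlpFlow) -> str:
    """'legit' if the reply fits the 48..350 byte profile, 'oversized' if it is
    bigger than any unmanipulated server should return, which is what an
    attacker-populated service registry looks like on the wire."""
    if flow.reply_bytes > LEGIT_REPLY_MAX or amplification(flow) > LEGIT_AMP_MAX:
        return "oversized"
    return "legit"

def find_amplifiers(flows):
    """Servers producing oversized UDP replies, mapped to their worst factor;
    only UDP replies can be reflected at a spoofed victim address."""
    worst = {}
    for f in flows:
        if f.proto == "udp" and classify(f) == "oversized":
            worst[f.server] = max(worst.get(f.server, 0.0), amplification(f))
    return worst

# Constructed sample records (not real traffic): a normal printer lookup, a
# 29-byte probe answered with a reply padded by registered services, and a
# small TCP exchange.
SAMPLE_FLOWS = [
    SlpFlow("10.0.0.5", "192.0.2.10", "udp", 64, 280),
    SlpFlow("203.0.113.9", "192.0.2.10", "udp", 29, 63800),
    SlpFlow("10.0.0.7", "192.0.2.11", "tcp", 48, 120),
]

if __name__ == "__main__":
    for server, factor in find_amplifiers(SAMPLE_FLOWS).items():
        print(f"{server}: reply up to {factor:.0f}x the request size")
```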

Suggested Corrections:
Filtering TCP and UDP port 427 at your network perimeter, on both ingress and egress, is recommended.

You can find out whether SLP is exposed on your network using Shadowserver.org's Accessible SLP Service Reports. This is part of Shadowserver's Daily Network Reports, a free "Cyber-Civil Defense" service.

https://www.shadowserver.org/what-we-do/network-reporting/accessible-slp-service-report/

Shadowserver's dashboard also maps where the exposed SLP services are located.

https://dashboard.shadowserver.org/

Source: https://www.senki.org/new-slp-ddos-amplification-can-overload-your-network/
https://www.bankinfosecurity.com/obscure-network-protocol-has-flaw-that-could-unleash-ddos-a-21863