Service Location Protocol (SLP) Vulnerability Affecting Various Products

April 27, 2023

Researchers discovered a new vulnerability in the Service Location Protocol (SLP).
SLP is a protocol created to provide configuration for local area networks. Using SLP, a system registers itself with a directory agent, which makes its services available to other systems. Daemons providing SLP are bound to the default port 427, both UDP and TCP.

The Vulnerability

  • CVE-2023-29552 (CVSS score: 8.6, High) – Successful exploitation of the vulnerability could allow an unauthenticated, remote threat actor to register arbitrary services and to use spoofed UDP traffic to execute denial-of-service (DoS) attacks with an amplification factor of up to 2,200X.

Affected Products

More than 670 different product types are affected, including VMware ESXi Hypervisor, Konica Minolta printers, Planex routers, IBM Integrated Management Module (IMM), SMC IPMI, and many others.

Mitigation

VMware ESXi

CYREBRO recommends updating to ESXi 7.0 U2C and newer, and to ESXi 8.0 GA and newer.

Workaround

  • SLP should be disabled on all systems running on untrusted networks if possible.
  • If disabling SLP is not possible, then firewalls should be configured to filter traffic on UDP and TCP port 427.
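To check whether the port 427 filtering is effective, exported flow records can be audited for SLP daemons that still talk to untrusted peers and for reply-to-request byte ratios that indicate reflection. The script below is an added example, not part of the original advisory or any vendor tooling; the CSV column layout, the 10.0.0.0/8 trusted range, the min_ratio threshold and the sample records are all constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from ipaddress import ip_address, ip_network

SLP_PORT = 427                             # default SLP port (UDP and TCP) per the advisory
TRUSTED_NETS = [ip_network("10.0.0.0/8")]  # assumption: what counts as a trusted network

# Constructed flow records, not real traffic. The column layout is an assumption.
SAMPLE_FLOWS = """\
src,sport,dst,dport,proto,bytes
198.51.100.7,40112,10.0.5.20,427,udp,29
10.0.5.20,427,198.51.100.7,40112,udp,61480
10.0.5.31,51000,10.0.5.30,427,udp,60
10.0.5.30,427,10.0.5.31,51000,udp,210
203.0.113.9,33000,10.0.5.40,427,udp,58
10.0.5.40,427,203.0.113.9,33000,udp,190
192.0.2.4,44000,10.0.5.50,427,tcp,120
"""

def is_trusted(addr):
    return any(ip_address(addr) in net for net in TRUSTED_NETS)

def audit_slp_flows(flow_csv, min_ratio=10.0):
    """Report every host that exchanged port-427 traffic with an untrusted peer,
    with byte counts, reply/request ratio and an 'amplifying' flag."""
    stats = defaultdict(lambda: {"bytes_in": 0, "bytes_out": 0})
    for row in csv.DictReader(io.StringIO(flow_csv)):
        size = int(row["bytes"])
        if int(row["dport"]) == SLP_PORT and not is_trusted(row["src"]):
            stats[row["dst"]]["bytes_in"] += size    # request reaching an SLP daemon
        elif (row["proto"] == "udp" and int(row["sport"]) == SLP_PORT
              and not is_trusted(row["dst"])):
            stats[row["src"]]["bytes_out"] += size   # UDP reply leaving the trusted network
    report = {}
    for server, s in stats.items():
        # Replies with no recorded request are treated as an infinite ratio.
        ratio = s["bytes_out"] / s["bytes_in"] if s["bytes_in"] else float("inf")
        report[server] = {**s, "ratio": round(ratio, 1), "amplifying": ratio >= min_ratio}
    return report

if __name__ == "__main__":
    for server, result in sorted(audit_slp_flows(SAMPLE_FLOWS).items()):
        print(server, result)
```

Any host that appears in the report is reachable on port 427 from outside the trusted range and is a candidate for disabling SLP or tightening the filter; hosts flagged as amplifying should be handled first.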

References: NIST
