The Service Location Protocol (SLP) is intended to allow the automated discovery of shared services within a local area network (LAN) without the need for prior configuration on the part of client systems. Its primary use to date has been to facilitate the identification and use of shared network printers.
The vulnerability, CVE-2023-29552 (CVSS score: 8.6), is said to impact more than 2,000 global organizations and over 54,000 SLP instances that are accessible over the internet.
These include VMware ESXi Hypervisor, Konica Minolta printers, Planex Routers, IBM Integrated Management Module (IMM), SMC IPMI, and 665 other product types.
The collateral impact of SLP reflection/amplification attacks is potentially significant for organizations whose internet-exposed VMware ESXi servers or other SLP-enabled systems can be abused as DDoS reflectors/amplifiers. This may include partial or full interruption of all applications and services in all virtual machines (VMs) running on these systems, as well as additional service disruption due to transit capacity consumption, state-table exhaustion of NATs and stateful firewalls, etc.
“This flaw is easily exploitable and should be considered particularly dangerous to the global community given the large-scale amplification that can be achieved,” Pedro Umbelino, principal security researcher at BitSight, said via email.
Currently supported services, including the ESXi 7.x and 8.x lines, are not impacted by the amplification attack, according to VMware.
All potential DDoS attack mitigation/suppression measures described in this document *MUST* be tested and customized in a situationally-appropriate manner prior to deployment on production networks.
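To check whether one of your own SLP-enabled systems is being abused as a reflector as described above, the following added example (not from the original article or from any vendor) scans flow records for internal hosts answering on SLP's registered port, UDP/427, toward external addresses with far more bytes than they received. The flow tuple layout, the internal prefix, the thresholds and the sample records are all constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

SLP_PORT = 427                          # SLP's registered port (RFC 2608)
INTERNAL = [ip_network("10.0.0.0/8")]   # assumption: the site's own address space
MIN_RATIO = 10.0                        # assumption: response/request byte ratio worth alerting on
MIN_BYTES_OUT = 50_000                  # assumption: ignore small, legitimate exchanges

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, proto, bytes)
FLOWS = [
    ("203.0.113.50", 40000, "10.1.1.20", 427, "udp", 2_900),       # small requests from outside
    ("10.1.1.20", 427, "203.0.113.50", 40000, "udp", 6_400_000),   # very large replies going out
    ("10.1.1.7", 51000, "10.1.1.30", 427, "udp", 600),             # LAN printer discovery
    ("10.1.1.30", 427, "10.1.1.7", 51000, "udp", 1_800),
    ("10.1.1.20", 443, "198.51.100.9", 52000, "tcp", 9_000_000),   # not SLP
]

def is_internal(addr):
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL)

def find_slp_reflectors(flows, min_ratio=MIN_RATIO, min_bytes_out=MIN_BYTES_OUT):
    """Return {(internal_host, external_peer): (bytes_in, bytes_out, ratio)}."""
    bytes_in = defaultdict(int)    # external -> internal UDP/427 (requests)
    bytes_out = defaultdict(int)   # internal UDP/427 -> external (responses)
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto != "udp":
            continue
        if dport == SLP_PORT and is_internal(dst) and not is_internal(src):
            bytes_in[(dst, src)] += nbytes
        elif sport == SLP_PORT and is_internal(src) and not is_internal(dst):
            bytes_out[(src, dst)] += nbytes
    alerts = {}
    for pair, out in bytes_out.items():
        inn = bytes_in.get(pair, 0)
        ratio = out / max(inn, 1)  # avoid division by zero if requests were not captured
        if out >= min_bytes_out and ratio >= min_ratio:
            alerts[pair] = (inn, out, round(ratio, 1))
    return alerts

if __name__ == "__main__":
    for (host, peer), (i, o, r) in find_slp_reflectors(FLOWS).items():
        print(f"{host} sent {o} B from UDP/427 to {peer} ({i} B in, ratio {r}x)")
```

Any host this flags is reachable on UDP/427 from outside the network, which is itself the exposure the article describes, regardless of the traffic ratio.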