Bug 2183534 (CVE-2023-29552)

Summary: CVE-2023-29552 openslp: Reflective denial of service amplification attack via UDP
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW
QA Contact:
Severity: high
Docs Contact: Šárka Jana <sjanderk>
Priority: high
Version: unspecified
CC: sjanderk, vcrhonek, ymittal
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Known Issue
Doc Text:
.The Service Location Protocol (SLP) is vulnerable to an attack through UDP

The OpenSLP provides a dynamic configuration mechanism for applications in local area networks, such as printers and file servers. However, SLP is vulnerable to a reflective denial of service amplification attack through UDP on systems connected to the internet. SLP allows an unauthenticated attacker to register new services without limits set by the SLP implementation. By using UDP and spoofing the source address, an attacker can request the service list, creating a Denial of Service on the spoofed address. To prevent external attackers from accessing the SLP service, disable SLP on all systems running on untrusted networks, such as those directly connected to the internet. Alternatively, to work around this problem, configure firewalls to block or filter traffic on UDP and TCP port 427.
Bug Depends On: 2184567, 2184568, 2184569, 2184570, 2184571, 2189600    
Bug Blocks: 2183535    

Description Pedro Sampaio 2023-03-31 14:22:51 UTC
Service Location Protocol (SLP) is vulnerable to a reflective denial of service amplification attack via UDP. SLP allows an unauthenticated attacker to register new services up to whatever limits are set by the SLP implementation. Using UDP and spoofing the source address, an attacker can request the service list, creating a DoS attack on the spoofed address. The amplification factor can reach 2200x.

Comment 2 Sandipan Roy 2023-04-25 16:28:33 UTC
Created openslp tracking bugs for this issue:

Affects: fedora-all [bug 2189600]

Comment 4 Vitezslav Crhonek 2023-06-19 10:20:09 UTC
This flaw is a network protocol design flaw; a software fix is not easily possible.

SLP was not intended to be made available to the public Internet. According to RFC 2165 ([1]):
"Service Location provides a dynamic configuration mechanism for
applications in local area networks.  It is not a global resolution
system for the entire Internet; rather it is intended to serve
enterprise networks with shared services."

SLP should be disabled on all systems running on untrusted networks, like those directly connected to the Internet.
If that is not possible, then firewalls should be configured to block or filter traffic on UDP and TCP port 427.
This will prevent external attackers from accessing the SLP service.

[1] https://datatracker.ietf.org/doc/html/rfc2165
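
Added example, not part of the original bug report and not OpenSLP code: a detection sketch for the pattern described above, run over UDP datagrams captured at an SLP server on port 427. It assumes the SLPv2 header layout and function IDs from RFC 2608 (not cited on this page); the trusted network, the ratio threshold, the helper names and the sample capture are constructed for illustration.

```python
import ipaddress
import struct
from collections import defaultdict

SLP_PORT = 427                                  # port named in the bug report
REQUESTS, REPLIES, SRVREG = {1, 9}, {2, 10}, 3  # SLPv2 function IDs (RFC 2608)

def parse_header(payload):
    """Return (function_id, declared_length, xid) of an SLPv2 message, or None."""
    if len(payload) < 14 or payload[0] != 2:    # too short, or not version 2
        return None
    length = int.from_bytes(payload[2:5], "big")
    xid = struct.unpack_from("!H", payload, 10)[0]
    return payload[1], length, xid

def audit(datagrams, trusted="10.0.0.0/8", ratio_threshold=10.0):
    """Summarise (src_ip, src_port, dst_ip, dst_port, payload) tuples.

    Returns peers whose reply/request byte ratio reaches the threshold, and
    the sources of service registrations arriving from outside `trusted`.
    """
    net = ipaddress.ip_network(trusted)         # assumed trusted LAN range
    req, rep, outside_regs = defaultdict(int), defaultdict(int), []
    for src, sport, dst, dport, payload in datagrams:
        hdr = parse_header(payload)
        if hdr is None:
            continue
        fid = hdr[0]
        if dport == SLP_PORT and fid in REQUESTS:
            req[src] += len(payload)            # bytes the peer appears to send
        elif dport == SLP_PORT and fid == SRVREG:
            if ipaddress.ip_address(src) not in net:
                outside_regs.append(src)
        elif sport == SLP_PORT and fid in REPLIES:
            rep[dst] += len(payload)            # bytes the server sends back
    amplified = {p: round(b / max(req[p], 1), 1) for p, b in rep.items()
                 if b / max(req[p], 1) >= ratio_threshold}
    return {"amplified": amplified, "outside_registrations": outside_regs}

def sample_message(fid, xid, body_len):
    """Constructed message: SLPv2 header, language tag 'en', zero-filled body."""
    return (bytes([2, fid]) + (16 + body_len).to_bytes(3, "big") + bytes(5)
            + struct.pack("!HH", xid, 2) + b"en" + bytes(body_len))

# Constructed capture using documentation address ranges; server is 192.0.2.10.
SAMPLE = [
    ("203.0.113.9", 40000, "192.0.2.10", 427, sample_message(3, 1, 200)),
    ("198.51.100.7", 5000, "192.0.2.10", 427, sample_message(9, 2, 13)),
    ("192.0.2.10", 427, "198.51.100.7", 5000, sample_message(10, 2, 1400)),
    ("10.0.0.5", 5001, "192.0.2.10", 427, sample_message(1, 3, 34)),
    ("192.0.2.10", 427, "10.0.0.5", 5001, sample_message(2, 3, 64)),
]
REPORT = audit(SAMPLE)
```

Because the request source can be spoofed, a peer listed under `amplified` is the likely target of the reflected traffic rather than its origin.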

Comment 7 Šárka Jana 2023-08-10 12:22:20 UTC
Hi @msiddiqu please do not change any markup in the Doc Text field. Thank you.