Bug 2183534 (CVE-2023-29552) - CVE-2023-29552 openslp: Reflective denial of service amplification attack via UDP
Keywords:
Status: NEW
Alias: CVE-2023-29552
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Nobody
QA Contact:
Šárka Jana
URL:
Whiteboard:
Depends On: 2189600 2184567 2184568 2184569 2184570 2184571
Blocks: 2183535
 
Reported: 2023-03-31 14:22 UTC by Pedro Sampaio
Modified: 2023-11-10 11:32 UTC

Fixed In Version:
Doc Type: Known Issue
Doc Text:
.The Service Location Protocol (SLP) is vulnerable to an attack through UDP

OpenSLP provides a dynamic configuration mechanism for applications in local area networks, such as printers and file servers. However, SLP is vulnerable to a reflective denial of service amplification attack through UDP on systems connected to the internet. SLP allows an unauthenticated attacker to register new services without limits set by the SLP implementation. By using UDP and spoofing the source address, an attacker can request the service list, creating a Denial of Service on the spoofed address.

To prevent external attackers from accessing the SLP service, disable SLP on all systems running on untrusted networks, such as those directly connected to the internet. Alternatively, to work around this problem, configure firewalls to block or filter traffic on UDP and TCP port 427.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Pedro Sampaio 2023-03-31 14:22:51 UTC
Service Location Protocol (SLP) is vulnerable to a reflective denial of service amplification attack via UDP. SLP allows an unauthenticated attacker to register new services up to whatever limits are set by the SLP implementation. Using UDP and spoofing the source address, an attacker can request the service list, creating a DoS attack on the spoofed address. The amplification factor can reach 2200x.

Comment 2 Sandipan Roy 2023-04-25 16:28:33 UTC
Created openslp tracking bugs for this issue:

Affects: fedora-all [bug 2189600]

Comment 4 Vitezslav Crhonek 2023-06-19 10:20:09 UTC
This flaw is a network protocol design flaw, a software fix is not easily possible.

SLP was not intended to be made available to the public Internet. According to RFC 2165 ([1]):
"Service Location provides a dynamic configuration mechanism for
applications in local area networks.  It is not a global resolution
system for the entire Internet; rather it is intended to serve
enterprise networks with shared services."

SLP should be disabled on all systems running on untrusted networks, like those directly connected to the Internet.
If that is not possible, then firewalls should be configured to block or filter traffic on UDP and TCP port 427.
This will prevent external attackers from accessing the SLP service.

[1] https://datatracker.ietf.org/doc/html/rfc2165
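
An added example, not part of this bug report or of OpenSLP: a shell check for the mitigation in comment 4 that reads `ss -H -lntu` output and lists every UDP or TCP listener on port 427 that is not bound to loopback. The function names are hypothetical and the socket table is constructed sample data.

```shell
#!/bin/sh
# Audit for SLP exposure: report listeners on port 427 (UDP and TCP)
# that are reachable from outside the host.
# Live usage on a Linux host with iproute2:  ss -H -lntu | slp_exposed
SLP_PORT=427

# Reads `ss -H -lntu` lines on stdin (column 5 = local address:port) and
# prints "<proto> <address>" for each non-loopback listener on SLP_PORT.
slp_exposed() {
    awk -v port="$SLP_PORT" '
    {
        la = $5
        if (!match(la, /:[0-9]+$/)) next      # no numeric port on this line
        p    = substr(la, RSTART + 1)         # text after the last colon
        addr = substr(la, 1, RSTART - 1)      # everything before it
        sub(/%.*$/, "", addr)                 # drop a %interface scope suffix
        if (p != port) next                   # exact match: 4270 is not 427
        if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only
        print $1, addr
    }'
}

# Constructed sample of `ss -H -lntu` output (not captured from a real host).
sample_ss_output() {
    cat <<'EOF'
udp   UNCONN 0      0            0.0.0.0:427        0.0.0.0:*
tcp   LISTEN 0      5            0.0.0.0:427        0.0.0.0:*
udp   UNCONN 0      0          127.0.0.1:323        0.0.0.0:*
tcp   LISTEN 0      128             [::]:22            [::]:*
udp   UNCONN 0      0              [::1]:427           [::]:*
udp   UNCONN 0      0    192.0.2.10%eth0:427        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:4270       0.0.0.0:*
EOF
}

# Run the audit over the sample table; any output line is a socket that
# should be closed (SLP disabled) or filtered at the firewall.
sample_ss_output | slp_exposed
```

An empty result means nothing on the host is listening on port 427 outside loopback; it does not show whether an upstream firewall filters the port.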

Comment 7 Šárka Jana 2023-08-10 12:22:20 UTC
Hi @msiddiqu please do not change any markup in the Doc Text field. Thank you.

