[CDP-development] TLP:GREEN - (Vulnerability Alert Notification) - CVE-2023-29552 Service Location Protocol (SLP) Denial-of-Service Vulnerability
CSS Security Operations Services * DAS
css-soc-services at das.oregon.gov
Wed Nov 8 10:33:16 PST 2023
Good morning,
The SOC Services team is reporting on the vulnerability: CVE-2023-29552: Service Location Protocol (SLP) Denial-of-Service Vulnerability. Due to its high visibility and knowledge of the software installed in the state environment, we are providing this in-depth information:
History: On November 8, 2023, CISA added CVE-2023-29552, a vulnerability with a CVSS score of 7.5, to the Known Exploited Vulnerabilities Catalog. The Service Location Protocol (SLP, RFC 2608) allows an unauthenticated, remote attacker to register arbitrary services.
This vulnerability is not vendor specific, thus detailed patch information cannot be provided. Please check with your software vendors for additional guidance.
This list does not include all vendors; please check with your software providers for additional information.
Vulnerable software versions:
* Red Hat Enterprise Linux 6 (openslp package)
* Red Hat Enterprise Linux 7 (openslp package)
* Red Hat Enterprise Linux 9 (openslp package)
* Unsupported ESXi releases
Not affected software versions:
* Red Hat Enterprise Linux 8 (openslp package)
* Currently supported ESXi releases (ESXi 7.x and 8.x)
Intelligence: As of November 8, 2023, the vulnerability has been confirmed as being exploited in the wild.
Workarounds: To prevent external attackers from accessing the SLP service, disable SLP on all systems running on untrusted networks, such as those directly connected to the internet. Additionally, configure firewalls to block or filter traffic on UDP and TCP port 427.
How it works: OpenSLP provides a dynamic configuration mechanism for applications in local area networks, such as printers and file servers. However, SLP is vulnerable to a reflective denial-of-service amplification attack through UDP on systems connected to the internet. SLP allows an unauthenticated attacker to register new services without limits set by the SLP implementation. By using UDP and spoofing the source address, an attacker can request the service list, creating a denial of service on the spoofed address.
Post-Exploit: Upon successful exploitation of the vulnerability, a threat actor could execute arbitrary Java code or possibly system code.
As of May 23, 2023, the following vulnerability plugin has been released and is currently in Tenable Security Center:
Plugin | Title | Severity
176249 <https://www.tenable.com/plugins/nessus/176249> | ESXi < 7.0 Reflected Denial of Service | High
Recommended Actions:
* Check for the vulnerability with your software providers.
* Verify the host has not been compromised before applying patches.
* Apply appropriate updates provided by the vendor to vulnerable systems immediately after appropriate testing.
* Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
* Apply the Principle of Least Privilege to all systems and services.
Cyber Security Services
State of Oregon Cyber Security Services
Enterprise Information Services | SOC
Cyber Security Services (CSS)
SOC Hotline: (503) 378-5930 | SOC Services (503) 373-0378
"Ensuring user-friendly, reliable and secure state technology systems that serve Oregonians."
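The following is an added detection example, not part of the original alert: it triages traffic captured on port 427 for the two behaviours described under "How it works", service registrations from outside trusted networks and replies much larger than the request that triggered them. The header offsets follow RFC 2608; the trusted range, the ratio threshold, the `(src, dst, payload)` tuple format and the sample traffic are assumptions constructed for illustration.

```python
import ipaddress

FUNCS = {1: "SrvRqst", 2: "SrvRply", 3: "SrvReg", 4: "SrvDeReg", 5: "SrvAck",
         6: "AttrRqst", 7: "AttrRply", 8: "DAAdvert", 9: "SrvTypeRqst",
         10: "SrvTypeRply", 11: "SAAdvert"}  # SLPv2 function IDs (RFC 2608)
REPLIES = {"SrvRply", "AttrRply", "SrvTypeRply"}
TRUSTED = [ipaddress.ip_network("10.20.0.0/16")]  # assumption: internal SLP clients
MAX_RATIO = 5.0  # assumption: reply/request size ratio worth alerting on

def parse_header(payload):
    """Return (function name, XID) from an SLPv2 header, or None if not SLPv2."""
    if len(payload) < 14 or payload[0] != 2:  # 14 fixed header bytes, version 2
        return None
    return FUNCS.get(payload[1], "unknown"), int.from_bytes(payload[10:12], "big")

def trusted(addr):
    return any(ipaddress.ip_address(addr) in net for net in TRUSTED)

def triage(packets):
    """packets: (src, dst, payload) tuples seen on port 427. Returns alerts."""
    alerts, requests = [], {}
    for src, dst, payload in packets:
        parsed = parse_header(payload)
        if parsed is None:
            continue
        func, xid = parsed
        if func in ("SrvReg", "SrvDeReg") and not trusted(src):
            alerts.append(("untrusted-registration", src, func))
        elif func in REPLIES:
            # With UDP the request source may be spoofed, so dst is the likely victim.
            req_len = requests.get((dst, xid))
            if req_len and not trusted(dst) and len(payload) / req_len > MAX_RATIO:
                alerts.append(("amplified-reply", dst, round(len(payload) / req_len, 1)))
        elif func.endswith("Rqst"):
            requests[(src, xid)] = len(payload)
    return alerts

def sample(func_id, size, xid):
    """Constructed input: 16-byte header with 'en' language tag, zero padded."""
    head = bytes([2, func_id]) + size.to_bytes(3, "big") + bytes(5)
    return (head + xid.to_bytes(2, "big") + b"\x00\x02en").ljust(size, b"\x00")

SAMPLE = [  # constructed traffic; external addresses are documentation ranges
    ("10.20.1.5", "10.20.0.9", sample(1, 40, 7)),
    ("10.20.0.9", "10.20.1.5", sample(2, 90, 7)),
    ("198.51.100.7", "10.20.0.9", sample(3, 300, 8)),
    ("203.0.113.50", "10.20.0.9", sample(9, 30, 9)),
    ("10.20.0.9", "203.0.113.50", sample(10, 1400, 9)),
]
```

Calling `triage(SAMPLE)` returns one alert for the external registration and one for the oversized reply; internal request/reply pairs are ignored.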