CISA Warns of Service Location Protocol (SLP) Denial-of-Service Vulnerability (CVE-2023-29552)

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released an alert for a vulnerability in the Service Location Protocol (SLP). Tracked as CVE-2023-29552, it has been given a high severity rating with a CVSS score of 7.8. Successful exploitation of the vulnerability allows an attacker to launch a denial-of-service attack. CISA has added the vulnerability to its Known Exploited Vulnerabilities Catalog and is requesting that users patch it before November 29, 2023.

Security researchers from Bitsight and Curesec jointly discovered the vulnerability in April. Bitsight has stated in its blog that it found over 2,000 organizations worldwide and over 54,000 SLP instances, including VMware ESXi Hypervisor, Konica Minolta printers, Planex routers, IBM Integrated Management Module (IMM), SMC IPMI, and others, that were exposed and vulnerable to DoS attacks.

SLP provides a dynamic service-discovery and configuration mechanism for applications on local area networks. Systems on a network can locate one another and communicate using SLP. To accomplish this, SLP maintains a directory of available services, which may include file servers, printers, and other network resources.

VMware addressed a reflective denial-of-service amplification vulnerability in SLP for ESXi in April 2023. An attacker may exploit this vulnerability to stage a DoS attack with a high amplification factor, and a reflection DoS amplification attack of this kind can cause severe disruption to the targeted network and/or server.

Affected versions

The vulnerability affects VMware ESXi version 6.7.x.

Mitigation

Customers are advised to upgrade to VMware ESXi 7.0 U2c or newer, or ESXi 8.0 GA or newer, to patch the vulnerability.

For more information, please refer to the VMware Blog.

Evaluate Vendor-Suggested Mitigation with Policy Compliance (PC)

Qualys Policy Compliance's out-of-the-box Mitigation or Compensatory Controls reduce the risk of a vulnerability being exploited when the remediation (fix/patch) cannot be applied right away. These security controls are not prescribed by industry standards such as CIS or DISA STIG.

The Qualys Policy Compliance team releases these exclusive controls based on the vendor-suggested mitigation or workaround.

Mitigation refers to a setting, common configuration, or general best practice, present in a default state, that could reduce the severity of exploitation of a vulnerability.

A workaround is a method, sometimes used temporarily, for achieving a task or goal when the usual or planned method is not working. Information technology teams often use a workaround to overcome hardware, programming, or communication problems. Once the underlying problem is fixed, the workaround is usually abandoned.

The following Qualys Policy Compliance Control IDs (CIDs) and System Defined Controls (SDC) have been published to support the evaluation of recommended mitigations:

  • 22453 Status of the ‘SLPD Service’ running on the ESXi host
  • 22451 Status of the ‘SLPD Service’ startup policy on the ESXi host
  • 22403 Status of the ‘SLPD Service’ service on the system
  • 26962 Status of the ‘SLPD service’ using chkconfig
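As an added example (not Qualys' control logic or VMware's own code), the following POSIX shell script evaluates on an ESXi host the same conditions the controls above describe: whether slpd is running and whether it is set to start at boot (via chkconfig), plus whether the CIMSLP firewall ruleset is still open. The output formats it parses for `/etc/init.d/slpd status`, `chkconfig --list` and `esxcli network firewall ruleset list` are assumptions about typical ESXi shell output.

```shell
#!/bin/sh
# Added example (not Qualys control logic or VMware code): audit the SLPD
# mitigation state on an ESXi host. The output formats parsed below are
# assumptions about typical ESXi shell output, not taken from the advisory.

# "/etc/init.d/slpd status" is assumed to print "slpd is running" or
# "slpd is not running". Returns 0 when the daemon is running.
slpd_running() {
  case "$1" in
    *"is running"*) return 0 ;;
    *) return 1 ;;
  esac
}

# "chkconfig --list" is assumed to print one "<service> on|off" line per
# service. Returns 0 when slpd is set to start at boot.
slpd_enabled_at_boot() {
  echo "$1" | awk '$1 == "slpd" && $2 == "on" { found = 1 } END { exit !found }'
}

# "esxcli network firewall ruleset list -r CIMSLP" is assumed to print a
# "Name Enabled" table with a "CIMSLP true|false" row. Returns 0 when open.
cimslp_ruleset_open() {
  echo "$1" | awk '$1 == "CIMSLP" && $2 == "true" { found = 1 } END { exit !found }'
}

# Combine the three checks: prints PASS (exit 0) when SLP is fully disabled,
# otherwise FAIL plus the conditions that still expose port 427 (exit 1).
evaluate_slp_mitigation() {
  findings=""
  slpd_running "$1" && findings="$findings slpd-running"
  slpd_enabled_at_boot "$2" && findings="$findings slpd-starts-at-boot"
  cimslp_ruleset_open "$3" && findings="$findings CIMSLP-ruleset-open"
  if [ -z "$findings" ]; then
    echo "PASS: SLPD stopped, disabled at boot, CIMSLP ruleset closed"
    return 0
  fi
  echo "FAIL:$findings"
  return 1
}

# Live run, only when the ESXi tools are present (a no-op elsewhere).
if [ -x /etc/init.d/slpd ] && command -v chkconfig >/dev/null 2>&1 \
   && command -v esxcli >/dev/null 2>&1; then
  evaluate_slp_mitigation "$(/etc/init.d/slpd status 2>&1)" \
    "$(chkconfig --list 2>&1)" \
    "$(esxcli network firewall ruleset list -r CIMSLP 2>&1)"
fi
```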

Qualys Detection

Qualys customers can scan their devices with QIDs 216311 and 216312 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References
https://www.bitsight.com/blog/new-high-severity-vulnerability-cve-2023-29552-discovered-service-location-protocol-slp
https://blogs.vmware.com/security/2023/04/vmware-response-to-cve-2023-29552-reflective-denial-of-service-dos-amplification-vulnerability-in-slp.html
