
Cloud Vulnerability DB
A community-led vulnerabilities database
The Service Location Protocol (SLP, RFC 2608) vulnerability (CVE-2023-29552) was discovered in April 2023 by researchers from Bitsight and Curesec. This high-severity vulnerability allows an unauthenticated, remote attacker to register arbitrary services, enabling them to conduct denial-of-service attacks with a significant amplification factor. The vulnerability affects over 54,000 SLP instances across more than 2,000 global organizations, including systems such as VMware ESXi Hypervisor, Konica Minolta printers, Planex Routers, IBM Integrated Management Module, and SMC IPMI (Bitsight Blog).
The vulnerability has a CVSS score of 7.5 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The attack leverages SLP's feature that allows unauthenticated users to register arbitrary services. While typical SLP responses result in an amplification factor between 1.6x and 12x, by manipulating service registration, attackers can achieve an amplification factor as high as 2,200x, making it potentially one of the largest amplification attacks ever reported. The attack involves finding an SLP server on UDP port 427, registering services until the SLP server denies more entries, and then using spoofed UDP traffic to direct the amplified response to the victim (Bitsight Blog, CISA Alert).
Successful exploitation of this vulnerability could lead to massive Denial-of-Service (DoS) attacks, potentially causing significant financial, reputational, and operational harm to targeted organizations. Small to medium-sized businesses could face average costs of $120,000 per attack, with larger organizations potentially facing even greater financial losses due to service disruptions (Bitsight Blog).
Organizations should implement the following mitigations:
1) Disable SLP on all systems running on untrusted networks, particularly those directly connected to the Internet.
2) Configure firewalls to filter traffic on UDP and TCP port 427.
3) For VMware ESXi systems, upgrade to supported release lines (ESXi 7.0 U2c and newer, and ESXi 8.0 GA and newer) where SLP service is hardened and disabled by default.
(VMware Blog, Bitsight Blog)
VMware has responded by confirming that currently supported ESXi releases (ESXi 7.x and 8.x lines) are not impacted, while older versions that have reached end of general support are vulnerable. CISA has conducted extensive outreach to potentially impacted vendors and added the vulnerability to its Known Exploited Vulnerabilities catalog (VMware Blog).
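For defenders who cannot disable SLP immediately, the following added example (not taken from the advisories cited above) reviews datagrams captured on UDP port 427: it parses the SLPv2 header defined in RFC 2608, flags service registrations arriving from outside trusted networks, and flags replies larger than the 12x upper bound of typical SLP amplification quoted above. The function names, the trusted network list and the sample traffic are assumptions constructed for illustration.

```python
import ipaddress

# SLPv2 function IDs (RFC 2608)
SLP_FUNCS = {1: "SrvRqst", 2: "SrvRply", 3: "SrvReg", 4: "SrvDeReg", 5: "SrvAck",
             6: "AttrRqst", 7: "AttrRply", 8: "DAAdvert", 9: "SrvTypeRqst",
             10: "SrvTypeRply", 11: "SAAdvert"}
REPLIES = {"SrvRply", "AttrRply", "SrvTypeRply"}

def parse_slp_header(payload):
    """Return (function name, XID) for an SLPv2 datagram, else None."""
    if len(payload) < 14 or payload[0] != 2 or payload[1] not in SLP_FUNCS:
        return None
    # Layout: version(1) function(1) length(3) flags(2) ext-offset(3) XID(2) lang-len(2)
    return SLP_FUNCS[payload[1]], int.from_bytes(payload[10:12], "big")

def review_datagrams(datagrams, trusted_nets, max_ratio=12.0):
    """datagrams: (src_ip, dst_ip, udp_payload) tuples captured on UDP/427."""
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    pending, findings = {}, []  # pending: (client, server, xid) -> request size
    for src, dst, payload in datagrams:
        hdr = parse_slp_header(payload)
        if hdr is None:
            continue
        func, xid = hdr
        if func == "SrvReg":
            if not any(ipaddress.ip_address(src) in n for n in trusted):
                findings.append(("untrusted-registration", src, xid))
        elif func in REPLIES:
            req_len = pending.pop((dst, src, xid), None)
            if req_len and len(payload) / req_len > max_ratio:
                findings.append(("amplified-reply", dst, round(len(payload) / req_len, 1)))
        elif func.endswith("Rqst"):
            pending[(src, dst, xid)] = len(payload)
    return findings

def sample(func_id, xid, body_len):
    """Constructed datagram: SLPv2 header, 'en' language tag, zero-filled body."""
    total = 16 + body_len
    return (bytes([2, func_id]) + total.to_bytes(3, "big") + bytes(5)
            + xid.to_bytes(2, "big") + b"\x00\x02en" + bytes(body_len))

TRUSTED = ["10.0.0.0/8", "192.0.2.0/24"]  # assumed internal ranges
SAMPLE = [  # constructed traffic using documentation address ranges
    ("203.0.113.7", "192.0.2.10", sample(3, 1, 200)),    # SrvReg from outside
    ("198.51.100.5", "192.0.2.10", sample(9, 2, 13)),    # 29-byte SrvTypeRqst
    ("192.0.2.10", "198.51.100.5", sample(10, 2, 6000)), # 6016-byte SrvTypeRply
    ("10.0.0.5", "192.0.2.10", sample(1, 3, 30)),        # internal SrvRqst
    ("192.0.2.10", "10.0.0.5", sample(2, 3, 60)),        # ordinary-sized reply
]
```

Because the source address of a reflected request is spoofed, the address reported in an `amplified-reply` finding is the recipient of the large reply, that is, the likely target rather than the sender.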
Source: This report was generated using AI