CVE-2023-29552 Overview
The Service Location Protocol (SLP, RFC 2608) contains a critical vulnerability that allows an unauthenticated, remote attacker to register arbitrary services. This flaw enables attackers to leverage spoofed UDP traffic to conduct denial-of-service attacks with a significant amplification factor. SLP is a legacy service discovery protocol commonly used in enterprise environments to allow systems to locate services on a local network without prior configuration.
Critical Impact
This vulnerability is actively exploited in the wild and has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog. Attackers can achieve massive traffic amplification (reported up to 2,200x) for devastating DDoS attacks against targeted infrastructure.
Affected Products
- VMware ESXi (all versions with SLP enabled)
- SUSE Linux Enterprise Server (versions 11, 12, and 15)
- SUSE Manager Server
- NetApp SMI-S Provider
- Service Location Protocol implementations (RFC 2608)
Discovery Timeline
- April 25, 2023 - CVE-2023-29552 published to NVD
- April 25, 2023 - CISA issues alert on Service Location Protocol abuse
- October 31, 2025 - Last updated in NVD database
Technical Details for CVE-2023-29552
Vulnerability Analysis
This vulnerability exists within the Service Location Protocol's design, which lacks authentication mechanisms for service registration. The protocol was designed for internal network service discovery but has been increasingly exposed to the internet on enterprise systems, particularly VMware ESXi hypervisors. When SLP services are accessible from the internet on UDP port 427, attackers can exploit the protocol's response characteristics to amplify malicious traffic.
The amplification occurs because SLP responses can be significantly larger than the initial requests. An attacker can craft small SLP requests that generate disproportionately large responses, which are then directed at a victim IP address through IP spoofing. Research indicates amplification factors as high as 2,200x are achievable, making this one of the most potent amplification vectors discovered.
Root Cause
The fundamental root cause lies in the SLP protocol design itself (RFC 2608), which does not require authentication for service registration or querying. The protocol allows any party to:
- Register arbitrary services with the SLP directory agent
- Query for services and receive potentially large response payloads
- Send requests via UDP, which is susceptible to IP address spoofing
The combination of unauthenticated access, UDP-based communication, and variable response sizes creates the conditions necessary for amplification-based denial-of-service attacks.
Attack Vector
The attack leverages network-accessible SLP services exposed on UDP port 427. Attackers scan the internet for exposed SLP services, register numerous fake services to inflate response sizes, then send spoofed requests with the victim's IP as the source address. The SLP servers respond to the victim with amplified traffic, overwhelming the target's network capacity.
The attack flow involves:
- Attacker identifies internet-exposed SLP services through scanning
- Attacker registers multiple fake services to increase response payload size
- Attacker sends SLP requests with spoofed source IP (victim's address)
- SLP servers respond with amplified traffic directed at the victim
- Victim's infrastructure is overwhelmed by the reflected traffic
Detection Methods for CVE-2023-29552
Indicators of Compromise
- Unexpected outbound traffic spikes on UDP port 427 from SLP-enabled systems
- Large numbers of SLP service registrations from external IP addresses
- Unusual SLP query patterns indicating reconnaissance or amplification attempts
- Network traffic logs showing UDP port 427 responses to external addresses
Detection Strategies
- Monitor firewall logs for inbound connections to UDP port 427 from untrusted networks
- Implement network intrusion detection rules for anomalous SLP traffic patterns
- Deploy SentinelOne Singularity platform for endpoint visibility on ESXi and Linux hosts
- Audit systems for SLP service exposure using port scanning tools
Monitoring Recommendations
- Configure SIEM alerts for UDP port 427 traffic anomalies
- Monitor bandwidth utilization for signs of amplification attack participation
- Review SLP service logs for unauthorized service registrations
- Implement NetFlow or sFlow analysis to detect reflective traffic patterns
How to Mitigate CVE-2023-29552
Immediate Actions Required
- Disable SLP service on all systems where it is not required for business operations
- Block UDP port 427 at network perimeter firewalls to prevent external access
- Configure host-based firewalls to restrict SLP access to trusted internal networks only
- Audit all VMware ESXi hosts and Linux servers for SLP service status
Patch Information
Vendors have released guidance and updates to address this vulnerability. VMware recommends disabling SLP on ESXi hosts or restricting access via firewall rules. SUSE has provided configuration guidance through their Knowledge Base Article. NetApp has issued Security Advisory NTAP-20230426-0001 with specific remediation steps for SMI-S Provider deployments.
Organizations should review the VMware Security Response and the CISA Alert for comprehensive mitigation guidance.
Workarounds
- Disable SLP daemon/service using systemctl stop slpd && systemctl disable slpd on Linux systems
- For VMware ESXi, stop the SLP service using /etc/init.d/slpd stop and disable it in firewall rules
- Implement network segmentation to isolate systems requiring SLP from internet-facing networks
- Deploy rate limiting on SLP responses to reduce amplification potential
# Disable SLP on VMware ESXi
/etc/init.d/slpd stop
esxcli network firewall ruleset set -r CIMSLP -e false
chkconfig slpd off
# Disable SLP on SUSE Linux Enterprise Server
systemctl stop slpd
systemctl disable slpd
# Block SLP at firewall (iptables example)
iptables -A INPUT -p udp --dport 427 -j DROP
iptables -A OUTPUT -p udp --sport 427 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
