CVE-2023-29552 — Service Location Protocol (SLP) Denial-of-Service Vulnerability

CVE-2023-29552

IETF Service Location Protocol (SLP) — Up to 2,200x UDP Reflection Amplification; Affects Enterprise Printers, ESXi, and Hundreds of Other Products

What is the Service Location Protocol?

Service Location Protocol (SLP) is an IETF-standardized network protocol (RFC 2608, 1999) designed to let computers automatically discover services on a local area network without manual configuration — the equivalent of a network-wide "yellow pages." SLP runs on port 427 over both UDP and TCP. SLP agents come in three roles: User Agents (clients looking for services), Service Agents (servers advertising services), and Directory Agents (centralizing service listings for large networks).

SLP was widely embedded in enterprise and industrial equipment throughout the 2000s and 2010s: network printers, copiers, VMware ESXi hypervisors, IBM integrated management modules, and countless other network-attached devices ship with SLP enabled by default, often on management interfaces that face internal networks — and sometimes the internet.

Overview

CVE-2023-29552 is a reflection/amplification denial-of-service vulnerability in SLP. An unauthenticated remote attacker can register arbitrary services on an exposed SLP server and then send it small UDP requests with a spoofed source address, so that the server floods the victim with replies amplified by a factor of up to 2,200x, among the largest amplification factors documented for any DDoS vector. The issue was discovered by BitSight and Curesec researchers, who identified more than 54,000 internet-accessible SLP instances. CISA issued an alert recommending that SLP be disabled on internet-facing systems on the day of disclosure; evidence of active exploitation came only months later, when CISA added the CVE to its Known Exploited Vulnerabilities (KEV) catalog in November 2023.

Affected Versions

Vendor / Product                        Notes
VMware ESXi                             SLP enabled by default on the management interface
Konica Minolta printers                 Multiple models
Xerox network printers                  Multiple models
IBM Integrated Management Module        Server management hardware
Planex routers                          Consumer/SOHO devices
OpenPrinting CUPS                       Linux printing system
Numerous other enterprise devices       Any device running SLP on an internet-accessible interface

This is a protocol-level vulnerability — any implementation of SLP that allows unauthenticated service registration over UDP and sends responses larger than requests is affected. No single vendor patch resolves it; mitigation is disablement or network-level blocking.

Technical Details

SLP amplification chains three properties, two of the protocol and one of its transport:

  1. Unauthenticated service registration: SLP accepts new service registrations (SrvReg messages) from any host on the network without authentication. An attacker can register hundreds or thousands of fake services, each with a large attribute string.
  2. UDP response larger than request: An SLP service request (SrvRqst, a small UDP packet) causes the SLP daemon to respond with a listing of every matching registered service. The more services are registered, the larger the response grows relative to the fixed-size request.
  3. UDP source spoofing: Because UDP is connectionless and the SLP server does not validate the source address, an attacker on a network without egress filtering can send small requests with the victim's IP address as the source. The SLP server delivers its large responses to the victim.

By pre-populating a target SLP server with thousands of fake service registrations, attackers turn it into a reflector that amplifies traffic up to 2,200x: a 29-byte request can elicit a response of roughly 65,000 bytes, close to the maximum UDP payload. Even modest attack infrastructure can generate terabit-scale floods when thousands of internet-exposed SLP servers are used as reflectors. SLP over TCP (also port 427) is not a reflection vector, because the handshake defeats source spoofing; it is the UDP listener that must go. CISA's required action (disable SLP, or block port 427/UDP) is the only reliable mitigation, because the amplification is inherent to the protocol's design rather than to any one implementation.
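The three steps above, carried through at the byte level, as an added example that is not part of the original page and is not BitSight's or Curesec's tooling. It builds an SLPv2 (RFC 2608) SrvReg, SrvRqst and SrvRply, parses the reply, and computes the amplification ratio for a constructed scenario of 1,000 fake printer registrations. The service type, URLs, attribute text and the reply it "receives" are all constructed sample values; the probe function at the end is the network-side check for the audit step and is not exercised offline.

```python
"""SLPv2 (RFC 2608) message builder/parser for reasoning about the CVE-2023-29552
chain: unauthenticated SrvReg -> small SrvRqst -> large SrvRply.
Added example; service type, URLs, attributes and the reply are constructed values."""
import socket
import struct

SLP_PORT = 427
FUNC_SRVRQST, FUNC_SRVRPLY, FUNC_SRVREG = 1, 2, 3
FLAG_FRESH = 0x4000   # SrvReg flag: replace any existing registration of this URL


def _lstr(s: str) -> bytes:
    """16-bit big-endian length-prefixed string, the encoding SLPv2 uses for every field."""
    b = s.encode()
    return struct.pack("!H", len(b)) + b


def slp_message(func_id: int, body: bytes, xid: int = 1, flags: int = 0, lang: str = "en") -> bytes:
    """Prefix a body with the SLPv2 header: ver(1) func(1) len(3) flags(2)
    next-ext(3) xid(2) lang-len(2) lang(n). The length field covers the whole message."""
    lang_b = lang.encode()
    length = 14 + len(lang_b) + len(body)
    hdr = struct.pack("!BB", 2, func_id) + length.to_bytes(3, "big")
    hdr += struct.pack("!H", flags) + (0).to_bytes(3, "big")
    hdr += struct.pack("!HH", xid, len(lang_b)) + lang_b
    return hdr + body


def url_entry(url: str, lifetime: int = 0xFFFF) -> bytes:
    """URL Entry: reserved(1) lifetime(2) url-len(2) url(n) #auth-blocks(1)=0."""
    return struct.pack("!BH", 0, lifetime) + _lstr(url) + b"\x00"


def build_srvreg(url: str, service_type: str, attrs: str, scope: str = "DEFAULT") -> bytes:
    """SrvReg with no authentication block, the registration any host may send (property 1).
    The attr-list is free-form text, so an attacker can make every entry large."""
    body = url_entry(url) + _lstr(service_type) + _lstr(scope) + _lstr(attrs) + b"\x00"
    return slp_message(FUNC_SRVREG, body, flags=FLAG_FRESH)


def build_srvrqst(service_type: str, scope: str = "DEFAULT") -> bytes:
    """SrvRqst: PRList, service-type, scope-list, predicate, SPI; a few dozen bytes."""
    body = _lstr("") + _lstr(service_type) + _lstr(scope) + _lstr("") + _lstr("")
    return slp_message(FUNC_SRVRQST, body)


def build_srvrply(urls, error_code: int = 0) -> bytes:
    """SrvRply as a daemon answers it: error(2) count(2) then one URL Entry per match.
    Built here offline to show that reply size scales with the registration count."""
    body = struct.pack("!HH", error_code, len(urls)) + b"".join(url_entry(u) for u in urls)
    return slp_message(FUNC_SRVRPLY, body)


def parse_header(data: bytes) -> dict:
    if len(data) < 14 or data[0] != 2:
        raise ValueError("not an SLPv2 message")
    length = int.from_bytes(data[2:5], "big")
    flags = struct.unpack("!H", data[5:7])[0]
    xid, lang_len = struct.unpack("!HH", data[10:14])
    return {"func_id": data[1], "length": length, "flags": flags, "xid": xid,
            "lang": data[14:14 + lang_len].decode(), "body_offset": 14 + lang_len}


def parse_srvrply(data: bytes):
    """Return (error_code, [url, ...]) from a SrvRply, skipping any auth blocks."""
    h = parse_header(data)
    if h["func_id"] != FUNC_SRVRPLY:
        raise ValueError("not a SrvRply")
    off = h["body_offset"]
    error_code, count = struct.unpack("!HH", data[off:off + 4])
    off += 4
    urls = []
    for _ in range(count):
        ulen = struct.unpack("!H", data[off + 3:off + 5])[0]   # skip reserved + lifetime
        urls.append(data[off + 5:off + 5 + ulen].decode())
        off += 5 + ulen
        n_auth, off = data[off], off + 1
        for _ in range(n_auth):                                # each block carries its own length
            off += struct.unpack("!H", data[off + 2:off + 4])[0]
    return error_code, urls


def amplification_factor(request: bytes, reply: bytes) -> float:
    return round(len(reply) / len(request), 1)


def probe(host: str, service_type: str = "service:service-agent", timeout: float = 2.0):
    """Unicast one SrvRqst and return (request_len, reply_len), or None on silence.
    Network side: use it to confirm whether a host answers SLP over UDP at all."""
    req = build_srvrqst(service_type)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (host, SLP_PORT))
        try:
            data, _ = s.recvfrom(65535)
        except socket.timeout:
            return None
    return len(req), len(data)


if __name__ == "__main__":
    # Constructed scenario: 1,000 fake printers registered, then one 48-byte lookup.
    fake_urls = [f"service:printer://203.0.113.7/queue-{i:05d}" for i in range(1000)]
    reg = build_srvreg(fake_urls[0], "service:printer", "(description=" + "x" * 200 + ")")
    req = build_srvrqst("service:printer")
    rply = build_srvrply(fake_urls)
    print(len(reg), len(req), len(rply), amplification_factor(req, rply))
```

The 48-byte request against 1,000 registrations yields a 47,020-byte reply, a factor of about 980; the researchers' 2,200x figure comes from a shorter request and replies that fill the UDP maximum. RFC 2608 expects a daemon to truncate a UDP reply that exceeds the path MTU and set the OVERFLOW flag, so the full-size replies measured in the field are a property of deployed implementations, not of a careful reading of the RFC.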

Discovery

Pedro Umbelino of BitSight and Marco Lux of Curesec discovered CVE-2023-29552 and published their findings on April 25, 2023, coordinating disclosure with CISA, which issued its alert the same day. BitSight's internet scan identified more than 54,000 SLP instances from over 670 product types reachable from the internet, many belonging to organizations in financial services, healthcare, and technology.

Exploitation Context

Reflection/amplification DDoS attacks are a well-established technique for generating overwhelming traffic volumes with minimal attacker resources. Prior high-profile amplification vectors include NTP (556x), Memcached (51,200x), and DNS (179x). CVE-2023-29552's 2,200x amplification places it in the top tier of observed amplification factors. CISA adds a CVE to the KEV catalog only on reliable evidence of active exploitation, so the November 2023 addition, six months after disclosure, indicates that threat actors moved past proof-of-concept and operationalized exposed SLP servers as DDoS reflectors. Organizations with internet-accessible legacy infrastructure (printers, hypervisor management interfaces, server management cards) that have not audited their external attack surface are most at risk, both as reflectors and as contributors to attacks on others.

Remediation

  1. Disable SLP on all internet-facing systems, or block port 427/UDP at the network perimeter; this is CISA's required action. Blocking 427/TCP as well is harmless and removes the service from reach entirely, though only the UDP listener can be used as a reflector.
  2. Audit internal systems for internet-exposed SLP — use a network scanner or firewall logs to identify any SLP-enabled services reachable from untrusted networks (not just the internet).
  3. Apply vendor-specific patches where available — check with hardware and software vendors for firmware updates that disable SLP by default or remove the vulnerable registration functionality.
  4. Disable SLP at the device level for all devices where the management console allows it — even internal SLP should be disabled on devices that don't require service discovery.
  5. Configure network-level anti-spoofing (BCP38) — implement egress filtering to prevent your own network from being used to source spoofed amplification traffic.
  6. Monitor for outbound traffic spikes on port 427 — unusual spikes in SLP response traffic may indicate your infrastructure is being used as an unwitting reflector.
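The monitoring step above, as an added example that is not part of the original page: a flow-record check that flags hosts sending far more UDP data from source port 427 to a peer than that peer sent them, which is the signature of a reflector answering spoofed requests (the "peer" is the victim, and the small inbound bytes are the attacker's spoofed requests carrying the victim's address). The record field names, the thresholds and the sample flows are all assumptions constructed for this illustration, not captured data.

```python
"""Flow-record check for SLP reflection abuse (CVE-2023-29552).
Added example; field names, thresholds and the sample flows are constructed."""
import csv
import io
from collections import defaultdict

SLP_PORT = 427
# Thresholds are assumptions for illustration; tune them to your own baseline.
MIN_REPLY_BYTES = 1_000_000     # >= 1 MB of UDP/427 sent to one peer in the window
MIN_AMPLIFICATION = 10.0        # bytes sent from :427 / bytes received on :427 from that peer

# Constructed NetFlow-style records (one direction per row).
SAMPLE_FLOWS = """\
src,sport,dst,dport,proto,packets,bytes
198.51.100.20,427,203.0.113.5,5353,udp,40000,2400000000
203.0.113.5,5353,198.51.100.20,427,udp,40000,1200000
198.51.100.20,427,192.0.2.10,49152,udp,3,900
192.0.2.10,49152,198.51.100.20,427,udp,3,150
198.51.100.21,427,192.0.2.11,50000,udp,12,6000
192.0.2.11,50000,198.51.100.21,427,udp,12,600
"""


def parse_flows(text: str) -> list:
    """Parse CSV flow records into dicts with integer counters."""
    return [{**r, "sport": int(r["sport"]), "dport": int(r["dport"]),
             "packets": int(r["packets"]), "bytes": int(r["bytes"])}
            for r in csv.DictReader(io.StringIO(text))]


def find_reflectors(flows: list, min_reply_bytes: int = MIN_REPLY_BYTES,
                    min_amp: float = MIN_AMPLIFICATION) -> list:
    """Return [(reflector, victim, bytes_out, amplification)] sorted by bytes_out.
    A legitimate SLP client exchanges small requests and modest replies; a host
    that pours megabytes out of :427 toward a peer that barely talks to it is
    serving spoofed requests, and the peer is the target."""
    out = defaultdict(int)   # (reflector, peer) -> bytes sent from sport 427
    inb = defaultdict(int)   # (reflector, peer) -> bytes received on dport 427 from peer
    for f in flows:
        if f["proto"] != "udp":
            continue
        if f["sport"] == SLP_PORT:
            out[(f["src"], f["dst"])] += f["bytes"]
        elif f["dport"] == SLP_PORT:
            inb[(f["dst"], f["src"])] += f["bytes"]
    hits = []
    for key, b_out in out.items():
        b_in = inb.get(key, 0)
        amp = b_out / b_in if b_in else float("inf")   # no request at all is worse
        if b_out >= min_reply_bytes and amp >= min_amp:
            hits.append((key[0], key[1], b_out, round(amp, 1)))
    return sorted(hits, key=lambda h: -h[2])


if __name__ == "__main__":
    for reflector, victim, b_out, amp in find_reflectors(parse_flows(SAMPLE_FLOWS)):
        print(f"{reflector} -> {victim}: {b_out} bytes from udp/427, {amp}x amplification")
```

The byte ratio is the signal, not the volume alone: a busy but legitimate SLP directory agent sends replies roughly proportional to the requests it receives, whereas a reflector's outbound bytes per peer dwarf the inbound ones. The 2,000x ratio in the constructed sample is in the range the research describes; in a real deployment you would feed this from the flow exporter on the border and alert on the first hit.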

Key Details

Property               Value
CVE ID                 CVE-2023-29552
Vendor / Product       IETF — Service Location Protocol (SLP)
NVD Published          2023-04-25
NVD Last Modified      2025-10-31
CVSS 3.1 Score         7.5
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Severity               HIGH
CISA KEV Added         2023-11-08
CISA KEV Deadline      2023-11-29
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector          Network
Attack Complexity      Low
Privileges Required    None
User Interaction       None
Scope                  Unchanged
Confidentiality        None
Integrity              None
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2023-11-29. Apply mitigations per vendor instructions or disable SLP service or port 427/UDP on all systems running on untrusted networks, including those directly connected to the Internet.

Timeline

Date          Event
2023-04-25    CVE published; BitSight and Curesec publish research on SLP amplification; CISA issues alert recommending SLP disablement
2023-11-08    Added to CISA Known Exploited Vulnerabilities catalog
2023-11-29    CISA BOD 22-01 remediation deadline