CVE-2023-29552
Public on 2023-04-25
Modified on 2024-07-10
Description
The Service Location Protocol (SLP, RFC 2608) allows an unauthenticated, remote attacker to register arbitrary services. This could allow the attacker to use spoofed UDP traffic to conduct a denial-of-service attack with a significant amplification factor.
SLP servers on untrusted networks are prone to UDP amplifications attacks. The issue described here can’t be addressed without breaking the protocol. Use of the SLP protocol should be limited to trusted networks or access to port 427 (UDP and TCP) should be restricted. The affected packages are not installed by default on any Amazon Linux versions.
SLP servers on untrusted networks are prone to UDP amplifications attacks. The issue described here can’t be addressed without breaking the protocol. Use of the SLP protocol should be limited to trusted networks or access to port 427 (UDP and TCP) should be restricted. The affected packages are not installed by default on any Amazon Linux versions.
Severity
Important
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2 - Core | openslp | No Fix Planned |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| NVD | CVSSv3 | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |