SLP Protocol Denial-of-Service Guidance
SLP Protocol Denial-of-Service Guidance
SLP Protocol Denial-of-Service Guidance
Lenovo Security Advisory: LEN-123896
Potential Impact: Denial of Service
Severity: High
Scope of Impact: Industry-wide
CVE Identifier: CVE-2023-29552
Summary Description:
A UDP-based reflection amplification denial-of-service (DOS) vulnerability was reported in SLP (Service Location Protocol), a service discovery protocol that allows devices to find services within a local area network without prior configuration. By design, SLP does not enforce authentication and packets are transmitted using UDP. This vulnerability allows a device supporting SLP to be used as a traffic generator for performing DOS attacks against other devices. There is no fix available as this behavior is inherent to the SLP protocol.
Lenovo ThinkSystem V3 servers do not support SLP. Other Lenovo storage, networking, and server products support SLP for device discovery on a network. If XClarity Administrator (LXCA) or other system management tools that require SLP for discovery are not in use, it is recommended to disable SLP where possible.
Mitigation Strategy for Customers (what you should do to protect yourself):
Recommended mitigations include:
- Disable SLP where possible.
- Only connect device system management interfaces to trusted, secure networks. Do not expose device system management interfaces to untrusted networks such as the internet.
- Use host-based and network firewalls to limit access from hosts and networks to the system management interface and from the system management interface to other hosts and networks.
- Limit network access to only trusted users.
ThinkSystem Server and Management Applications customers please note: Lenovo ThinkSystem V3 servers do not support SLP.
See https://lenovopress.lenovo.com/lp1260-how-to-harden-the-security-of-your-thinksystem-server for guidance on disabling SLP.
For IMM users:
Through OneCLI, SLP can be disabled with the following command: config set IMM.SLPPortControl Closed -imm <UserName>@<IMM2 IP>
Reboot IMM2 for changes to take effect.
ThinkAgile customers:
For Nutanix software, see https://www.nutanix.com/trust/security-advisories for risk exposure, resolution and mitigations.
For VMware software and appliances, see https://blogs.vmware.com/security/2023/04/vmware-response-to-cve-2023-29552-reflective-denial-of-service-dos-amplification-vulnerability-in-slp.html for risk exposure, resolution and mitigations.
References:
https://www.cve.org/CVERecord?id=CVE-2023-29552
Revision History:
Revision | Date | Description |
---|---|---|
1 | 2023-05-09 | Initial release |
For a complete list of all Lenovo Product Security Advisories, click here.
For the most up to date information, please remain current with updates and advisories from Lenovo regarding your equipment and software. The information provided in this advisory is provided on an “as is” basis without any warranty or guarantee of any kind. Lenovo reserves the right to change or update this advisory at any time.
Your feedback helps to improve the overall experience