CVE-2023-29552
Publication date 24 April 2023
Last updated 17 December 2024
Ubuntu priority
The Service Location Protocol (SLP, RFC 2608) allows an unauthenticated, remote attacker to register arbitrary services. This could allow the attacker to use spoofed UDP traffic to conduct a denial-of-service attack with a significant amplification factor.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| openslp-dfsg | 24.10 oracular | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal | Not in release | |
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial | Ignored see notes | |
| 14.04 LTS trusty | Ignored end of ESM support, was ignored [see notes] |
Notes
sbeattie
The SLP protocol was never meant to be made available to the public Internet, as the RFC 2165 authors recognize: "Service Location provides a dynamic configuration mechanism for applications in local area networks. It is not a global resolution system for the entire Internet; rather it is intended to serve enterprise networks with shared services."
hlibk
The package does not seem to be maintained anymore by upstream, as there have not been any updates to the package since 2022.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
7.5 · High
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | None |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |