HIGH: Accessible SLP Service Report

DESCRIPTION LAST UPDATED: 2023-12-27

DEFAULT SEVERITY LEVEL: HIGH

Introduction

This report identifies accessible SLP (Service Location Protocol) services on port 427/TCP and 427/UDP.  As described in wikipedia: “The Service Location Protocol (SLP, srvloc) is a service discovery protocol that allows computers and other devices to find services in a local area network without prior configuration”.

A number of vulnerabilities have been discovered in services implementing SLP, such as openSLP. Most notably this includes VMware ESXi with vulnerabilities such as CVE-2021-21974 (CVSS 8.8), CVE-2020-3992 (CVSS 9.8), CVE-2019-5544 (CVSS 9.8).

It is speculated the above may be exploited in recent VMware ESXiArgs ransomware attacks. For more information on the initial discovery of those attacks, see CERT-FR alert bulletin CERTFR-2023-ALE-015.

How we scan 

We scan by sending a function 1 message (Service Request), we expect a function 2 (Service Reply) back. We set the version to version 2.

We do not perform any intrusive checks on a discovered service.

Dashboard

You can track exposed SLP services on our Dashboard.

Mitigation

If you receive this report from us for your network or constituency make sure to firewall traffic to this service or disable it entirely. See: How to Disable/Enable the SLP Service on VMware ESXi. Make sure to follow VMware advice.

Severity levels are described here.

For more information on our scanning efforts, check out our Internet scanning summary page..

You can learn more on our reports in general in our Overview of Free Public Benefit Shadowserver Reports presentation, which also explains example Use Cases.

This report has an IPv4 and IPv6 version.

Filename: scan_slp, scan6_slp

 

Fields

  • timestamp
    Time that the IP was probed in UTC+0
  • severity
    Severity level
  • ip
    The IP address of the device in question
  • protocol
    Protocol that response came on (TCP or UDP)
  • port
    Port that the response came from (typically port 427)
  • hostname
    Reverse DNS name of the device in question
  • tag
    Tag set to "slp"
  • asn
    ASN of where the device in question resides
  • geo
    Country where the device in question resides
  • region
    State / Province / Administrative region where the device in question resides
  • city
    City in which the device in question resides
  • naics
    North American Industry Classification System Code
  • hostname_source
    Hostname source
  • sector
    Sector the identified device belongs to
  • version
    Version of SLP in use. We're expecting Version 2
  • function
    What function is responding. Given that we are sending a function 1 message (Service Request), we expect a function 2 (Service Reply) back
  • function_text
    The text version of the message in the function field
  • flags
    Codes for conditions in the message. Since we are sending a small unicast message, we expect to get a response of 0x0000
  • next_extension_offset
    If it is a large response and the message is split across multiple packets, this tells the offset. In our case, it should be 0
  • xid
    Transaction ID. We're sending the request with an ID of 5, so we expect the same back
  • language_tag_length
    How many characters are in the language_tag
  • language_tag
    The language that the messages are in. Usually 'en'
  • error_code
    Numeric version of the error code that we have returned to our probe. Usually a '0', '4', '5', or '50'
  • error_code_text
    Text version of the error_code that makes sense to humans
  • response_size
    The size of the original hex encoded response
  • raw_response
    The original response that we processed, encoded in base64

Sample

"timestamp","severity","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","hostname_source","sector","version","function","function_text","flags","next_extension_offset","xid","language_tag_length","language_tag","error_code","error_code_text","response_size","raw_response"
"2010-02-10 00:00:00",high,192.168.0.1,tcp,427,node01.example.com,slp,64512,ZZ,Region,City,0,ptr,"Communications, Service Provider, and Hosting Service",2,2,"Service reply",0x0000,0,5,2,en,4,"Scope list not supported",40,NzI6QTE6RDU6ODc6QTc6MDM6OEM6NTk6RDc6QUM6Mzc6QTA6NTc6NDM6NTE6MUM6M0Y6Mzc6MjI6NjY6QjA6NzA6NTQ6RUQ6MjY6Q0Q6QzU6OUI6MzY6RkQ6Njk6QTM=
"2010-02-10 00:00:01",high,192.168.0.2,tcp,427,node02.example.com,slp,64512,ZZ,Region,City,0,,,2,2,"Service reply",0x0000,0,5,2,en,50,"Unknown SRVLOC Error",40,NzI6QTE6RDU6ODc6QTc6MDM6OEM6NTk6RDc6QUM6Mzc6QTA6NTc6NDM6NTE6MUM6M0Y6Mzc6MjI6NjY6QjA6NzA6NTQ6RUQ6MjY6Q0Q6QzU6OUI6MzY6RkQ6Njk6QTM=
"2010-02-10 00:00:02",high,192.168.0.3,tcp,427,node03.example.com,slp,64512,ZZ,Region,City,0,,,2,2,"Service reply",0x0000,0,5,2,en,5,"Unsupported SLP SPI",40,NzI6QTE6RDU6ODc6QTc6MDM6OEM6NTk6RDc6QUM6Mzc6QTA6NTc6NDM6NTE6MUM6M0Y6Mzc6MjI6NjY6QjA6NzA6NTQ6RUQ6MjY6Q0Q6QzU6OUI6MzY6RkQ6Njk6QTM=

Our 131 Report Types

« Back to Network Reporting