CVE-2012-4428
📋 TL;DR
CVE-2012-4428 is a buffer overflow vulnerability in the SLPIntersectStringList() function of OpenSLP that can cause denial of service. Attackers can crash the OpenSLP service by sending specially crafted Service Location Protocol packets. Systems running vulnerable versions of OpenSLP are affected.
💻 Affected Systems
- OpenSLP
📦 What is this software?
Fedora by Fedoraproject
Openslp by Openslp
Ubuntu Linux by Canonical
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of service of the OpenSLP service, potentially disrupting network service discovery and affecting dependent applications.
Likely Case
Service crash requiring manual restart, causing temporary disruption to service discovery functionality.
If Mitigated
Minimal impact with proper network segmentation and access controls limiting SLP traffic.
🎯 Exploit Status
Exploit requires network access to OpenSLP service port (427). Proof of concept code has been publicly available since 2012.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: OpenSLP 2.0.0 and later
Vendor Advisory: https://access.redhat.com/security/cve/cve-2012-4428
Restart Required: Yes
Instructions:
1. Update OpenSLP to version 2.0.0 or later using your distribution's package manager.
2. For RHEL/CentOS: yum update openslp.
3. For Ubuntu/Debian: apt-get update && apt-get install openslp.
4. Restart the OpenSLP service or reboot the system.
🔧 Temporary Workarounds
Disable OpenSLP Service
Linux: Stop and disable the OpenSLP service if not required
systemctl stop slpd
systemctl disable slpd
Block SLP Port with Firewall
Linux: Block access to SLP port 427/tcp and 427/udp
iptables -A INPUT -p tcp --dport 427 -j DROP
iptables -A INPUT -p udp --dport 427 -j DROP
🧯 If You Can't Patch
- Implement network segmentation to restrict access to OpenSLP service
- Use host-based firewalls to block incoming connections to port 427
🔍 How to Verify
Check if Vulnerable:
Check OpenSLP version: slptool -v or rpm -q openslp or dpkg -l openslp
Check Version:
slptool -v 2>/dev/null || openslp -v 2>/dev/null || rpm -q openslp || dpkg -l openslp | grep openslp
Verify Fix Applied:
Verify OpenSLP version is 2.0.0 or higher and service is running without crashes
📡 Detection & Monitoring
Log Indicators:
- OpenSLP service crashes in system logs
- Segmentation fault errors related to slpd process
Network Indicators:
- Unusual traffic to port 427/tcp or 427/udp
- Malformed SLP packets
SIEM Query:
process:slpd AND (event_type:crash OR signal:SIGSEGV)
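The log indicators above can be checked on a single host with a small filter; this is an added example, not part of the original advisory. It assumes the usual Linux kernel "segfault at" message, systemd's "status=11/SEGV" exit record and a unit named slpd.service; the function names and sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: find slpd crash records in syslog/journal text read from stdin.

# Print each line that records slpd dying from a segmentation fault:
#  - the kernel's "segfault at" message for a process named slpd
#  - systemd's exit record for the slpd unit (signal 11 = SIGSEGV)
slpd_crash_lines() {
    grep -E \
        -e 'kernel: (.* )?slpd\[[0-9]+\]: segfault at ' \
        -e 'slpd\.service: Main process exited, code=(killed|dumped), status=11/SEGV' \
        || true   # no match is a valid result, not an error
}

# Print the number of crash records on stdin.
slpd_crash_count() {
    slpd_crash_lines | wc -l | tr -d ' '
}

# Succeed when stdin holds at least $1 crash records (default 1),
# e.g. to raise an alert on repeated crashes.
slpd_crash_alert() {
    [ "$(slpd_crash_count)" -ge "${1:-1}" ]
}

# Constructed sample log (not captured from a real host).
sample_log() {
    cat <<'EOF'
Sep 13 10:00:01 host1 slpd[2314]: constructed startup line
Sep 13 10:02:11 host1 kernel: [ 4211.102938] slpd[2314]: segfault at 7f3a5c0ff000 ip 00007f3a5b8e1c2d sp 00007ffd1e2a4b10 error 4 in slpd[400000+2e000]
Sep 13 10:02:11 host1 systemd[1]: slpd.service: Main process exited, code=dumped, status=11/SEGV
Sep 13 10:02:11 host1 systemd[1]: slpd.service: Failed with result 'core-dump'.
Sep 13 10:05:40 host1 kernel: [ 4420.551200] cupsd[991]: segfault at 0 ip 0000000000000000 sp 00007ffc0a1b2c30 error 14
EOF
}

# Stand-alone run: show the matching records from the sample.
sample_log | slpd_crash_lines
```

On a real host, pipe the system log file or `journalctl --no-pager` output into `slpd_crash_count` instead of the sample.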
🔗 References
- http://lists.fedoraproject.org/pipermail/package-announce/2015-May/159059.html
- http://www.openwall.com/lists/oss-security/2012/09/13/27
- http://www.securityfocus.com/bid/55540
- http://www.ubuntu.com/usn/USN-2730-1
- https://access.redhat.com/security/cve/cve-2012-4428
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-4428
- https://bugzilla.suse.com/show_bug.cgi?id=CVE-2012-4428
- https://exchange.xforce.ibmcloud.com/vulnerabilities/78732
- https://security-tracker.debian.org/tracker/CVE-2012-4428
- https://security.gentoo.org/glsa/201707-05