CVE-2017-1000411 Information

Description

OpenFlow Plugin and OpenDayLight Controller versions Nitrogen Carbon Boron Robert Varga Anil Vishnoi contain a flaw when multiple ’expired’ flows take up the memory resource of CONFIG DATASTORE which leads to CONTROLLER shutdown. If multiple different flows with ‘idle-timeout’ and ‘hard-timeout’ are sent to the Openflow Plugin REST API the expired flows will eventually crash the controller once its resource allocations set with the JVM size are exceeded. Although the installed flows (with timeout set) are removed from network (and thus also from controller’s operations DS) the expired entries are still present in CONFIG DS. The attack can originate both from NORTH or SOUTH. The above description is for a north bound attack. A south bound attack can originate when an attacker attempts a flow flooding attack and since flows come with timeouts the attack is not successful. However the attacker will now be successful in CONTROLLER overflow attack (resource consumption). Although the network (actual flow tables) and operational DS are only (~)1 occupied the controller requests for resource consumption. This happens because the installed flows get removed from the network upon timeout.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Reference

http://seclists.org/oss-sec/2018/q1/52 http://www.securityfocus.com/bid/102736

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

NONE

Availability Impact

NONE

Base Score

HIGH

Base Severity

7.5