
CVE-2017-1000411

 

  • Severity Score (CVSS v3): 7.5
  • Exploit Likelihood (EPSS):
  • Affected Versions (CPE):
  • Public Exploits (Multiple Sources): 0
  • Exploited in Wild (KEV): -
  • Decision (SSVC): -

Descriptions

OpenFlow Plugin and OpenDayLight Controller versions Nitrogen, Carbon, Boron, Robert Varga, Anil Vishnoi contain a flaw in which multiple 'expired' flows take up the memory resources of the CONFIG DATASTORE, which leads to CONTROLLER shutdown. If multiple different flows with 'idle-timeout' and 'hard-timeout' are sent to the OpenFlow Plugin REST API, the expired flows will eventually crash the controller once its resource allocations set with the JVM size are exceeded. Although the installed flows (with timeout set) are removed from the network (and thus also from the controller's operations DS), the expired entries are still present in the CONFIG DS. The attack can originate from either NORTH or SOUTH. The description above is for a northbound attack. A southbound attack can originate when an attacker attempts a flow flooding attack; since flows come with timeouts, that attack is not successful. However, the attacker will now succeed in a CONTROLLER overflow attack (resource consumption). Although the network (actual flow tables) and operational DS are only about 1% occupied, the controller requests resource consumption. This happens because the installed flows get removed from the network upon timeout.


*Credits: N/A
CVSS Scores

CVSS v3
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: None
  • Availability: High

CVSS v2
  • Attack Vector: Network
  • Attack Complexity: Low
  • Authentication: None
  • Confidentiality: None
  • Integrity: None
  • Availability: Partial

* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2017-12-28 CVE Reserved
  • 2018-01-31 CVE Published
  • 2023-12-11 EPSS Updated
  • 2024-08-05 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-404: Improper Resource Shutdown or Release
Affected Vendors, Products, and Versions

Vendor        Product       Version   Other         Status
Opendaylight  Opendaylight  boron     -             Affected
Opendaylight  Opendaylight  carbon    -             Affected
Opendaylight  Opendaylight  nitrogen  -             Affected
Opendaylight  Openflow      boron     opendaylight  Affected
Opendaylight  Openflow      carbon    opendaylight  Affected
Opendaylight  Openflow      nitrogen  opendaylight  Affected