Introduction

CVE-2017-1000357 [1] describes a Denial of Service vulnerability in the OpenDaylight odl-l2switch-switch component. If successfully exploited this vulnerability causes the OpenDaylight process to crash, so it’s best not to try this on a live network.

Affected Versions

This vulnerability affected OpenDaylight versions 3.3 (Lithium-SR3), 3.4 (Lithium-SR4), 4.0 (Beryllium), 4.1 (Beryllium-SR1), 4.2 (Beryllium-SR2), and 4.4 (Beryllium-SR4). It’s likely that earlier versions are vulnerable but these were not officially tested or reported to be vulnerable.

Exploiting the Vulnerability

This vulnerability is very easy to exploit so long as the attacker has access to the SDN controller channel and TLS is not enabled for switch connections. Exploiting the vulnerability is as simple as flooding a large number of OpenFlow Hello messages at a high rate. This can be done using sdnpwn's of-gen module like so:

sudo ./sdnpwn.py of-gen -t 192.168.56.110 -p 6653 -c 100000 -d .0001 --hello

The above command will target the controller with IP address 192.168.56.110 on port 6653. Packets will be flooded at a rate of 1 per .0001 seconds until 100,000 messages have been sent. The controller should crash before 20,000 messages have been sent, but if it doesn't, it will definitely crash within 100,000.

Mitigation

As of this writing no patch has been announced for the affected versions; however, recent versions of OpenDaylight are not vulnerable to the issue. If an older version of the controller is being operated in a network it's recommended to upgrade to a newer version of OpenDaylight. If an upgrade is not possible then exposure of the OpenFlow services running on the controller (ports 6633 and 6653) should be limited to trusted devices. If OpenFlow is not being used as a southbound protocol then the OpenFlow services should be disabled.
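Where the services cannot be restricted, the flood described above is easy to spot on the wire, because a legitimate switch sends a single Hello per connection attempt. The following detector is an added example (not code from sdnpwn or OpenDaylight): it parses the 8-byte OpenFlow header out of TCP payloads and alerts when one source exceeds a threshold of Hello messages within a sliding window. The 50-per-second threshold, the source addresses and the packet stream are constructed assumptions; the real pattern is the page's 1 Hello per 0.0001 seconds.

```python
import struct
from collections import deque

# OpenFlow header: version(1) type(1) length(2) xid(4); OFPT_HELLO is type 0 in every OpenFlow version.
OFP_HEADER = struct.Struct("!BBHI")
OFPT_HELLO = 0

def parse_openflow_messages(payload):
    """Split a TCP payload into OpenFlow messages as (version, type, xid) tuples.
    Stops at a truncated or malformed message instead of raising."""
    msgs, offset = [], 0
    while offset + OFP_HEADER.size <= len(payload):
        version, msg_type, length, xid = OFP_HEADER.unpack_from(payload, offset)
        if length < OFP_HEADER.size or offset + length > len(payload):
            break
        msgs.append((version, msg_type, xid))
        offset += length
    return msgs

class HelloFloodDetector:
    """Flags a source that sends more than max_hellos OFPT_HELLO messages within any
    window of `window` seconds (threshold values are assumptions for this example)."""
    def __init__(self, max_hellos=50, window=1.0):
        self.max_hellos, self.window = max_hellos, window
        self.seen = {}  # source IP -> deque of Hello timestamps inside the window

    def observe(self, ts, src, payload):
        """Feed one (timestamp, source IP, TCP payload) sample; True means src is flooding."""
        q = self.seen.setdefault(src, deque())
        for _version, msg_type, _xid in parse_openflow_messages(payload):
            if msg_type == OFPT_HELLO:
                q.append(ts)
        while q and ts - q[0] > self.window:  # drop Hellos older than the window
            q.popleft()
        return len(q) > self.max_hellos

def hello(xid, version=0x04):
    """Constructed sample input: a bare OpenFlow 1.3 Hello (header only, length 8)."""
    return OFP_HEADER.pack(version, OFPT_HELLO, OFP_HEADER.size, xid)

def run_demo():
    """Constructed traffic: one normal switch handshake, then a flood at 1 Hello per 0.0001 s."""
    det = HelloFloodDetector()
    benign = det.observe(0.0, "10.0.0.5", hello(1))  # single Hello: not flagged
    flagged_after = None
    for i in range(1000):
        if det.observe(1.0 + i * 0.0001, "192.168.56.1", hello(i + 2)):
            flagged_after = i + 1  # number of flood Hellos seen when the alert fires
            break
    return benign, flagged_after
```

In practice the samples would come from a capture or tap on the controller's OpenFlow ports, and the alert would feed whatever blocks or rate-limits the offending source.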

References

[1] https://wiki.opendaylight.org/view/Security:Advisories#.5BModerate.5D_CVE-2017-1000357_Denial_of_Service_attack_when_the_switch_rejects_to_receive_packets_from_the_controller

Exploiting OpenDaylight CVE-2017-1000357 with sdnpwn