Bug 1578652 - (CVE-2018-1000155) CVE-2018-1000155 openflow: Denial of Service, Improper Authentication and Authorization, and Covert Channel in the OpenFlow handshake
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
impact=moderate,public=20180509,repor...
Keywords: Security
Depends On: 1579653 1579654 1579655 1579656 1579657 1579658
Blocks: 1578654
Reported: 2018-05-16 01:41 EDT by Sam Fowler
Modified: 2018-09-23 22:54 EDT

Description Sam Fowler 2018-05-16 01:41:18 EDT
The OpenFlow handshake does not require the controller to authenticate switches during the OpenFlow handshake. Furthermore, the controller is not required to authorize switches access to the controller. The absence of authentication and authorization in the OpenFlow handshake allows one or more malicious switches connected to an OpenFlow controller to cause Denial of Service attacks in certain OpenFlow controllers by spoofing OpenFlow switch identifiers known as DataPath Identifiers (DPIDs). Additionally, the lack of authentication and authorization in the OpenFlow handshake can be exploited by malicious switches for covert communications, bypassing data plane (and potentially control plane) security mechanisms. In particular, the OpenFlow "Features Reply" message sent by the switch is inherently trusted by the controller. Note that for the attacker to launch an attack, the OpenFlow switch must first establish a (secure) transport connection with the OpenFlow controller (e.g., TLS and TCP), and the switch must be controlled by the attacker.


External Reference:

http://seclists.org/oss-sec/2018/q2/99
Comment 1 James Hebden 2018-05-17 01:28:31 EDT
Review of ODL packaging and OpenFlow plugin shows that we are impacted by the vulnerability described in the CVE, given we package and enable the OpenFlow plugin and, by default, no encryption or authentication is required for the initial controller handshake. A malicious OpenFlow client could handshake with the controller, as described in the CVE. The mitigation available is to enable TLS, which is supported by the OpenDaylight OpenFlow plugin, and would require registered switches and new switches to have correct TLS certificates before a session could be opened with the controller, mitigating the potential attack. The reference configuration should enable this TLS support to mitigate this CVE.
Comment 2 James Hebden 2018-05-18 01:20:14 EDT
Mitigation:

Enable TLS in OpenFlow plugin. Upstream documentation is a useful resource.
https://wiki.opendaylight.org/view/OpenDaylight_OpenFlow_Plugin:_TLS_Support
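
The description notes that the controller trusts the DPID carried in the Features Reply, and Comment 1 relies on TLS certificates to identify switches. As an added example (not code from OpenDaylight, the OpenFlow plugin or the advisory), the Python below shows a controller-side check that admits a switch only when the DPID it claims matches the one registered for its TLS certificate. `DpidRegistry`, `build_features_reply`, the fingerprint strings and the refusal of a second session for a live DPID are assumptions made for illustration; auxiliary connections are not modelled.

```python
import struct

OFPT_FEATURES_REPLY = 6              # message type in OpenFlow 1.0 and 1.3
OFP_HEADER = struct.Struct("!BBHI")  # version, type, length, xid

class HandshakeRejected(Exception):
    """Raised when a switch must not be admitted to the controller."""

def build_features_reply(dpid, version=4, xid=1):
    """Constructed sample: a 32-byte OpenFlow 1.3 Features Reply."""
    body = struct.pack("!Q", dpid) + bytes(16)  # remaining fields zeroed
    return OFP_HEADER.pack(version, OFPT_FEATURES_REPLY, 8 + len(body), xid) + body

def parse_dpid(msg):
    """Return the datapath_id claimed in a Features Reply."""
    if len(msg) < OFP_HEADER.size + 8:
        raise HandshakeRejected("truncated message")
    _version, msg_type, length, _xid = OFP_HEADER.unpack_from(msg)
    if msg_type != OFPT_FEATURES_REPLY:
        raise HandshakeRejected(f"unexpected message type {msg_type}")
    if length != len(msg):
        raise HandshakeRejected("header length does not match message size")
    (dpid,) = struct.unpack_from("!Q", msg, OFP_HEADER.size)
    return dpid

class DpidRegistry:
    """Hypothetical controller-side check binding TLS peer identity to DPID."""

    def __init__(self, allowed):
        self.allowed = dict(allowed)  # certificate fingerprint -> permitted DPID
        self.active = {}              # DPID -> fingerprint of the live session

    def admit(self, peer_fingerprint, features_reply):
        dpid = parse_dpid(features_reply)
        if self.allowed.get(peer_fingerprint) != dpid:
            raise HandshakeRejected(f"peer not authorized for DPID {dpid:#018x}")
        if dpid in self.active:
            # Refuse rather than replace, so a newcomer cannot evict a session.
            raise HandshakeRejected(f"DPID {dpid:#018x} already connected")
        self.active[dpid] = peer_fingerprint
        return dpid

    def release(self, dpid):
        """Call when the switch's connection closes."""
        self.active.pop(dpid, None)
```

The fingerprint passed to `admit` has to come from the certificate verified during the TLS handshake, not from anything the switch sends inside OpenFlow.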
