CVE-2018-1000155

9.8 CRITICAL

📋 TL;DR

This vulnerability in the OpenFlow protocol allows an attacker to spoof the datapath identifier (DPID) a switch presents to the controller during the OpenFlow handshake, enabling denial of service and unauthorized network access. It affects any system using OpenFlow version 1.0 or later for software-defined networking. Network controllers that trust the DPID presented in the handshake without validating it are vulnerable.

💻 Affected Systems

Products:
  • OpenFlow implementations
  • SDN controllers using OpenFlow
  • Network switches with OpenFlow support
Versions: OpenFlow 1.0 and later versions
Operating Systems: All operating systems running OpenFlow implementations
Default Config Vulnerable: ⚠️ Yes
Notes: Any system using OpenFlow protocol without DPID validation is vulnerable. The vulnerability is in the protocol specification itself.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete network disruption through DoS, unauthorized administrative access to network infrastructure, and potential lateral movement through compromised controllers.

🟠 Likely Case: Network instability and service disruption through DoS attacks, with potential for unauthorized access to network segments.

🟢 If Mitigated: Minimal impact with proper DPID validation and network segmentation in place.

🌐 Internet-Facing: HIGH - OpenFlow controllers exposed to internet are directly exploitable via network connection.
🏢 Internal Only: MEDIUM - Requires internal network access but could still impact critical infrastructure.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires establishing a transport connection to the OpenFlow controller, which is typically straightforward in vulnerable configurations.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Varies by vendor - check specific OpenFlow implementation

Vendor Advisory: https://opennetworking.org/security-advisories/

Restart Required: Yes

Instructions:

1. Identify your OpenFlow implementation and version.
2. Check the vendor for specific patches.
3. Apply patches that implement DPID validation.
4. Restart OpenFlow services.
5. Verify that DPID validation is working.

🔧 Temporary Workarounds

Network Segmentation

Restrict access to OpenFlow controllers to trusted networks only (Linux, iptables):

# Replace trusted_network with the address or CIDR of your management network.
iptables -A INPUT -p tcp --dport 6633 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 6633 -j DROP
# Controllers that listen on 6653 (the IANA-assigned OpenFlow port) need the same pair of rules for that port.

DPID Whitelisting (all platforms)

Implement DPID validation at the controller level if a patch is not yet available: keep an allowlist of expected DPIDs and reject any handshake that presents a value not on it.

# Configuration varies by controller - implement DPID validation logic

🧯 If You Can't Patch

  • Implement strict network access controls to OpenFlow controllers
  • Deploy intrusion detection systems to monitor for DPID spoofing attempts

🔍 How to Verify

Check if Vulnerable:

Test whether the OpenFlow controller accepts spoofed DPID values during the handshake, using available PoC tools.

Check Version:

Check the OpenFlow implementation's documentation or use vendor-specific version commands.

Verify Fix Applied:

Verify that DPID validation is implemented and that handshakes presenting spoofed DPID values are rejected.

📡 Detection & Monitoring

Log Indicators:

  • Multiple connection attempts with different DPIDs
  • Unexpected DPID values in OpenFlow logs
  • Failed handshake attempts

Network Indicators:

  • Unusual OpenFlow handshake patterns
  • Traffic to OpenFlow port 6633 from untrusted sources
  • Multiple TCP connections to controller

SIEM Query:

dest_port=6633 AND (event_type="openflow_handshake" OR protocol="openflow") | stats dc(dpid) AS distinct_dpids count BY src_ip | where distinct_dpids > 1
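The controller-side check described under DPID Whitelisting and the "multiple connection attempts with different DPIDs" log indicator, as an added Python example that is not part of this advisory or of any controller project. It assumes the OpenFlow 1.0 wire format for OFPT_FEATURES_REPLY (the message that carries the DPID); the DpidPolicy class, the allowlist, the peer addresses and the sample messages are constructed for illustration.

```python
"""
Added example (not part of the advisory): a controller-side DPID allowlist
check plus a detector for the "different DPIDs from one peer" log indicator.
Assumes the OpenFlow 1.0 wire format for OFPT_FEATURES_REPLY; the policy
class, allowlist, peer addresses and sample messages are constructed.
"""
import struct
from collections import defaultdict

OFP10_VERSION = 0x01
OFPT_FEATURES_REPLY = 6
OFP_HEADER = struct.Struct("!BBHI")             # version, type, length, xid
OFP_FEATURES_FIXED = struct.Struct("!QIB3xII")  # dpid, n_buffers, n_tables, pad, capabilities, actions


def parse_features_reply(msg: bytes) -> int:
    """Return the 64-bit datapath_id carried in an OF1.0 features reply,
    raising ValueError on anything malformed (length, version, type)."""
    if len(msg) < OFP_HEADER.size + OFP_FEATURES_FIXED.size:
        raise ValueError("message too short for OFPT_FEATURES_REPLY")
    version, msg_type, length, _xid = OFP_HEADER.unpack_from(msg, 0)
    if version != OFP10_VERSION:
        raise ValueError(f"unexpected OpenFlow version {version:#x}")
    if msg_type != OFPT_FEATURES_REPLY:
        raise ValueError(f"expected OFPT_FEATURES_REPLY, got type {msg_type}")
    if length != len(msg):
        raise ValueError("header length does not match message size")
    dpid, *_ = OFP_FEATURES_FIXED.unpack_from(msg, OFP_HEADER.size)
    return dpid


def build_features_reply(dpid: int, xid: int = 1) -> bytes:
    """Constructed sample message for testing (fixed part only, no port list)."""
    body = OFP_FEATURES_FIXED.pack(dpid, 256, 1, 0xC7, 0xFFF)
    header = OFP_HEADER.pack(OFP10_VERSION, OFPT_FEATURES_REPLY,
                             OFP_HEADER.size + len(body), xid)
    return header + body


class DpidPolicy:
    """Hypothetical policy layer a controller would consult before it
    registers a datapath: an allowlist of DPID -> expected peer address,
    plus per-peer tracking of every DPID that peer has offered."""

    def __init__(self, allowlist: dict):
        self.allowlist = allowlist                # dpid -> expected peer IP
        self.seen_dpids = defaultdict(set)        # peer IP -> DPIDs offered

    def accept(self, peer_ip: str, msg: bytes):
        """Return (accepted, reason) for one features reply from peer_ip."""
        dpid = parse_features_reply(msg)
        self.seen_dpids[peer_ip].add(dpid)
        if dpid not in self.allowlist:
            return False, f"unknown DPID {dpid:#018x} from {peer_ip}"
        if self.allowlist[dpid] != peer_ip:
            return False, (f"DPID {dpid:#018x} expected from "
                           f"{self.allowlist[dpid]}, offered by {peer_ip}")
        return True, f"DPID {dpid:#018x} accepted from {peer_ip}"

    def suspicious_peers(self) -> dict:
        """Peers that offered more than one DPID: the log indicator
        'multiple connection attempts with different DPIDs'."""
        return {ip: len(d) for ip, d in self.seen_dpids.items() if len(d) > 1}


def demo() -> dict:
    """Run a constructed handshake sequence through the policy."""
    policy = DpidPolicy({0xA1: "10.0.0.11", 0xA2: "10.0.0.12"})
    events = [  # constructed (peer_ip, features_reply) pairs
        ("10.0.0.11", build_features_reply(0xA1)),    # legitimate
        ("10.0.0.12", build_features_reply(0xA2)),    # legitimate
        ("10.0.0.99", build_features_reply(0xA1)),    # known DPID, wrong peer
        ("10.0.0.99", build_features_reply(0xDEAD)),  # unknown DPID
    ]
    results = [policy.accept(ip, msg) for ip, msg in events]
    return {"accepted": sum(1 for ok, _ in results if ok),
            "rejections": [why for ok, why in results if not ok],
            "suspicious": policy.suspicious_peers()}


if __name__ == "__main__":
    print(demo())
```

The allowlist binds each DPID to the address it is expected from, so a spoofed but otherwise valid DPID arriving from an unexpected peer is rejected too; the per-peer set of offered DPIDs is what an alert on the "different DPIDs" indicator would be raised from.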

🔗 References
