CVE-2020-18685

9.8 CRITICAL

📋 TL;DR

CVE-2020-18685 is an input validation vulnerability in the Floodlight SDN controller that allows attackers to bypass security checks and potentially execute arbitrary code or disrupt network operations. It affects Floodlight installations through version 1.2 because the StaticFlowEntryPusherResource component does not sufficiently validate TCP/UDP ports, group IDs, and table IDs.

💻 Affected Systems

Products:
  • Floodlight SDN Controller
Versions: through 1.2
Operating Systems: Linux, Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All Floodlight deployments using StaticFlowEntryPusherResource with default configurations are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete compromise of the SDN controller, enabling network-wide disruption, data interception, or lateral movement to connected systems.

🟠 Likely Case

Network flow manipulation allowing unauthorized traffic redirection, denial of service to specific network segments, or bypassing of security policies.

🟢 If Mitigated

Limited impact if proper network segmentation and controller access controls are implemented, potentially only affecting isolated management networks.

🌐 Internet-Facing: HIGH - Floodlight controllers exposed to the internet could be exploited directly, without authentication.
🏢 Internal Only: HIGH - Even internally, a compromised controller can affect the entire network infrastructure it manages.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network access to the Floodlight REST API (typically TCP port 8080). The vulnerability lies in the checkFlow function, which fails to properly validate the TCP/UDP port, group ID and table ID parameters of a submitted flow entry.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.2.1 or later

Vendor Advisory: https://github.com/floodlight/floodlight

Restart Required: Yes

Instructions:

1. Download Floodlight 1.2.1 or later from the official repository.
2. Stop the Floodlight service.
3. Replace the existing installation with the patched version.
4. Restart the Floodlight service.
5. Verify functionality.

🔧 Temporary Workarounds

Network Access Restriction (Linux)

Restrict access to the Floodlight REST API to trusted management networks only. TRUSTED_NETWORK is a placeholder for the management CIDR; because -A appends to the chain, these rules must come before any broader ACCEPT rule for port 8080 or the DROP will never be reached.

iptables -A INPUT -p tcp --dport 8080 -s TRUSTED_NETWORK -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP

Disable Static Flow Pusher (all platforms)

Temporarily disable the vulnerable StaticFlowEntryPusherResource module.

Edit floodlightdefault.properties:

net.floodlightcontroller.staticflowentry.StaticFlowEntryPusher.enable=false

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Floodlight controller from untrusted networks
  • Deploy network monitoring to detect anomalous flow modification attempts

🔍 How to Verify

Check if Vulnerable:

Check the Floodlight version: grep 'version' floodlight/logs/floodlight.log, or examine the build properties.

Check Version:

java -jar floodlight.jar --version

Verify Fix Applied:

Verify that the version is 1.2.1 or later, then exercise the StaticFlowEntryPusher API with out-of-range port, table ID and group ID values to confirm that they are rejected rather than accepted.
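As an added illustration (not Floodlight's own code), this Python snippet shows what "proper validation" of the fields named in this advisory means: every REST parameter arrives as a string and must be parsed and range-checked against the OpenFlow limits before it is used. The JSON field names and the OpenFlow 1.3 ranges are assumptions, and the narrowing helper only demonstrates what an unchecked value turns into when it is later stored in a 16-bit port field.

```python
import re

# OpenFlow 1.3 limits (assumed applicable to the Floodlight 1.2 static flow pusher).
PORT_RANGE = (0, 65535)          # TCP/UDP port: 16-bit field
TABLE_RANGE = (0, 254)           # 255 (OFPTT_ALL) is only meaningful for delete/stats requests
GROUP_RANGE = (0, 0xFFFFFF00)    # OFPG_MAX; larger values are reserved (OFPG_ALL, OFPG_ANY)

# Assumed JSON field names for the checked parameters (not Floodlight's exact schema).
BOUNDED_FIELDS = {
    "tcp_src": PORT_RANGE, "tcp_dst": PORT_RANGE,
    "udp_src": PORT_RANGE, "udp_dst": PORT_RANGE,
    "table": TABLE_RANGE, "group": GROUP_RANGE,
}

_INT = re.compile(r"^(0[xX][0-9a-fA-F]+|\d+)$")   # decimal or 0x-prefixed hex only

def parse_bounded(name, raw, lo, hi):
    """Parse a REST parameter string as a non-negative integer and enforce lo <= v <= hi.
    Returns (value, None) on success or (None, error) on failure; never raises."""
    text = "" if raw is None else str(raw).strip()
    if not _INT.match(text):                      # rejects '', '-1', '1e3', '12abc', 'abc'
        return None, f"{name}: not a non-negative integer: {raw!r}"
    value = int(text, 16) if text[:2].lower() == "0x" else int(text)
    if not lo <= value <= hi:
        return None, f"{name}: {value} outside [{lo}, {hi}]"
    return value, None

def narrow_to_16_bits(value):
    """What an unchecked value becomes if it is later stored in a 16-bit port field:
    65536 silently becomes port 0 and 70000 becomes 4464 (illustrative, not Floodlight's code)."""
    return value & 0xFFFF

def check_flow(entry):
    """Validate every bounded field present in a static-flow entry (a dict parsed from JSON).
    Returns a list of error strings; an empty list means the entry passed validation."""
    errors = []
    for key, (lo, hi) in BOUNDED_FIELDS.items():
        if key in entry:
            _, err = parse_bounded(key, entry[key], lo, hi)
            if err:
                errors.append(err)
    return errors

if __name__ == "__main__":
    # Constructed sample entries: one well-formed, one with out-of-range and malformed values.
    good = {"switch": "00:00:00:00:00:00:00:01", "name": "allow-ssh", "tcp_dst": "22", "table": "0"}
    bad = {"switch": "00:00:00:00:00:00:00:01", "name": "x", "tcp_dst": "70000", "table": "300", "group": "abc"}
    print("good:", check_flow(good))                     # []
    print("bad:", check_flow(bad))                       # three error strings
    print("70000 narrowed:", narrow_to_16_bits(70000))   # 4464
```

A patched controller should behave like check_flow on the bad entry: reject the request with an error instead of installing a flow with a silently wrapped port or an invalid table.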

📡 Detection & Monitoring

Log Indicators:

  • Invalid parameter errors in StaticFlowEntryPusher logs
  • Unexpected flow modification requests
  • Failed validation messages

Network Indicators:

  • Unusual REST API requests to port 8080 with malformed parameters
  • Abnormal OpenFlow message patterns

SIEM Query:

source="floodlight.log" AND ("StaticFlowEntryPusher" OR "checkFlow") AND (error OR invalid OR exception)
