CVE-2022-29606 – A vulnerability in ONOS 2.5.1 allows network op... (How to Fix)

Q: What is the severity of CVE-2022-29606?

CVE-2022-29606 has a CVSS score of 9.8 (CRITICAL). A vulnerability in ONOS 2.5.1 allows network operators to create intents with large port numbers that cause system inconsistencies. When exploited, this leads to misleading CORRUPT state displays and mismatches between intent and flow rules, potentially disrupting network operations. This affects organizations using ONOS for software-defined networking.

📋 TL;DR

A vulnerability in ONOS 2.5.1 allows network operators to create intents with large port numbers that cause system inconsistencies. When exploited, this leads to misleading CORRUPT state displays and mismatches between intent and flow rules, potentially disrupting network operations. This affects organizations using ONOS for software-defined networking.

💻 Affected Systems

Products:

ONOS (Open Network Operating System)

Versions: 2.5.1 specifically (and potentially earlier versions with similar intent handling)

Operating Systems: Linux-based systems where ONOS is deployed

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects systems using ONOS intent framework with port-based intents. Requires operator access to create intents.

📦 What is this software?

Onos by Opennetworking

View all CVEs affecting Onos →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Network-wide disruption with inconsistent flow rules causing traffic blackholing, routing loops, or complete network segmentation failures.

🟠

Likely Case

Network operators misled by incorrect CORRUPT state displays, leading to troubleshooting delays and potential misconfiguration of network policies.

🟢

If Mitigated

Minor operational confusion with no actual network impact if proper validation controls are implemented.

🌐 Internet-Facing: LOW - ONOS controllers are typically deployed in internal network management planes.

🏢 Internal Only: HIGH - Directly impacts network management and control plane operations.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: LOW - Requires authenticated operator access but simple to execute.

Exploitation requires network operator privileges to create intents with large port numbers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: ONOS versions after 2.5.1 (check latest stable release)

Vendor Advisory: https://wiki.onosproject.org/display/ONOS/Security+Advisories

Restart Required: Yes

Instructions:

1. Backup current ONOS configuration. 2. Upgrade to latest ONOS version. 3. Restart ONOS controller. 4. Verify intent framework functionality.

🔧 Temporary Workarounds

Input Validation for Intent Creation

all

Implement custom validation to reject intents with port numbers outside valid range (1-65535).

# Add validation in intent creation scripts/APIs
# Example: if port > 65535: reject intent

Operator Training and Policies

all

Train network operators to avoid creating intents with invalid port numbers and implement approval workflows.

🧯 If You Can't Patch

Implement strict input validation at API/CLI level for all intent creation operations
Monitor intent CORRUPT states and alert on unusual patterns or large port number usage

🔍 How to Verify

Check if Vulnerable:

Check ONOS version: if running 2.5.1, test by creating an intent with port number > 65535 and observing CORRUPT state behavior.

Check Version:

onos-version or check ONOS web UI dashboard for version information

Verify Fix Applied:

After upgrade, attempt to create intent with invalid port number - should be rejected with proper error message.

📡 Detection & Monitoring

Log Indicators:

Intent state transitions to CORRUPT
Error logs mentioning port validation failures
Intent creation attempts with large port numbers

Network Indicators:

Mismatch between configured intents and actual flow rules
Unexpected network traffic patterns

SIEM Query:

source="onos" AND ("CORRUPT" OR "port" AND "invalid")

📊 Metadata

CVE ID: CVE-2022-29606

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-20

Published: April 20, 2023

Last Updated: February 5, 2025

🔗 References

https://wiki.onosproject.org/display/ONOS/Intent+Framework Product
https://www.usenix.org/system/files/sec23fall-prepub-285_kim-jiwon.pdf Exploit,Technical Description,Third Party Advisory
https://wiki.onosproject.org/display/ONOS/Intent+Framework Product
https://www.usenix.org/system/files/sec23fall-prepub-285_kim-jiwon.pdf Exploit,Technical Description,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-29606, you might also want to check these: