CVE-2022-29608

7.5 HIGH

📋 TL;DR

This vulnerability in ONOS (Open Network Operating System) allows attackers to create network loops by crafting malicious intents with intermediate port specifications. This affects organizations using ONOS for software-defined networking, potentially causing network degradation or denial of service.

💻 Affected Systems

Products:
  • ONOS (Open Network Operating System)
Versions: 2.5.1 (specific version mentioned in CVE)
Operating Systems: Linux-based systems running ONOS
Default Config Vulnerable: ⚠️ Yes
Notes: Affects ONOS deployments using the Intent Framework for network path programming.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Network-wide denial of service due to broadcast storms and resource exhaustion, potentially disrupting all network communications.

🟠 Likely Case: Localized network performance degradation, packet loss, and intermittent connectivity issues affecting specific network segments.

🟢 If Mitigated: Minimal impact with proper network segmentation and monitoring that can quickly detect and isolate loops.

🌐 Internet-Facing: MEDIUM - While ONOS controllers are typically internal, exposed management interfaces could allow exploitation.
🏢 Internal Only: HIGH - Internal attackers or compromised systems can exploit this to disrupt critical network infrastructure.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires access to ONOS API or management interface to submit malicious intents. Academic research paper exists but no public exploit code.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Later versions of ONOS (check ONOS project for specific fixed version)

Vendor Advisory: https://wiki.onosproject.org/display/ONOS/Security+Advisories

Restart Required: Yes

Instructions:

1. Check ONOS security advisories for patch details.
2. Upgrade to the patched ONOS version.
3. Restart ONOS controller services.
4. Verify intent framework functionality.

🔧 Temporary Workarounds

Intent Validation Restriction

Platform: linux

Implement input validation to reject intents with intermediate ports in path specifications

# Requires ONOS application development
# Implement custom intent validator that checks for intermediate ports
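The following is an added example of such a validator, not code from ONOS or from the advisory. It guards intent documents before they are submitted to the controller (for instance in a proxy in front of the ONOS REST API). It assumes intents are JSON objects and that intermediate ports appear either as a top-level "waypoints" list or inside a constraint whose "type" is "WaypointConstraint"; those field names are assumed for illustration and must be matched to the payloads a given deployment actually uses. The application id and all sample payloads are constructed.

```python
"""Pre-submission guard for ONOS intent JSON (added example, not ONOS code).

Assumed (not taken from the advisory): intents arrive as JSON objects, and
intermediate ports are expressed as a top-level "waypoints" list or inside a
constraint of type "WaypointConstraint". Adapt the field names to the real
payloads before deploying.
"""
import json

# Constraint types assumed to pin a path through intermediate ports.
PATH_PINNING_CONSTRAINTS = {"WaypointConstraint"}


def intermediate_ports(intent: dict) -> list:
    """Collect every intermediate port reference carried by an intent."""
    found = list(intent.get("waypoints", []))
    for constraint in intent.get("constraints", []):
        if isinstance(constraint, dict) and constraint.get("type") in PATH_PINNING_CONSTRAINTS:
            found.extend(constraint.get("waypoints", []))
    return found


def validate_intent(raw: str) -> tuple:
    """Return (accepted, reason) for one intent document.

    Only endpoint-to-endpoint intents pass: any intent that names an
    intermediate port is refused before it reaches the controller.
    """
    try:
        intent = json.loads(raw)
    except json.JSONDecodeError as exc:
        return False, f"malformed JSON: {exc.msg}"
    if not isinstance(intent, dict) or "type" not in intent:
        return False, "intent must be a JSON object with a 'type' field"
    hops = intermediate_ports(intent)
    if hops:
        return False, f"rejected: {len(hops)} intermediate port(s) specified"
    return True, "accepted"


# Constructed sample payloads (not captured from a real controller).
SAFE_INTENT = json.dumps({
    "type": "PointToPointIntent",
    "appId": "org.example.intent-guard",  # placeholder application id
    "priority": 100,
    "ingressPoint": {"device": "of:0000000000000001", "port": "1"},
    "egressPoint": {"device": "of:0000000000000002", "port": "2"},
})

WAYPOINT_INTENT = json.dumps({
    "type": "PointToPointIntent",
    "appId": "org.example.intent-guard",
    "priority": 100,
    "ingressPoint": {"device": "of:0000000000000001", "port": "1"},
    "egressPoint": {"device": "of:0000000000000002", "port": "2"},
    "constraints": [
        {"type": "WaypointConstraint", "waypoints": ["of:0000000000000003"]},
    ],
})

if __name__ == "__main__":
    for label, doc in (("safe", SAFE_INTENT), ("waypoint", WAYPOINT_INTENT)):
        accepted, reason = validate_intent(doc)
        print(f"{label}: {'ACCEPT' if accepted else 'REJECT'} ({reason})")
```

The guard is deliberately strict: it rejects rather than attempts to "repair" a path, because a controller-side fix is the only reliable remedy and the workaround only needs to keep loop-inducing intents out until the patch is applied.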

Network Loop Detection

Platform: all

Deploy network monitoring to detect and mitigate loops quickly

# Use tools like sFlow, NetFlow, or ONOS's own monitoring features
# Configure alerts for broadcast storm detection

🧯 If You Can't Patch

  • Restrict access to ONOS management interfaces using network ACLs and authentication
  • Implement strict intent submission policies and review all network path changes

🔍 How to Verify

Check if Vulnerable:

Check the ONOS version with the onos-version command or in the web UI. If 2.5.1 is running, the system is vulnerable.

Check Version:

onos-version

Verify Fix Applied:

After the upgrade, submit a test intent with intermediate ports; it should be rejected. Verify that no invalid flow rules are installed.

📡 Detection & Monitoring

Log Indicators:

  • Invalid flow rule installation logs
  • Intent submission errors
  • Network loop detection alerts

Network Indicators:

  • Unusual broadcast traffic patterns
  • High port utilization on switches
  • Packet TTL expiration alerts

SIEM Query:

source="onos" AND ("invalid flow" OR "loop detected" OR "intent error")
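As an added example (not from ONOS or the advisory), the SIEM query above can be reproduced as a small log scanner that flags the same three phrases and raises an alert once an indicator repeats. The pipe-separated log layout (timestamp | level | logger | message) is an assumption made for illustration, and every sample line below is constructed, not captured from a controller.

```python
"""Scan ONOS-style controller log lines for the indicators in the SIEM query.

Added example, not ONOS code. The log layout and every sample line are
constructed for illustration.
"""
import re
from collections import Counter

# The three phrases from the SIEM query, matched case-insensitively.
INDICATORS = {
    "invalid_flow": re.compile(r"invalid flow", re.IGNORECASE),
    "loop_detected": re.compile(r"loop detected", re.IGNORECASE),
    "intent_error": re.compile(r"intent error", re.IGNORECASE),
}

# A single loop detection is worth an alert; rejected flows or intent
# errors are only interesting once they repeat (assumed thresholds).
THRESHOLDS = {"invalid_flow": 2, "intent_error": 2, "loop_detected": 1}

# Constructed sample lines in the assumed layout (logger names are illustrative).
SAMPLE_LOG = """\
2022-05-01T10:00:01,120 | INFO  | IntentManager   | Intent 0x1 submitted by org.example.app
2022-05-01T10:00:01,340 | WARN  | FlowRuleManager | Invalid flow rule rejected on of:0000000000000003
2022-05-01T10:00:02,010 | ERROR | IntentManager   | Intent error: installation failed for 0x1
2022-05-01T10:00:02,500 | WARN  | FlowRuleManager | invalid flow rule rejected on of:0000000000000003
2022-05-01T10:00:03,001 | WARN  | LoopMonitor     | Loop detected between of:0000000000000001 and of:0000000000000003
2022-05-01T10:00:04,000 | INFO  | FlowRuleManager | Flow rule installed on of:0000000000000002
"""


def parse_line(line: str):
    """Split one pipe-separated line into (timestamp, level, logger, message)."""
    parts = [p.strip() for p in line.split("|", 3)]
    if len(parts) != 4:
        return None
    return tuple(parts)


def scan(log_text: str) -> list:
    """Return (timestamp, indicator, message) for each line matching an indicator."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        timestamp, _level, _logger, message = parsed
        for name, pattern in INDICATORS.items():
            if pattern.search(message):
                hits.append((timestamp, name, message))
                break  # one indicator per line is enough
    return hits


def should_alert(hits: list) -> dict:
    """Map each observed indicator to whether its count reached its threshold."""
    counts = Counter(name for _ts, name, _msg in hits)
    return {name: count >= THRESHOLDS[name] for name, count in counts.items()}


if __name__ == "__main__":
    matched = scan(SAMPLE_LOG)
    for timestamp, name, message in matched:
        print(f"{timestamp} {name:14} {message}")
    print(should_alert(matched))
```

Thresholds are per indicator rather than global so that a single "loop detected" line alerts immediately while an isolated rejected flow rule does not; tune them against the normal noise level of the deployment.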

🔗 References
