CVE-2023-41591

9.8 CRITICAL

📋 TL;DR

CVE-2023-41591 is an authentication bypass vulnerability in the ONOS SDN controller that allows attackers to spoof IP/MAC addresses. This enables man-in-the-middle attacks on network communications between hosts. Organizations using ONOS v2.7.0 for software-defined networking are affected.

💻 Affected Systems

Products:
  • Open Network Foundation ONOS
Versions: v2.7.0
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Affects ONOS deployments using default configurations. Requires network access to the ONOS controller.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete network compromise allowing interception, modification, and redirection of all traffic between hosts, potentially leading to data theft, service disruption, and lateral movement.

🟠 Likely Case

Selective traffic interception and manipulation between specific hosts, enabling data exfiltration, credential theft, and service disruption.

🟢 If Mitigated

Limited impact through network segmentation and monitoring, with potential for isolated traffic manipulation if other controls fail.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The exploit requires network access to the controller but no authentication. A public proof-of-concept is available in a GitHub gist.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v2.7.1 or later

Vendor Advisory: https://wiki.onosproject.org/pages/viewpage.action?pageId=16122675

Restart Required: Yes

Instructions:

1. Back up the current ONOS configuration.
2. Download and install ONOS v2.7.1 or later from the official repository.
3. Restart the ONOS service.
4. Verify the version and functionality.

🔧 Temporary Workarounds

Network Segmentation (all)

Isolate the ONOS controller network from untrusted networks using firewalls and VLANs.

MAC Address Filtering (all)

Implement strict MAC address filtering on network switches to prevent spoofing.

🧯 If You Can't Patch

  • Implement strict network access controls to limit who can reach the ONOS controller
  • Deploy network monitoring and IDS/IPS to detect and block spoofing attempts

🔍 How to Verify

Check if Vulnerable:

Check the ONOS version: if it reports v2.7.0, the system is vulnerable.

Check Version:

Run onos-version, or read the /opt/onos/VERSION file.

Verify Fix Applied:

Verify that the ONOS version is v2.7.1 or later, and test that IP/MAC address validation works as expected.
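The version check above, as an added helper script (not part of this advisory or of the ONOS project). It assumes the VERSION file holds a single version string such as 2.7.0, v2.7.1 or 2.8.0-SNAPSHOT; the classification only reflects what this advisory states (v2.7.0 affected, v2.7.1 or later fixed), so versions earlier than 2.7.0 are reported as not listed rather than guessed at.

```python
import re
import sys

# Versions this advisory names. Earlier releases are not covered here.
VULNERABLE_VERSIONS = {(2, 7, 0)}
FIXED_IN = (2, 7, 1)

# Accepts "2.7.0", "v2.7.1", "2.8.0-SNAPSHOT" (suffix ignored). Assumed format.
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_onos_version(text):
    """Return (major, minor, patch) from a version string, or None if unparsable."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def assess_version(text):
    """Classify a version string against the advisory's affected/fixed versions."""
    version = parse_onos_version(text)
    if version is None:
        return "unknown"
    if version in VULNERABLE_VERSIONS:
        return "vulnerable"
    if version >= FIXED_IN:
        return "patched"
    # Older than the affected release: the advisory says nothing about it.
    return "not listed"


def assess_version_file(path="/opt/onos/VERSION"):
    """Read the VERSION file and classify it; missing file yields 'unknown'."""
    try:
        with open(path, encoding="utf-8") as fh:
            return assess_version(fh.read())
    except OSError:
        return "unknown"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/opt/onos/VERSION"
    print(f"{target}: {assess_version_file(target)}")
```

If onos-version is available, its output can be piped into assess_version() the same way; the tuple comparison keeps the check correct for 2.10.x, which a plain string comparison against "2.7.1" would get wrong.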

📡 Detection & Monitoring

Log Indicators:

  • Unexpected IP/MAC address registrations
  • Multiple hosts with same MAC
  • ARP spoofing alerts

Network Indicators:

  • Unusual ARP traffic
  • Duplicate IP addresses
  • Unexpected MAC address changes

SIEM Query:

source="onos" AND ("duplicate mac" OR "spoof" OR "unauthorized registration")
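The log and network indicators above, as an added detection example (not from this advisory, and not ONOS code): it scans host-registration events and flags a MAC that is registered at more than one switch location, and an IP that becomes bound to more than one MAC. The log line layout and the sample lines are constructed for the example; real ONOS host-provider messages are worded differently, so the regular expression has to be adapted to the deployment's log format.

```python
import re
from collections import defaultdict

# Constructed sample log, not real ONOS output. Line 3 moves a known MAC to a
# new location; line 4 registers a second MAC for an IP already in use.
SAMPLE_LOG = """\
2023-09-01 10:00:01 INFO HostManager host added id=00:11:22:33:44:55/None ip=10.0.0.10 location=of:0000000000000001/1
2023-09-01 10:00:02 INFO HostManager host added id=00:11:22:33:44:66/None ip=10.0.0.11 location=of:0000000000000001/2
2023-09-01 10:05:30 INFO HostManager host updated id=00:11:22:33:44:55/None ip=10.0.0.10 location=of:0000000000000002/7
2023-09-01 10:05:31 INFO HostManager host added id=aa:bb:cc:dd:ee:ff/None ip=10.0.0.10 location=of:0000000000000002/7
"""

# Assumed line format: "host added|updated id=<mac>/<vlan> ip=<ip> location=<device/port>".
EVENT_RE = re.compile(
    r"host (?:added|updated) id=(?P<mac>[0-9a-f:]{17})/\S+ ip=(?P<ip>[\d.]+) location=(?P<loc>\S+)"
)


def parse_host_events(text):
    """Yield {'mac', 'ip', 'loc'} for every line that looks like a host registration."""
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            yield m.groupdict()


def find_anomalies(text):
    """Return a list of (kind, key, values) alerts, in the order they are first seen.

    mac_moved:   one MAC registered at more than one location (same MAC, multiple hosts)
    ip_conflict: one IP bound to more than one MAC (duplicate IP / unexpected MAC change)
    """
    mac_locations = defaultdict(set)
    ip_macs = defaultdict(set)
    alerts = []
    for ev in parse_host_events(text):
        mac_locations[ev["mac"]].add(ev["loc"])
        ip_macs[ev["ip"]].add(ev["mac"])
        if len(mac_locations[ev["mac"]]) > 1:
            alerts.append(("mac_moved", ev["mac"], sorted(mac_locations[ev["mac"]])))
        if len(ip_macs[ev["ip"]]) > 1:
            alerts.append(("ip_conflict", ev["ip"], sorted(ip_macs[ev["ip"]])))
    return alerts


if __name__ == "__main__":
    for kind, key, values in find_anomalies(SAMPLE_LOG):
        print(f"{kind}: {key} -> {', '.join(values)}")
```

A legitimate host move (a laptop re-plugged into another port) also produces mac_moved, so in a live SIEM these alerts are best correlated with change records or a short time window; an ip_conflict with no corresponding change is the stronger indicator of the spoofing this advisory describes.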
