CVE-2025-29310
📋 TL;DR
A critical vulnerability in ONOS v2.7.0 allows attackers to execute arbitrary commands or access network information by sending a specially crafted LLDP packet. This affects any system running the vulnerable ONOS version that processes LLDP packets. Attackers can potentially gain full control of affected network controllers.
💻 Affected Systems
- ONOS (Open Network Operating System)
📦 What is this software?
ONOS by Opennetworking
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the ONOS controller allowing attackers to execute arbitrary commands, modify network configurations, intercept traffic, and potentially pivot to other network systems.
Likely Case
Unauthorized access to network information, potential denial of service, and limited command execution within the ONOS environment.
If Mitigated
Limited impact if network segmentation prevents external access to ONOS management interfaces and LLDP packet filtering is implemented.
🎯 Exploit Status
The GitHub gist contains technical details and likely exploit code. Attackers can craft malicious LLDP packets without authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: Not available
Restart Required: No
Instructions:
1. Monitor ONOS project announcements for patches.
2. Consider upgrading to a newer version if available.
3. Apply workarounds immediately.
🔧 Temporary Workarounds
Block LLDP packets to ONOS
Linux: Configure network firewalls or ONOS itself to drop or filter LLDP packets before they reach the vulnerable component.
# Example rule to drop LLDP (EtherType 0x88cc) on the ONOS host.
# iptables filters at layer 3 and cannot match an EtherType, so use ebtables,
# which applies to frames received on Linux bridge ports.
ebtables -A INPUT -p 0x88cc -j DROP
Network segmentation
All platforms: Isolate ONOS management interfaces from untrusted networks and limit which systems can send LLDP packets to ONOS.
🧯 If You Can't Patch
- Implement strict network access controls to limit which systems can communicate with ONOS management interfaces.
- Deploy intrusion detection systems to monitor for suspicious LLDP traffic patterns and potential exploitation attempts.
🔍 How to Verify
Check if Vulnerable:
Check ONOS version: cat $ONOS_HOME/VERSION or via ONOS CLI. If version is 2.7.0, the system is vulnerable.
Check Version:
cat /opt/onos/VERSION 2>/dev/null || echo 'Check ONOS installation directory'
Verify Fix Applied:
Verify that LLDP packet filtering is working by attempting to send LLDP packets and confirming they are blocked/dropped.
📡 Detection & Monitoring
Log Indicators:
- Unusual LLDP packet processing errors
- Unexpected command execution in ONOS logs
- Abnormal network configuration changes
Network Indicators:
- Malformed LLDP packets directed at ONOS management IPs
- Unusual outbound connections from ONOS controller
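As an added example (not code from the ONOS project or from this advisory), the Python below shows a structural check a sensor can run on captured frames to flag malformed LLDP. It validates generic IEEE 802.1AB TLV framing only, because this page does not describe the specific malformation; the names `lldp_anomalies` and `tlv` and the sample frames are constructed for illustration, and untagged Ethernet frames are assumed.

```python
import struct

LLDP_ETHERTYPE = 0x88CC
MANDATORY = (1, 2, 3)  # Chassis ID, Port ID, TTL must come first, in this order
# Allowed value lengths for End (0) and the mandatory TLVs (IEEE 802.1AB)
LENGTH_BOUNDS = {0: (0, 0), 1: (2, 256), 2: (2, 256), 3: (2, 2)}

def tlv(tlv_type, value):
    """Encode one TLV: 7-bit type and 9-bit length packed into two bytes."""
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value

def lldp_anomalies(frame):
    """Return a list of structural problems found in one Ethernet frame."""
    if len(frame) < 14:
        return ["frame shorter than an Ethernet header"]
    if int.from_bytes(frame[12:14], "big") != LLDP_ETHERTYPE:
        return ["not an LLDP frame"]
    problems, types, off, ended = [], [], 14, False
    while off < len(frame):
        if off + 2 > len(frame):
            problems.append(f"truncated TLV header at offset {off}")
            break
        (hdr,) = struct.unpack_from("!H", frame, off)
        tlv_type, tlv_len = hdr >> 9, hdr & 0x1FF
        off += 2
        if off + tlv_len > len(frame):
            problems.append(f"TLV type {tlv_type} claims {tlv_len} bytes, only {len(frame) - off} left")
            break
        lo, hi = LENGTH_BOUNDS.get(tlv_type, (0, 511))
        if not lo <= tlv_len <= hi:
            problems.append(f"TLV type {tlv_type} has invalid length {tlv_len}")
        types.append(tlv_type)
        off += tlv_len
        if tlv_type == 0:  # End of LLDPDU; anything after it is Ethernet padding
            ended = True
            break
    if tuple(types[:3]) != MANDATORY:
        problems.append("mandatory Chassis ID / Port ID / TTL TLVs missing or out of order")
    if not ended:
        problems.append("no End of LLDPDU TLV")
    return problems

# Constructed sample frames: one well-formed, one with an over-long length field
ETH = bytes.fromhex("0180c200000e") + bytes.fromhex("020000000001") + b"\x88\xcc"
GOOD = ETH + tlv(1, b"\x04" + bytes(6)) + tlv(2, b"\x071") + tlv(3, b"\x00\x78") + tlv(0, b"")
BAD = ETH + tlv(1, b"\x04" + bytes(6)) + struct.pack("!H", (2 << 9) | 300) + b"\x071"
```

A non-empty result for a frame addressed to the controller is a reason to inspect it, not proof of an exploitation attempt.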
SIEM Query:
source="onos" AND ("LLDP" OR "deserialization" OR "packet processing error")