CVE-2025-29312

9.1 CRITICAL

📋 TL;DR

This vulnerability in ONOS (Open Network Operating System) v2.7.0 allows attackers to trigger unexpected behavior in devices connected to legacy switches by manipulating link types from indirect to direct. This affects organizations using ONOS for software-defined networking with legacy switch infrastructure. The high CVSS score indicates significant potential impact on network operations.

💻 Affected Systems

Products:
  • ONOS (Open Network Operating System)
Versions: v2.7.0
Operating Systems: Linux-based systems running ONOS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments with legacy switches connected to the ONOS controller. Modern SDN switches may not be vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete network disruption, unauthorized network reconfiguration, potential data interception or manipulation across affected segments, and denial of service to connected devices.

🟠 Likely Case

Network instability, intermittent connectivity issues for devices connected through legacy switches, and potential unauthorized network topology changes.

🟢 If Mitigated

Limited to isolated network segments with proper segmentation and monitoring, causing minor operational disruptions that can be quickly detected and remediated.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires network access to the ONOS controller and knowledge of legacy switch connections. The GitHub gist provides technical details but not full exploit code.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

1. Monitor ONOS project updates for patch release
2. Consider upgrading to newer ONOS versions if compatible
3. Apply workarounds until official fix is available

🔧 Temporary Workarounds

Network Segmentation (Linux)

Isolate ONOS controller and legacy switch management interfaces from untrusted networks

# Configure firewall rules to restrict access to ONOS controller
# Example: iptables -A INPUT -s trusted_network -p tcp --dport 8181 -j ACCEPT
# iptables -A INPUT -p tcp --dport 8181 -j DROP

Access Control Lists (all platforms)

Implement strict ACLs on legacy switches to prevent unauthorized link type changes

# Configure switch ACLs via CLI
# Example for Cisco: access-list 100 deny tcp any any eq 8181
# access-list 100 permit ip any any

🧯 If You Can't Patch

  • Implement network monitoring to detect unexpected link type changes
  • Restrict administrative access to ONOS controller to essential personnel only

🔍 How to Verify

Check if Vulnerable:

Check ONOS version: curl -s http://onos-controller:8181/onos/v1/docs/ | grep 'version'

Check Version:

curl -s http://onos-controller:8181/onos/v1/docs/ | grep -o '"version":"[^"]*"'

Verify Fix Applied:

Monitor for patch announcements from ONOS project and verify version after update

📡 Detection & Monitoring

Log Indicators:

  • Unexpected link type changes in ONOS logs
  • Legacy switch connection anomalies
  • Network topology change events without authorization

Network Indicators:

  • Unusual traffic patterns between ONOS controller and legacy switches
  • Unexpected protocol messages on switch management interfaces

SIEM Query:

source="onos.log" AND ("link type change" OR "indirect to direct")
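
One way to implement the link-type monitoring listed above, as an added example (not code from the ONOS project or the referenced gist): it compares two snapshots of the controller's link list and flags any link whose type flips from INDIRECT to DIRECT. The snapshot shape is assumed to follow the ONOS REST endpoint /onos/v1/links; the device IDs and sample data are constructed.

```python
import copy
import json

# Constructed sample shaped like the response of GET /onos/v1/links
# (assumed fields: src/dst device+port, type, state). Device IDs are made up.
BEFORE = {"links": [
    {"src": {"device": "of:0000000000000001", "port": "1"},
     "dst": {"device": "of:0000000000000002", "port": "1"},
     "type": "DIRECT", "state": "ACTIVE"},
    {"src": {"device": "of:0000000000000002", "port": "3"},
     "dst": {"device": "of:0000000000000003", "port": "2"},
     "type": "INDIRECT", "state": "ACTIVE"},
]}

# Later snapshot: the indirect link is now reported as DIRECT, and one
# brand-new link appears (new links are not type changes).
AFTER = copy.deepcopy(BEFORE)
AFTER["links"][1]["type"] = "DIRECT"
AFTER["links"].append(
    {"src": {"device": "of:0000000000000003", "port": "4"},
     "dst": {"device": "of:0000000000000001", "port": "2"},
     "type": "DIRECT", "state": "ACTIVE"})


def index_links(snapshot):
    """Map (src device, src port, dst device, dst port) -> link type."""
    out = {}
    for link in snapshot.get("links", []):
        key = (link["src"]["device"], str(link["src"]["port"]),
               link["dst"]["device"], str(link["dst"]["port"]))
        out[key] = link.get("type", "UNKNOWN")
    return out


def link_type_changes(before, after):
    """Return one alert per link whose type differs between two snapshots."""
    old, new = index_links(before), index_links(after)
    alerts = []
    for key in sorted(old.keys() & new.keys()):  # links present in both
        if old[key] != new[key]:
            flip = (old[key], new[key]) == ("INDIRECT", "DIRECT")
            alerts.append({"link": "%s/%s -> %s/%s" % key,
                           "old": old[key], "new": new[key],
                           "severity": "high" if flip else "info"})
    return alerts


if __name__ == "__main__":
    for alert in link_type_changes(BEFORE, AFTER):
        print(json.dumps(alert))
```

In a deployment the two snapshots would come from periodic authenticated polls of the controller, with alerts forwarded to the SIEM.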
