CVE-2018-1000155
CRITICALOpenFlow 1.0 onwards - Denial of Service and Improper Authorization via DPID Trust in Handshake
Title source: llmDescription
OpenFlow version 1.0 onwards contains a Denial of Service and Improper authorization vulnerability in OpenFlow handshake: The DPID (DataPath IDentifier) in the features_reply message are inherently trusted by the controller. that can result in Denial of Service, Unauthorized Access, Network Instability. This attack appear to be exploitable via Network connectivity: the attacker must first establish a transport connection with the OpenFlow controller and then initiate the OpenFlow handshake.
References (1)
Core 1
Core References
Mailing List, Third Party Advisory x_refsource_misc
http://users.sec.t-labs.tu-berlin.de/~hashkash/openflow/BrianOnosSecurityRequest.pdf
Scores
CVSS v3
9.8
EPSS
0.0121
EPSS Percentile
64.6%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-863
Status
published
Products (1)
opennetworking/openflow
Published
May 24, 2018
Tracked Since
Feb 18, 2026