OpenDaylight JIRA https://jira.opendaylight.org This file is an XML representation of an issue en-us 8.20.10 820010 22-06-2022 [OPNFLWPLUG-1012] Denial of Service, Improper Authentication and, Authorization, and Covert Channel in the OpenFlow 1.0+ handshake https://jira.opendaylight.org/browse/OPNFLWPLUG-1012 OpenFlowPlugin <p>The following CVE was raised against the OpenFlow Plugin, but we were informed after it went public, so creating this as an open Jira ticket with no security context label to keep it private:</p> <p><a href="http://www.openwall.com/lists/oss-security/2018/05/09/4" class="external-link" target="_blank" rel="nofollow noopener">http://www.openwall.com/lists/oss-security/2018/05/09/4</a></p> <p> We have identified issues with a popular Software-Defined Networking protocol, OpenFlow. Below are the details of the vulnerabilities. OpenFlow controller implementations should strongly consider addressing these issues, and OpenFlow adopters should be aware of such security risks.</p> <p>CVE-2018-1000155: Denial of Service, Improper Authentication and Authorization, and Covert Channel in the OpenFlow handshake Severity:</p> <p>Important Vendor: Open Networking Foundation (ONF), OpenFlow controllers</p> <p>Versions Affected: OpenFlow specification 1.0 onwards</p> <p>Description: The OpenFlow handshake does not require the controller to authenticate switches during the OpenFlow handshake. Furthermore, the controller is not required to authorize switches access to the controller. The absence of authentication and authorization in the OpenFlow handshake allows one or more malicious switches connected to an OpenFlow controller to cause Denial of Service attacks in certain OpenFlow controllers by spoofing OpenFlow switch identifiers known as DataPath Identifiers (DPIDs). Additionally, the lack of authentication and authorization in the OpenFlow handshake can be exploited by malicious switches for covert communications, bypassing data plane (and potentially control plane) security mechanisms. In particular, the OpenFlow "Features Reply" message sent by the switch is inherently trusted by the controller. Note that for the attacker to launch an attack, the OpenFlow switch must first establish a (secure) transport connection with the OpenFlow controller (e.g., TLS and TCP), and the switch must be controlled by the attacker.</p> <p>Mitigation: The attack can be deterred if OpenFlow connections are secured via the following hardened authentication scheme: Unique TLS certificates for switches, white-list of switch DPIDs at controllers which also includes the switches’ respective public-key certificate identifier, and lastly a controller mechanism that verifies the DPID announced in the OpenFlow handshake is over the TLS connection with the associated (DPID) certificate.</p> <p> A patch was developed and released by onos: <a href="https://github.com/opennetworkinglab/onos/commit/f69e3e34092139600404681798cebeefebcfa6c6" class="external-link" target="_blank" rel="nofollow noopener">https://github.com/opennetworkinglab/onos/commit/f69e3e34092139600404681798cebeefebcfa6c6</a></p> <p>Credit: Kashyap Thimmaraju (Technische Universität Berlin), Robert Krösche (Technische Universität Berlin), Liron Schiff (GuardiCore Labs) and Stefan Schmid (University of Vienna)</p> OPNFLWPLUG-1012 Denial of Service, Improper Authentication and, Authorization, and Covert Channel in the OpenFlow 1.0+ handshake Bug High Resolved Done Anil Vishnoi Luke Hinds Tue, 22 May 2018 09:15:01 +0000 Mon, 11 Jun 2018 16:02:59 +0000 Mon, 11 Jun 2018 16:02:59 +0000 0 4 <p><a href="https://jira.opendaylight.org/secure/ViewProfile.jspa?name=Avishnoi" class="user-hover" rel="Avishnoi">Avishnoi</a> please could you verify this as the PTL of OpenFlowPlugin.</p> <p><a href="https://jira.opendaylight.org/secure/ViewProfile.jspa?name=lukehinds" class="user-hover" rel="lukehinds">lukehinds</a> I believe OpenFlow plugin already supports the TLS connections between controller and switches. More details can be found on the following opendaylight documentation.</p> <p> </p> <p><a href="https://docs.opendaylight.org/en/stable-oxygen/user-guide/authentication-and-authorization-services.html?highlight=management#id4" class="external-link" target="_blank" rel="nofollow noopener">https://docs.opendaylight.org/en/stable-oxygen/user-guide/authentication-and-authorization-services.html?highlight=management#id4</a></p> <p><a href="https://wiki.opendaylight.org/view/OpenDaylight_OpenFlow_Plugin:_TLS_Support" class="external-link" target="_blank" rel="nofollow noopener">https://wiki.opendaylight.org/view/OpenDaylight_OpenFlow_Plugin:_TLS_Support</a></p> <p> </p> <p><a href="https://jira.opendaylight.org/secure/ViewProfile.jspa?name=ecelgp" class="user-hover" rel="ecelgp">ecelgp</a> You recently tested the secure connection (TLS) functionality supported by openflowplugin, do you have any more details to  add to this ticket that user can leverage to setup their environment securely to avoid this attack ?</p> <p> </p> <p>We support TLS authentication for dataplane switches from long time back. These settings are not enabled by default but we understand whoever wants to deploy the OF plugin in production will do that.</p> <p>Also I see a contradiction in the security note:</p> <p>1) "Note that for the attacker to launch an attack, the OpenFlow switch must first establish a (secure) transport connection with the OpenFlow controller"</p> <p>This is also my understanding, no OF negotiation will happen until TLS session is established, so TLS (if supported) effectively protects the OF session.</p> <p>2) In the Mitigation section they suggest a hardening schema including "white-list of switch DPIDs", this for me is an extra layer of security but if TLS is correctly configured with all required switches public certificates I do not see a need for this, unless I am missing something here.</p> <p>Makes sense to me, and this really comes down to standard security measures.</p> <p> </p> <p>&gt; These settings are not enabled by default but we understand whoever wants to deploy the OF plugin in production will do that.</p> <p> </p> <p>Maybe what we could do is add a recommendation that operators deploy with TLS in production and then point to the TLS_Support wiki page on how to set up. Now I know this is likely obvious to us and most users, but at least this way we have it clearly outlined and its easier to find for anyone using <span class="error">&#91;1&#93;</span></p> <p><span class="error">&#91;1&#93;</span> <a href="https://docs.opendaylight.org/en/stable-oxygen/user-guide/openflow-plugin-project-user-guide.html" class="external-link" target="_blank" rel="nofollow noopener">https://docs.opendaylight.org/en/stable-oxygen/user-guide/openflow-plugin-project-user-guide.html</a></p> <p> </p> <p>With that I would be happy to close this as won't fix. </p> <p> </p> <p>Sounds good?</p> <p><a href="https://jira.opendaylight.org/secure/ViewProfile.jspa?name=lukehinds" class="user-hover" rel="lukehinds">lukehinds</a> Make sense to me.</p> <p><a href="https://jira.opendaylight.org/secure/ViewProfile.jspa?name=Avishnoi" class="user-hover" rel="Avishnoi">Avishnoi</a> <a href="https://git.opendaylight.org/gerrit/72745" class="external-link" target="_blank" rel="nofollow noopener">https://git.opendaylight.org/gerrit/72745</a></p> Development Rank 0|i03esn: