Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 16 Jan 2018 15:12:37 +0000
From: Luke Hinds <lhinds@...hat.com>
To: oss-security <oss-security@...ts.openwall.com>
Subject: opendaylight-advisory: Multiple "expired" flows consume the memory
 resource of CONFIG DS

Issue

Multiple "expired" flows consume memory resources of CONFIG DS which
leads to Controller shutdown.

The following issue was discovered and reported by Vaibhav Hemant Dixit.

Summary

Multiple "expired" flows take up the memory resource of CONFIG DATASTORE
which leads to CONTROLLER shutdown.

Affected Services / Software

OpenFlow Plugin and OpenDayLight Controller.

Versions: Nitrogen, Carbon, Boron   Robert Varga, Anil Vishnoi -< please
verify versions affected (back to depreciated releases).

Discussion

If multiple different flows with "idle-timeout" and "hard-timeout" are
sent to the Openflow Plugin REST API, the expired flows will eventually
crash the controller once its resource allocations set with the JVM size
are exceeded.

Although the installed flows(with timeout set) are removed from network
(an thus also from controller's operations DS), the expired entries are
still present in CONFIG DS.

The attack can originate both from NORTH or SOUTH. The above description
is for a north bound attack. A south bound attack can originate when an
attacker attempts a flow flooding attack and since flows come with
timeouts, the attack is not successful. However, the attacker will now
be successful in CONTROLLER overflow attack (resource consumption).

Although, the network(actual flow tables) and operational DS are only
(~)1% occupied, the controller requests for resource consumption. This
happens because the installed flows get removed from the network upon
timeout.

Proposed patch

No patches have been made available, as this issue is mitigated by means
of a secure architecture (See Recommended Actions below).

Recommended Actions

Management API’s within OpenDayLight should only ever be deployed within
a segregated private network and never exposed to public networks, this
includes the OpenFlowPlugin. Further protections can be implemented by
deploying a rate limiting proxy (such as OpenRepose, HAProxy, nginx,
mod_ratelimit etc) or web application firewall.

CVE: CVE-2017-1000411

Regards,

Luke Hinds (OpenDayLight Security Manager)



Download attachment "signature.asc" of type "application/pgp-signature" (489 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.