SB2018052811 - Authentication bypass in Open Networking Foundation OpenFlow
Published: May 28, 2018
Security Bulletin ID
SB2018052811
Severity
Low
Patch available
NO
Number of vulnerabilities
1
Exploitation vector
Adjecent network
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Authentication bypass (CVE-ID: CVE-2018-1000155)
The vulnerability allows an adjacent attacker to bypass authentication on the target system.The weakness exists due to improper authentication and authorization between an affected OpenFlow controller and a switch communicating with the controller during an OpenFlow handshake. An adjacent attacker who has access to a switch and is able to establish a secure connection with a targeted OpenFlow controller can spoof DataPath Identifiers (DPIDs), send features_reply messages from the switch that the targeted controller would inherently trust and cause the service to crash or bypass security restrictions.
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.