CVE-2018-1078 in Carbon SR3

Summary

by MITRE

OpenDayLight version Carbon SR3 and earlier contain a vulnerability during node reconciliation that can result in traffic flows that should be expired or should expire shortly being re-installed and their timers reset resulting in traffic being allowed that should be expired.

Analysis

by VulDB Data Team • 01/14/2020

The vulnerability identified as CVE-2018-1078 affects OpenDayLight versions Carbon SR3 and earlier, specifically within the node reconciliation process. This represents a critical flaw in the software-defined networking (SDN) controller's ability to manage and maintain accurate flow table states across network nodes. The issue stems from improper handling of flow expiration mechanisms during reconciliation operations, which can lead to persistent network traffic flows that should have been terminated according to their configured timeouts.

The technical root cause of this vulnerability lies in the reconciliation algorithm's failure to properly account for flow expiration timers when processing node state updates. During node reconciliation, the system should accurately determine which flows have expired and remove them from the forwarding tables while preserving active flows. However, the flawed implementation causes the system to incorrectly reset expiration timers for flows that should be removed, effectively prolonging their validity beyond the intended timeframes. This behavior creates a persistent state where traffic flows remain active in the network even after their designated expiration periods, violating fundamental network security and resource management principles.

The operational impact of this vulnerability extends beyond simple traffic management issues, as it fundamentally compromises the integrity of the network's flow table maintenance processes. Network administrators may observe unexpected traffic patterns where old flows continue to forward packets despite having expired, potentially leading to resource exhaustion as inactive flows accumulate in the forwarding tables. The vulnerability creates a window where malicious actors could exploit the prolonged flow lifetimes to maintain unauthorized access paths or disrupt normal network operations. This directly contradicts what is expected of SDN controllers, which should maintain precise control over flow lifetimes and ensure proper cleanup of expired resources.

The flaw manifests particularly in scenarios involving node failures, network topology changes, or regular reconciliation processes where the controller attempts to synchronize flow states across distributed network elements. When reconciliation occurs, the system's improper timer handling causes it to re-install flows that should have been removed, effectively resetting their expiration countdowns. This creates a cascading effect where flows can persist indefinitely, consuming network resources and potentially allowing unauthorized traffic patterns to continue operating within the network infrastructure.

From a security perspective, this vulnerability aligns with CWE-691, which addresses insufficient control flow management, and relates to ATT&CK technique T1071.004 (Application Layer Protocol: DNS), where prolonged flow lifetimes could enable extended periods of unauthorized network activity. The vulnerability also demonstrates characteristics of CWE-129, insufficient input validation, as the system fails to properly validate the expiration state of flows during reconciliation operations. Organizations using affected OpenDayLight versions should implement immediate mitigations including upgrading to patched versions, implementing additional monitoring for anomalous flow behavior, and establishing more frequent reconciliation intervals to minimize the window of vulnerability.

The remediation strategy involves upgrading to OpenDayLight versions that have addressed this reconciliation flaw through proper timer management and flow state validation. Additionally, network administrators should implement comprehensive monitoring solutions that can detect unusual flow persistence patterns and alert on flows that remain active beyond expected expiration periods. Configuration changes may include implementing stricter flow timeout values and enhanced reconciliation policies that prevent the reinstallation of expired flows. Organizations should also conduct thorough network audits to identify and remove any existing flows that may have been affected by this vulnerability during the period when the system was running vulnerable versions.
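As an added example (not VulDB's or OpenDaylight's code), one way to implement the monitoring recommended above is to poll each switch's flow table and flag entries whose `duration_sec` counter went backwards (a re-install) and that have since outlived their `hard_timeout`. The `FlowStat` record, `find_overdue_flows`, and the sample snapshots are constructed for illustration; the check assumes hard timeouts only and treats a flow missing from a poll as ended.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class FlowStat:  # field names follow the OpenFlow flow-stats reply
    table_id: int
    priority: int
    match: str
    hard_timeout: int   # seconds; 0 means no hard expiry
    duration_sec: int   # seconds since the switch installed this entry

def find_overdue_flows(snapshots, jitter=1):
    """snapshots: time-ordered list of (poll_time_sec, [FlowStat, ...]).
    Returns (poll_time, key, age, hard_timeout) for each flow whose duration
    counter went backwards (re-install) and whose total time in the table
    has since exceeded its hard_timeout."""
    state = {}  # key -> [first_installed, last_poll, last_duration, reset_seen]
    alerts, alerted = [], set()
    for now, flows in snapshots:
        seen = set()
        for f in flows:
            key = (f.table_id, f.priority, f.match)
            seen.add(key)
            if key not in state:
                state[key] = [now - f.duration_sec, now, f.duration_sec, False]
                continue
            st = state[key]
            # A live entry's duration grows in step with wall-clock time.
            if f.duration_sec < st[2] + (now - st[1]) - jitter:
                st[3] = True
            st[1], st[2] = now, f.duration_sec
            age = now - st[0]
            if st[3] and f.hard_timeout and age > f.hard_timeout and key not in alerted:
                alerted.add(key)
                alerts.append((now, key, age, f.hard_timeout))
        # A flow missing from a poll has ended; a later re-add starts afresh.
        for key in set(state) - seen:
            del state[key]
            alerted.discard(key)
    return alerts

# Constructed sample: flow A (hard_timeout 60 s) is re-installed near t=55,
# flow B (hard_timeout 300 s) ages normally.
MATCH_A, MATCH_B = "ip,nw_dst=10.0.0.5", "arp"
SAMPLE = [
    (t, [FlowStat(0, 100, MATCH_A, 60, dur_a), FlowStat(0, 50, MATCH_B, 300, t)])
    for t, dur_a in [(30, 30), (50, 50), (70, 15), (90, 35)]
]

if __name__ == "__main__":
    print(find_overdue_flows(SAMPLE))
```

The poll interval should be shorter than the smallest `hard_timeout` in use, otherwise an entry can expire and be re-installed between two polls and look like an ordinary new flow.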

Reservation: 12/04/2017
Disclosure: 03/16/2018
Moderation: accepted
CPE: ready
EPSS: 0.00369
KEV: no
Activities: very low
