1222495 – (CVE-2024-28732) VUL-0: CVE-2024-28732: python-ryu: infinite loops in OpenFlow parsers

Bug 1222495 (CVE-2024-28732) - VUL-0: CVE-2024-28732: python-ryu: infinite loops in OpenFlow parsers

Summary: VUL-0: CVE-2024-28732: python-ryu: infinite loops in OpenFlow parsers

Status:	RESOLVED FIXED

Alias:	CVE-2024-28732

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Major
Target Milestone:	---
Assignee:	Cloud Bugs
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/400737/
Whiteboard:	CVSSv3.1:SUSE:CVE-2024-28732:7.5:(AV:...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2024-04-08 19:14 UTC by SMASH SMASH
Modified:	2024-04-12 13:42 UTC (History)
CC List:	5 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
parse error exception (2.40 KB, text/plain) 2024-04-09 11:05 UTC, Darragh O'Reilly	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description SMASH SMASH 2024-04-08 19:14:24 UTC

An issue was discovered in OFPMatch in parser.py in Faucet SDN Ryu version 4.34, allows remote attackers to cause a denial of service (DoS) (infinite loop).

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-28732
https://www.cve.org/CVERecord?id=CVE-2024-28732
https://gist.github.com/ErodedElk/1133d64dde2d92393a065edc9b243792
https://github.com/faucetsdn/ryu/issues/188

Comment 2 Camila Camargo de Matos 2024-04-08 19:18:29 UTC

No patch for this issue seems to be available as of 2024-04-08. In the upstream README file it is possible to confirm that there are no current maintainers for this package ('PLEASE READ: RYU NOT CURRENTLY MAINTAINED').

Comment 3 Darragh O'Reilly 2024-04-09 11:03:26 UTC

Can't reproduce on devstack rocky. The openflow controller is the neutron-openvswitch-agent and it listens on 127.0.0.1:6633 - so not accessible to remote attackers. 

The packet in the reproducer causes a parse exception which causes the loop to exit. There is a bug in the exception handler, but no infinite loop.

Comment 4 Darragh O'Reilly 2024-04-09 11:05:26 UTC

Created attachment 874160 [details]
parse error exception

Note: the neutron-openvswitch-agent continues to work fine after this. There is no denial of service, and no pegged cpus.

Comment 5 Darragh O'Reilly 2024-04-09 14:40:38 UTC

Checked soc8 and soc9. Both listen on localhost:6633. The reproducer in https://github.com/faucetsdn/ryu/issues/188 does not cause an infinite loop or denial of service of the neutron-openvswitch-agent openflow controller.