CVE-2022-24109 — MEDIUM (6.5)

Vulnerability Description

An issue was discovered in ONOS 2.5.1. To attack an intent installed by a normal user, a remote attacker can install a duplicate intent with a different key, and then remove the duplicate one. This will remove the flow rules of the intent, even though the intent still exists in the controller.

CVSS Score

6.5

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

LOW

Availability

LOW

Affected Products

Vendor	Product	Versions
Opennetworking	Onos	2.5.1

Related Weaknesses (CWE)

CWE-400

References

https://wiki.onosproject.org/display/ONOS/Intent+FrameworkProduct
https://www.usenix.org/system/files/sec23fall-prepub-285_kim-jiwon.pdfExploitTechnical DescriptionThird Party Advisory
https://wiki.onosproject.org/display/ONOS/Intent+FrameworkProduct
https://www.usenix.org/system/files/sec23fall-prepub-285_kim-jiwon.pdfExploitTechnical DescriptionThird Party Advisory

FAQ

What is CVE-2022-24109?

CVE-2022-24109 is a vulnerability with a CVSS score of 6.5 (MEDIUM). An issue was discovered in ONOS 2.5.1. To attack an intent installed by a normal user, a remote attacker can install a duplicate intent with a different key, and then remove the duplicate one. This wi...

How severe is CVE-2022-24109?

CVE-2022-24109 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2022-24109?

Check the references section above for vendor advisories and patch information. Affected products include: Opennetworking Onos.