OpenDaylight Service Function Chaining Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in the OpenDaylight Service Function Chaining (SFC) Subproject, specifically in the Sodium-SR4 release and earlier. The issue arises from the improper resolution of names or references, allowing attackers to create naming collisions that disrupt network topology and service functions.

Impact

Exploitation of this vulnerability leads to a denial-of-service condition by causing conflicts in the network topology, which disrupts normal service operations and flow management.

Reproduction

To reproduce this vulnerability, first start the OpenDaylight controller with the SFC-OVS and SFC OpenFlow Renderer plugins enabled. Then create a network topology using Mininet with Open vSwitch (OVS) switches and hosts. After validating the topology, deploy a complete service function chain (SFC) in the underlay network via RESTCONF. Once the SFC is active, an attacker can exploit the vulnerability by creating a new service function forwarder (SFF) with a name that conflicts with an existing one, thereby overwriting the original SFF's configuration and disrupting the service chain.
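
As a defensive illustration of the overwrite described above, the following added example (not code from OpenDaylight or from this advisory) classifies a proposed SFF write against a datastore snapshot and applies a create-only policy. The snapshot, its simplified field layout, and the function names are constructed assumptions.

```python
import json

# Constructed config-datastore snapshot; field names are an assumed, simplified SFC JSON.
SNAPSHOT = json.loads("""
{
  "service-function-forwarder": [
    {"name": "SFF1", "service-node": "ovs-1",
     "sff-data-plane-locator": [{"name": "sff1-dpl", "ip": "192.168.1.10", "port": 6633}]},
    {"name": "SFF2", "service-node": "ovs-2",
     "sff-data-plane-locator": [{"name": "sff2-dpl", "ip": "192.168.1.20", "port": 6633}]}
  ],
  "rendered-service-path": [
    {"name": "RSP1", "hops": [{"hop-number": 0, "service-function-forwarder": "SFF1"}]}
  ]
}
""")


def sffs_in_active_chains(snapshot):
    """Names of SFFs referenced by any rendered service path hop."""
    return {hop["service-function-forwarder"]
            for rsp in snapshot.get("rendered-service-path", [])
            for hop in rsp.get("hops", [])}


def classify_sff_write(snapshot, proposed):
    """Classify a proposed SFF write as create, noop, or collision."""
    by_name = {s["name"]: s for s in snapshot.get("service-function-forwarder", [])}
    current = by_name.get(proposed.get("name"))
    if current is None:
        return {"verdict": "create", "changed": [], "in_active_chain": False}
    # Top-level keys whose values differ between stored and proposed config.
    changed = sorted(k for k in set(current) | set(proposed)
                     if current.get(k) != proposed.get(k))
    return {
        "verdict": "collision" if changed else "noop",
        "changed": changed,
        "in_active_chain": proposed["name"] in sffs_in_active_chains(snapshot),
    }


def admit(snapshot, proposed, approved_update=False):
    """Create-only policy: reject overwriting an existing SFF unless approved."""
    result = classify_sff_write(snapshot, proposed)
    result["allowed"] = result["verdict"] != "collision" or approved_update
    return result
```

A collision on an SFF that sits in an active chain is the case that deserves an alert rather than a silent overwrite.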

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 6.1
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.