PT-2020-9168 · Onos · Onos

Published: 2020-02-20 · Updated: 2020-02-28 · CVE-2019-11189

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions

ONOS versions prior to 2.1

Description

The issue allows attackers to bypass network access control via data plane packet injection, specifically by exploiting an authentication bypass by spoofing in the access control and host mobility components. To exploit this, an attacker sends a gratuitous ARP reply, causing the host mobility application to remove existing access control flow denial rules. Since the access control application does not re-install flow deny rules, the attacker can bypass the intended access control policy.

Recommendations

For ONOS versions prior to 2.1, consider disabling the host mobility application until a patch is available to prevent the removal of existing access control flow denial rules. Restrict access to the network to minimize the risk of exploitation by limiting data plane packet injection capabilities.
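For monitoring while the host mobility application remains enabled, the following added example (not part of the original advisory and not ONOS code) parses captured Ethernet frames and flags gratuitous ARP replies that rebind an address covered by a deny rule to a new MAC. The names `parse_arp`, `find_rebinds`, `DENIED_IPS` and the sample frames are assumptions constructed for illustration.

```python
import socket
import struct

ARP_ETHERTYPE, ARP_REPLY = 0x0806, 2

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip, target_ip), or None if the
    frame is not an IPv4-over-Ethernet ARP packet."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ARP_ETHERTYPE:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_mac = frame[22:28].hex(":")
    sender_ip = socket.inet_ntoa(frame[28:32])
    target_ip = socket.inet_ntoa(frame[38:42])
    return oper, sender_mac, sender_ip, target_ip

def find_rebinds(frames, denied_ips):
    """Flag gratuitous ARP replies that move an IP covered by a deny rule
    to a different MAC than the one previously learned for it."""
    bindings, alerts = {}, []
    for raw in frames:
        parsed = parse_arp(raw)
        if parsed is None:
            continue
        oper, mac, sender_ip, target_ip = parsed
        previous = bindings.get(sender_ip)
        # Gratuitous reply: opcode 2 with sender IP equal to target IP.
        gratuitous = oper == ARP_REPLY and sender_ip == target_ip
        if gratuitous and previous and previous != mac and sender_ip in denied_ips:
            alerts.append((sender_ip, previous, mac))
        bindings[sender_ip] = mac
    return alerts

# Constructed sample capture (not real traffic): an ordinary ARP reply that
# teaches the 10.0.0.5 binding, then a gratuitous reply from another MAC.
SAMPLE_FRAMES = [bytes.fromhex(h) for h in (
    "02000000000102000000000a08060001080006040002"
    "02000000000a0a0000050200000000010a000001",
    "ffffffffffff0200000000bb08060001080006040002"
    "0200000000bb0a000005ffffffffffff0a000005",
)]
DENIED_IPS = {"10.0.0.5"}  # assumed: addresses named in access control deny rules

if __name__ == "__main__":
    for ip, old, new in find_rebinds(SAMPLE_FRAMES, DENIED_IPS):
        print(f"ALERT gratuitous ARP moved {ip} from {old} to {new}")
```

An alert here is a cue to confirm that the deny flow rules for that address are still installed, since the access control application does not re-install them on its own.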

Fix

Authentication Bypass by Spoofing

Weakness Enumeration

Related Identifiers

CVE-2019-11189

Affected Products

Onos