Unrated severity · OSV Advisory · Published Apr 18, 2018 · Updated Aug 5, 2024

CVE-2018-1000163

Description

Floodlight version 1.2 and earlier contains a Cross Site Scripting (XSS) vulnerability in the web console that can result in JavaScript injection into the web page. This attack appears to be exploitable via the victim browsing the web console.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Floodlight 1.2 and earlier has an XSS vulnerability in the web console via the manufacturerDescription field, allowing JavaScript injection when administrators view the console.

Vulnerability

Floodlight SDN controller version 1.2 and earlier contains a stored cross-site scripting (XSS) vulnerability in the web console. The software does not sanitize the manufacturerDescription field received from OpenFlow switches. In net/floodlightcontroller/core/SwitchDescription.java:77-89, the SwitchDescription constructor directly assigns the manufacturer description from the OpenFlow OFDescStatsReply without validation. Later, in the web console (ui/js/models/switchmodel.js:35-42), this field is displayed without escaping, allowing arbitrary HTML and JavaScript to be injected [1].

Exploitation

An attacker must control or compromise an OpenFlow switch capable of sending crafted OFDescStatsReply messages with malicious JavaScript in the manufacturerDescription field. When an administrator browses the Floodlight web console and views the switch list or details, the injected script executes in the context of the administrator's session. No prior authentication is required from the attacker if they can send OpenFlow messages to the controller, which is typical for switches in the network [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the administrator's browser. This can lead to session hijacking, defacement, or redirection to malicious sites. Depending on the administrator's privileges, the attacker may also perform actions on the controller via API calls, potentially compromising the entire SDN network [1].

Mitigation

As of the publication date (2018-04-18), no official patch was available. The vulnerability exists in Floodlight v1.2 and earlier. Users should upgrade to a version with proper input validation and output encoding. A workaround is to restrict access to the Floodlight web console to trusted administrators only and avoid exposing it to untrusted networks. The issue should be fixed by sanitizing the manufacturerDescription field upon receipt and escaping output in the web console [1].
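The two fixes named above (normalizing the field on receipt, escaping it on output), as an added example that is not Floodlight source code. The function names and the sample switch record are hypothetical, and the receipt-side check is shown in JavaScript only to keep the example in one language; in the controller it would be Java.

```javascript
// Added example: hypothetical helper names; not Floodlight source code.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Output encoding for an HTML text or quoted-attribute context.
function escapeHtml(value) {
  return String(value == null ? '' : value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Receipt-side normalization: keep printable ASCII only and cap the length.
// OpenFlow description strings are fixed 256-byte fields (DESC_STR_LEN),
// so anything longer is malformed. Note that '<' and '>' are printable and
// survive this step, which is why output encoding is still required.
function normalizeDescField(value, maxLen = 256) {
  return String(value == null ? '' : value).replace(/[^\x20-\x7E]/g, '').slice(0, maxLen);
}

// Vulnerable pattern: switch-supplied text concatenated into markup.
function renderRowUnsafe(sw) {
  return '<tr><td>' + sw.dpid + '</td><td>' + sw.manufacturerDescription + '</td></tr>';
}

// Hardened pattern: normalize, then encode every switch-supplied field.
function renderRowSafe(sw) {
  const dpid = escapeHtml(normalizeDescField(sw.dpid));
  const mfr = escapeHtml(normalizeDescField(sw.manufacturerDescription));
  return '<tr><td>' + dpid + '</td><td>' + mfr + '</td></tr>';
}

// Constructed sample: a description string containing markup, as an
// untrusted switch could report it in OFDescStatsReply.
const sampleSwitch = {
  dpid: '00:00:00:00:00:00:00:01',
  manufacturerDescription: '<script>alert(1)</script>Acme & Co',
};

console.log(renderRowUnsafe(sampleSwitch)); // switch-supplied markup reaches the page
console.log(renderRowSafe(sampleSwitch));   // same text, rendered inert
```

The same rule applies to every other string a switch reports about itself, not only manufacturerDescription.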

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • floodlight/Floodlight (OSV, 2 versions): v0.8, v0.85, v0.90, … + 1 more
    • (no CPE) range: v0.8, v0.85, v0.90, …
    • (no CPE) range: <=1.2

Patches

0

No patches discovered yet.

References

1
