CVE-2024-29461
Description
An issue in Floodlight SDN OpenFlow Controller v.1.2 allows a remote attacker to cause a denial of service via the datapath id component.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Floodlight SDN Controller v1.2 allows denial of service via datapath ID spoofing during switch handshake.
Vulnerability
Floodlight SDN OpenFlow Controller v1.2 lacks validation of datapath ID uniqueness during the switch handshake. A malicious switch can set its datapath ID to match an existing switch's ID, causing the controller to disconnect the legitimate switch. The flaw is in the datapath ID handling logic [1][2].
Exploitation
An attacker with network access to the controller can connect a malicious OpenFlow switch. When that switch sends a crafted FeaturesReply message with a datapath ID identical to an existing switch's, the controller disconnects the original switch. No authentication is required; the attack is executed by running a proof-of-concept script [1][2].
Impact
Successful exploitation results in a denial of service by disconnecting legitimate switches from the controller, disrupting network operations and potentially causing a widespread network outage.
Mitigation
As of the cited references, no official fix has been released. Users should monitor the Floodlight project for updates. No known workarounds are documented. The vulnerability is not listed in KEV.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Floodlight/Floodlight SDN OpenFlow Controller
- Range: = 1.2
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing duplicate datapath ID validation in the controller handshake process allows a malicious switch to impersonate an existing switch and cause the original switch to be disconnected."
Attack vector
An attacker who can reach the Floodlight controller on the OpenFlow port (default 6653) sends a crafted OpenFlow handshake — a Hello message followed by a FeaturesReply containing a datapath ID that matches an existing, legitimate switch's datapath ID [ref_id=1][ref_id=2]. The controller accepts the duplicate ID and disconnects the original switch, causing a denial of service. The attacker can repeatedly reconnect with the same spoofed datapath ID to keep the legitimate switch offline [ref_id=2].
Affected code
The vulnerability lies in the Floodlight SDN controller's handshake process. When a new switch connects and presents a datapath ID that matches an already-connected switch, the controller disconnects the original switch rather than rejecting the duplicate. The specific code path is in the controller's switch connection handling logic, triggered during OpenFlow handshake message processing [ref_id=1][ref_id=2].
What the fix does
No patch is published in the provided bundle. The advisory describes the root cause: "when the new switch uses the datapath id that is already in use, the original switch will close the connection" [ref_id=2]. A proper fix would require the controller to check for duplicate datapath IDs during the handshake and reject the new connection instead of evicting the existing one.
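The duplicate check described above, modeled as an added example (not Floodlight code and not taken from the advisory). The class and method names are hypothetical, the liveness timeout that lets a restarted switch reclaim its ID is an assumption, and the sample events are constructed.

```python
class SwitchRegistry:
    """Toy datapath-ID table; names are hypothetical, not Floodlight classes."""
    def __init__(self, liveness_timeout=10.0):
        self.liveness_timeout = liveness_timeout  # assumed policy value
        self.active = {}    # dpid -> (peer "ip:port", time last heard from)
        self.rejected = []  # (dpid, new_peer, holder_peer), for alerting

    def on_features_reply(self, dpid, peer, now):
        """Handshake reported its datapath ID; return True if accepted."""
        holder = self.active.get(dpid)
        if holder and holder[0] != peer:
            if now - holder[1] < self.liveness_timeout:
                # ID is held by a live connection: refuse the newcomer
                # and keep the existing switch instead of evicting it.
                self.rejected.append((dpid, peer, holder[0]))
                return False
            # Holder silent past the timeout: treat as a reconnect.
        self.active[dpid] = (peer, now)
        return True

    def on_message(self, dpid, peer, now):
        if dpid in self.active and self.active[dpid][0] == peer:
            self.active[dpid] = (peer, now)  # any message refreshes liveness

    def on_disconnect(self, dpid, peer):
        if dpid in self.active and self.active[dpid][0] == peer:
            del self.active[dpid]

# Constructed sample events: (kind, dpid, peer, timestamp)
EVENTS = [
    ("features", 1, "192.0.2.11:40001", 0.0),
    ("features", 2, "192.0.2.12:40002", 0.0),
    ("message", 1, "192.0.2.11:40001", 5.0),
    ("features", 1, "192.0.2.99:51000", 6.0),    # duplicate ID, holder alive
    ("disconnect", 1, "192.0.2.11:40001", 7.0),
    ("features", 1, "192.0.2.11:40005", 8.0),    # reconnect after disconnect
    ("features", 2, "192.0.2.12:40009", 30.0),   # holder silent for 30 s
]

def replay(events):
    reg, accepted = SwitchRegistry(), []
    for kind, dpid, peer, ts in events:
        if kind == "features":
            accepted.append(reg.on_features_reply(dpid, peer, ts))
        elif kind == "message":
            reg.on_message(dpid, peer, ts)
        else:
            reg.on_disconnect(dpid, peer)
    return accepted, reg
```

A real controller would derive liveness from its OpenFlow echo request/reply keepalive rather than a fixed constant, and entries in `rejected` are the events worth alerting on.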
Preconditions
- network: Attacker must have network access to the Floodlight controller's OpenFlow port (default 6653)
- config: At least one legitimate switch must already be connected to the controller with a known datapath ID
Reproduction
1. Start the Floodlight controller: `java -jar ./target/floodlight.jar` [ref_id=1][ref_id=2].
2. Start Mininet with two switches: `sudo mn --switch=ovsk,protocols=OpenFlow13 --controller=remote,ip=0.0.0.0,port=6653 --topo linear,2` [ref_id=1][ref_id=2].
3. Run the provided `poc.py` script which sends a crafted OpenFlow handshake (Hello, FeaturesReply with a datapath ID matching an existing switch, PortDescStatsReply, Barrier, GetConfigReply, Multipart messages, TableFeaturesStatsReply, and RoleRequest) to the controller [ref_id=1][ref_id=2].
4. The original switch is disconnected; run `pingall` in Mininet to observe dropped connectivity [ref_id=1][ref_id=2].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.