CVE-2024-34489
Description
OFPHello in parser.py in Faucet SDN Ryu 4.34 allows attackers to cause a denial of service (infinite loop) via length=0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A flaw in Faucet SDN Ryu's OFPHello parser allows denial of service (infinite loop) via a crafted length=0 field in an OpenFlow Hello message.
The vulnerability resides in the parser method of the OFPHello class in Ryu's OpenFlow message parser (e.g., ofproto_v1_3_parser.py). When processing an OpenFlow Hello message, the parser walks the list of Hello elements in a while loop that advances an offset by each element's length field. If an attacker supplies a zero-length element, the offset never advances and the loop iterates infinitely [1][3]. This halts the controller's processing of any further messages.
Exploitation is straightforward and requires no authentication. An attacker sends a specially crafted OpenFlow Hello packet with a zero-length element to the controller's OpenFlow port (default 6633). Since the Hello message is the first message exchanged during the OpenFlow handshake, the attack can be launched before any legitimate connection is fully established, making it trivially easy to trigger [3].
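The offset-advance loop described above, next to a bounds-checked alternative, as an added example (not Ryu's code and not taken from the advisory). The function names, the `MalformedHello` exception and the sample messages are hypothetical and constructed; the assumed layout is an 8-byte OpenFlow 1.3 header followed by type/length elements padded to 8 bytes.

```python
import struct

OFP_HEADER = struct.Struct("!BBHI")   # version, type, length, xid
ELEM_HEADER = struct.Struct("!HH")    # element type, element length


class MalformedHello(ValueError):
    """Raised when a Hello element cannot be walked safely."""


def naive_walk(buf, max_steps=1000):
    """Unchecked offset-advance loop; max_steps only makes the demo terminate."""
    offset, steps = OFP_HEADER.size, 0
    while offset < len(buf) and steps < max_steps:
        _etype, elen = ELEM_HEADER.unpack_from(buf, offset)
        offset += elen                # elen == 0 -> offset never moves
        steps += 1
    return steps


def parse_hello_elements(buf):
    """Return [(type, payload)] or raise MalformedHello; always terminates."""
    if len(buf) < OFP_HEADER.size:
        raise MalformedHello("short header")
    _ver, _typ, msg_len, _xid = OFP_HEADER.unpack_from(buf, 0)
    if not OFP_HEADER.size <= msg_len <= len(buf):
        raise MalformedHello("bad message length %d" % msg_len)
    elems, offset = [], OFP_HEADER.size
    while offset < msg_len:
        if msg_len - offset < ELEM_HEADER.size:
            raise MalformedHello("truncated element header")
        etype, elen = ELEM_HEADER.unpack_from(buf, offset)
        if elen < ELEM_HEADER.size or elen > msg_len - offset:
            raise MalformedHello("element length %d at offset %d" % (elen, offset))
        elems.append((etype, buf[offset + ELEM_HEADER.size:offset + elen]))
        offset += (elen + 7) // 8 * 8  # always advances by at least 8 bytes
    return elems


# Constructed sample messages (OpenFlow 1.3 Hello: version 0x04, type 0).
GOOD = OFP_HEADER.pack(4, 0, 16, 1) + ELEM_HEADER.pack(1, 8) + struct.pack("!I", 0x10)
ZERO = OFP_HEADER.pack(4, 0, 16, 1) + ELEM_HEADER.pack(1, 0) + b"\x00" * 4

if __name__ == "__main__":
    print(naive_walk(GOOD), naive_walk(ZERO))   # second value hits the step cap
    print(parse_hello_elements(GOOD))
```

Rejecting any element whose length is smaller than its own 4-byte header guarantees forward progress, so a malformed Hello ends in an exception the connection handler can act on instead of a stalled parser.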
Impact
A successful attack results in a complete denial of service: the Ryu controller enters an infinite loop, consuming CPU resources and becoming unresponsive to all network operations. Because the loop occurs in the parser of the very first handshake message, no other OpenFlow messages are processed, and the controller cannot recover without manual intervention or restart [1][3].
Mitigation
As of the disclosure, the Ryu project is not maintained (see the project README) [2]. No official patch has been released. Users are advised to migrate to maintained alternatives such as OpenStack's os-ken project [2]. There is no known workaround other than avoiding exposure of the Ryu controller to untrusted networks.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| ryu (PyPI) | <= 4.34 | — |
Affected products
- Faucet SDN/Faucet SDN Ryu (description)
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-59p2-v62x-gxj8 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-34489 (ghsa, ADVISORY)
- github.com/faucetsdn/ryu/issues/195 (ghsa, WEB)