CVE-2024-51406
Description
Floodlight SDN Open Flow Controller v.1.2 has an issue that allows local hosts to build fake LLDP packets that allow specific clusters to be missed by Floodlight, which in turn leads to missed hosts inside and outside the cluster.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Local hosts can spoof LLDP packets to cause the Floodlight SDN controller to ignore cluster updates, leading to denial of service.
Vulnerability
Floodlight SDN OpenFlow Controller v1.2 fails to validate the authenticity of LLDP packets. A local host can inject forged LLDP packets that create a fake external link within a selected cluster. Once this fake link is established, the controller ignores topology updates from other clusters, causing it to miss hosts both inside and outside the affected cluster [1].
Exploitation
An attacker with local network access to the same broadcast domain as the controller can exploit this vulnerability. The attacker first creates independent switch clusters (e.g., by exploiting a related cluster-splitting vulnerability [#869]). Then, using a Python script with Scapy, the attacker sends crafted LLDP packets that include a specific DPID and port number to establish a false external link. The script loops over port numbers (excluding ports 1 and 2) to maximize the chance of success [1].
Impact
Successful exploitation results in a denial-of-service condition: the controller loses visibility of hosts inside and outside the targeted cluster. This disrupts network topology awareness and can lead to incorrect forwarding decisions, effectively isolating parts of the network [1].
Mitigation
As of the publication date, no official patch has been released for Floodlight v1.2. The issue is tracked on the project's GitHub repository [1]. Users should monitor for updates or consider implementing LLDP packet validation and authentication mechanisms as a workaround. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Floodlight/SDN Open Flow Controller
- Range: v1.2
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing validation of LLDP packet authenticity allows a local host to inject fake external links, causing the controller to ignore topology updates from other clusters."
Attack vector
A local host on the same network as the Floodlight controller sends forged LLDP packets (EtherType 0x88cc) and BDDP packets (EtherType 0x8942) using Scapy [1]. The attacker first creates an independent switch cluster (exploiting a separate cluster-splitting vulnerability), then runs a script that continuously sends crafted LLDP packets on a selected port to establish a fake external link within that cluster [1]. Once the fake external link is established, the controller ignores topology updates from other clusters, causing those clusters to be missed; hosts in missed clusters can only communicate within their own switch, not across switches [1]. The attack requires local network access to the controller's network and the ability to send raw Layer 2 frames.
Affected code
The issue is in Floodlight's logical topology discovery and cluster merging logic. The controller does not validate whether LLDP (Link Layer Discovery Protocol) packets originate from legitimate physical switches, allowing a local host to inject forged LLDP packets that create fake external links within a cluster [1]. The root cause is that "the merging of the clusters into archipelagos did not take into account the fact that the external links are internal to the clusters, resulting in incorrect routing updates" [1].
What the fix does
No patch is provided in the bundle. The advisory identifies the root cause as the cluster-merging logic failing to distinguish between legitimate external links and spoofed internal links [1]. A proper fix would require Floodlight to validate that LLDP packets originate from known physical switches (e.g., by authenticating the source DPID against the controller's topology database) and to reject LLDP advertisements that claim external links between ports that are actually within the same cluster [1].
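The validation described above can be sketched as a check applied to each discovery frame before it reaches topology processing. This is an added example, not Floodlight code or a patch from the project: the function names, the `inventory` map (known switch identifier to its ports) and the `edge_ports` set (host-facing switch ports) are hypothetical, and it assumes the Chassis ID and Port ID TLVs carry the switch identifier and port number.

```python
import struct

DISCOVERY_ETHERTYPES = {0x88CC: "LLDP", 0x8942: "BDDP"}  # EtherTypes named above

# Constructed sample frame: Ethernet header, then Chassis ID, Port ID, TTL, End TLVs.
SAMPLE_FRAME = bytes.fromhex(
    "0180c200000e" "000000000001" "88cc"  # dst MAC, src MAC, EtherType
    "0207" "04000000000002"               # Chassis ID TLV (subtype 4)
    "0403" "020003"                       # Port ID TLV (subtype 2, port 3)
    "0602" "0078" "0000")                 # TTL 120 s, End of LLDPDU


def parse_discovery_frame(frame):
    """Return (kind, chassis_id_hex, port) or None if not a well-formed discovery frame."""
    if len(frame) < 14:
        return None
    kind = DISCOVERY_ETHERTYPES.get(struct.unpack("!H", frame[12:14])[0])
    if kind is None:
        return None
    tlvs, off = {}, 14
    while off + 2 <= len(frame):
        header = struct.unpack("!H", frame[off:off + 2])[0]
        tlv_type, length = header >> 9, header & 0x1FF  # 7-bit type, 9-bit length
        off += 2
        if tlv_type == 0:  # End of LLDPDU
            break
        if off + length > len(frame):  # truncated TLV
            return None
        tlvs.setdefault(tlv_type, frame[off:off + length])
        off += length
    if any(len(tlvs.get(t, b"")) < 2 for t in (1, 2)):  # Chassis ID and Port ID required
        return None
    # First value byte is the subtype; the remainder is the identifier (assumed numeric port).
    return kind, tlvs[1][1:].hex(), int.from_bytes(tlvs[2][1:], "big")


def validate_discovery_frame(frame, ingress, inventory, edge_ports):
    """ingress is the (switch, port) the frame arrived on. Returns (accepted, reason)."""
    parsed = parse_discovery_frame(frame)
    if parsed is None:
        return False, "malformed or not a discovery frame"
    kind, chassis, port = parsed
    if ingress in edge_ports:  # switches never sit behind host-facing ports
        return False, kind + " received on host-facing port"
    if port not in inventory.get(chassis, ()):  # claimed origin must be a known switch port
        return False, kind + " claims unknown switch or port"
    return True, "accepted"
```

The ingress-port check is the stronger of the two, because a host can copy a valid switch identifier into a frame but cannot change the port it is attached to.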
Preconditions
- Network: Attacker must have local network access to send raw Layer 2 frames to the Floodlight controller
- Input: A separate cluster-splitting vulnerability (issue #869) must first be exploited to create independent switch clusters
- Config: The controller must be running Floodlight SDN Open Flow Controller v.1.2 (master branch)
Reproduction
1. Start the controller and Mininet: `java -jar target/floodlight.jar` and `sudo mn --switch=ovsk,protocols=OpenFlow13 --topo tree,3 --controller remote` [1].
2. Exploit the cluster-splitting vulnerability (issue #869) to create independent switch clusters [1].
3. On host h1 (via xterm), run `env_set.py` which sends forged LLDP packets (EtherType 0x88cc) on ports 3-99 to establish a fake external link within the cluster [1].
4. On host h1 (via a second xterm), run `poc.py` which sends forged BDDP packets (EtherType 0x8942) every 15 seconds to maintain the spoofed link [1].
5. After the attack, hosts in other clusters can only communicate within their own switch, not across switches [1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References