CVE-2024-51407
Description
Floodlight SDN OpenFlow Controller v.1.2 has an issue that allows local hosts to construct false broadcast ports causing inter-host communication anomalies.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Floodlight SDN Controller v1.2 allows local hosts to forge LLDP packets, creating false broadcast ports and disrupting inter-host communication.
Vulnerability
Floodlight SDN OpenFlow Controller v1.2 has a vulnerability in its topology discovery mechanism where the controller trusts LLDP (Link Layer Discovery Protocol) messages without sufficient validation. A local host can inject forged LLDP packets that spoof the chassis ID and port information, causing the controller to construct false broadcast ports. This affects all Floodlight deployments using the default LLDP-based discovery, as described in [1] and [2].
Exploitation
An attacker must have network access to a switch that forwards LLDP packets to the Floodlight controller. The attacker runs a Python script (e.g., poc.py from [2]) that sends crafted LLDP packets with arbitrary chassis IDs and port numbers using Scapy. The script iterates over port ranges and continuously transmits these packets, causing the controller to update its topology with the spoofed information.
Impact
Successful exploitation creates false broadcast ports that split the network cluster (archipelago). Hosts connected to switches that accept the spoofed ports become unable to communicate with hosts on other switches, resulting in inter-host communication anomalies. The impact is a denial of service on network connectivity; no data is exfiltrated or corrupted, but legitimate traffic is disrupted.
Mitigation
As of the publication date (2024-11-01), no official patch has been released by the Floodlight project [1]. Operators should restrict physical or logical access to the network to prevent untrusted hosts from sending LLDP packets. Alternatively, deploy network-level filtering to validate LLDP messages or disable LLDP-based topology discovery if not required. The issue is tracked in [2], and users should monitor for updates.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Floodlight/SDN OpenFlow Controllerdescription
- Range: =1.2
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing validation of LLDP packet source allows a host to forge a switch's broadcast port, corrupting the controller's topology graph."
Attack vector
An attacker on a local host sends forged LLDP packets (protocol 0x88cc) with a spoofed chassis ID matching a real switch's DPID and a fabricated port number. The controller accepts these packets and creates a false broadcast port entry in its topology, causing the network graph (archipelago) to split. Hosts in the split-off portion lose connectivity to the rest of the network [ref_id=1]. The PoC script sends such packets in a loop across port ranges to trigger the split.
Affected code
The issue is in Floodlight's LLDP processing logic, which does not validate the source of LLDP packets. The controller accepts LLDP frames from any host, not only from trusted switches, allowing a host to forge a broadcast port by crafting a malicious LLDP packet with a spoofed chassis ID (DPID) and port number [ref_id=1].
What the fix does
No patch has been published for this issue. The advisory [ref_id=1] describes the bug but does not include a fix commit. Remediation would require the controller to authenticate or validate the source of LLDP packets — for example, by only accepting LLDP frames from directly connected switch ports, or by cryptographically verifying the origin of topology discovery messages.
Preconditions
- networkAttacker must have a host connected to a switch in the Floodlight-controlled network
- inputAttacker must be able to send raw Ethernet frames (e.g., via scapy)
Reproduction
1. Start the Floodlight controller and Mininet: `java -jar target/floodlight.jar` and `sudo mn --switch=ovsk,protocols=OpenFlow13 --topo tree,3 --controller remote`. 2. On host h1, run `xterm h1` then `python3 poc.py`. 3. The PoC script sends forged LLDP packets in a loop, spoofing chassis ID 00:00:00:00:00:00:00:03 and varying port numbers. 4. After execution, hosts connected to switch S3 (ChassisID 00:00:00:00:00:00:00:03) lose communication with outside hosts [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
2News mentions
0No linked articles in our index yet.