OpenDaylight Patches 'Serious Vulnerability' – After Four Months

Mitch Wagner
12/17/2014

There's bad news and worse news about OpenDaylight security.

The bad news: The open source OpenDaylight SDN controller has a security flaw that could allow an attacker to take over an SDN network.

The worse news: The security consultant who discovered the flaw reported it in August, but couldn't get anybody to listen to him.

But here's some better news: Patches are in the works, and the OpenDaylight community is working on a process for managing security bugs.

The "Netdump" security flaw was discovered by Gregory Pickett, part of the managed security services group at Hellfire Security. The vulnerability allows remote attackers to read any file belonging to the controller's network configuration applications. Those files include hashed network credentials, which an attacker could crack to gain full control of the network, Pickett says.

After discovering the flaw, Pickett went to the OpenDaylight website looking for directions on how to report security issues or contact developers, but came up dry. He finally found a web form to contact OpenDaylight, and filled that out. "No one actually replied to me. I just got added to the mailing list," Pickett says.

He adds, "At first I was irritated, then I found it amusing. I'm still getting regular messages from them."

With no response from OpenDaylight, Pickett presented a description of the flaw at the DEF CON security conference, held August 7-10, and posted a description to the Bugtraq mailing list on Aug. 11.

As part of the DEF CON talk, Pickett also looked into the Floodlight controller, an open source SDN controller affiliated with Big Switch Networks. Pickett found problems there too. "In the case of Floodlight, there didn't seem to be any controls in place at all," he said. The northbound API has no authentication and no encryption, so anyone who can reach it can take full control of the network. Pickett says Big Switch promptly contacted him about the vulnerability and told him that its own implementation of Floodlight includes fixes for the security holes. (See Who Does What: SDN Controllers and Big Switch Intros Flagship Big Cloud Fabric – At Last.)

After the presentation, on August 16, Pickett was contacted by Grant Murphy of Red Hat Inc. (NYSE: RHT), who said he was trying to put a procedure in place for managing security in OpenDaylight, according to emails from Murphy that Pickett shared with Light Reading.

Open source strength
Despite the problems, OpenDaylight Project executive director Nicolas "Neela" Jacques says the incident demonstrates the strength of the open source process.

This is the first time our security response system was tested and it brought to light one glaring issue, which is that the security alias wasn't broadly advertised on the main ODL site. (This has since been fixed: http://www.opendaylight.org/project/contact)

He adds:

Pickett found an issue and tried to share it through a web form which was inactive. It came on our radar [Monday] through our main community mailing list and as soon as it did, we fixed it.

This is a testament to why open source software works. Greg could see the code, saw there was an issue and flagged it through the web form which unfortunately was a dead link. There are a dozen other ways the info could have been shared directly with the community because--as you saw--once it got to them, it was immediately resolved.

Pickett says he tried querying on the community mailing list in August and received no response.

Jacques says: