OpenDaylight Patches 'Serious Vulnerability' – After Four Months
There's bad news and worse news about OpenDaylight security.
The bad news: The open source OpenDaylight SDN controller has a security flaw that could allow an attacker to take over an SDN network.
The worse news: The security consultant who discovered the flaw reported it in August, but couldn't get anybody to listen to him.
But here's some better news: Patches are in the works, and the OpenDaylight community is working on a process for managing security bugs.
The "Netdump" security flaw was discovered by Gregory Pickett, part of the managed security services group for Hellfire Security. The vulnerability allows remote attackers to gain access to any file related to network configuration applications. Vulnerable files include hashed network credentials, which could be hacked to give attackers full control of the network, Pickett says.
After discovering the flaw, Pickett went to the OpenDaylight website looking for directions on how to report security issues or contact developers, but came up dry. He finally found a web form to contact OpenDaylight, and filled that out. "No one actually replied to me. I just got added to the mailing list," Pickett says.
He adds, "At first I was irritated, then I found it amusing. I'm still getting regular messages from them."
With no response from OpenDaylight, Pickett presented a description of the flaw at the DEF CON security conference, which was August 7-10, and posted a description to the Bugtraq mailing list Aug. 11.
As part of the DEF CON talk, Pickett also looked into the Floodlight controller, an open source SDN controller affiliated with Big Switch Networks . Pickett found problems there too. "In the case of Floodlight, there didn't seem to be any controls in place at all," he said. The northbound API has no authentication, or encryption, which will allow anyone to take over full control of the network. Pickett says Big Switch promptly contacted him about the security vulnerability and told him that its implementation of Floodlight includes fixes for the security holes. (See Who Does What: SDN Controllers and Big Switch Intros Flagship Big Cloud Fabric At Last.)
After the presentation, on August 16, Pickett was contacted by Grant Murphy of Red Hat Inc. (NYSE: RHT), who said he was trying to put a procedure in place for managing security in OpenDaylight, according to emails from Murphy that Pickett shared with Light Reading.
Open source strength
Despite the problems, OpenDaylight Project executive director Nicolas "Neela" Jacques says the incident demonstrates the strength of the open source process.
This is the first time our security response system was tested and it brought to light one glaring issue, which is that the security alias wasn't broadly advertised on the main ODL site. (This has since been fixed: http://www.opendaylight.org/project/contact)
Pickett found an issue and tried to share it through a web form which was inactive. It came on our radar [Monday] through our main community mailing list and as soon as it did, we fixed it.
This is a testament to why open source software works. Greg could see the code, saw there was an issue and flagged it through the web form which unfortunately was a dead link. There are a dozen other ways the info could have been shared directly with the community because--as you saw--once it got to them, it was immediately resolved.
Pickett says he tried querying on the community mailing list in August and received no response.
- BUG-2511 Fix XXE vulnerability in Netconf
- BUG-2511 Fix possible XXE vulnerability in restconf
- BUG-2511: disable external entitiy resolution with EXI
We feel fortunate that the security response process was tested this early on so we know how to better respond in the future.
The community has issued three patches to resolve the bug, says an OpenDaylight spokeswoman:
Next Page: Production-Ready?