& cplSiteName &

OpenDaylight Patches 'Serious Vulnerability' – After Four Months

Mitch Wagner

There's bad news and worse news about OpenDaylight security.

The bad news: The open source OpenDaylight SDN controller has a security flaw that could allow an attacker to take over an SDN network.

The worse news: The security consultant who discovered the flaw reported it in August, but couldn't get anybody to listen to him.

But here's some better news: Patches are in the works, and the OpenDaylight community is working on a process for managing security bugs.

The "Netdump" security flaw was discovered by Gregory Pickett, part of the managed security services group for Hellfire Security. The vulnerability allows remote attackers to gain access to any file related to network configuration applications. Vulnerable files include hashed network credentials, which could be hacked to give attackers full control of the network, Pickett says.

After discovering the flaw, Pickett went to the OpenDaylight website looking for directions on how to report security issues or contact developers, but came up dry. He finally found a web form to contact OpenDaylight, and filled that out. "No one actually replied to me. I just got added to the mailing list," Pickett says.

He adds, "At first I was irritated, then I found it amusing. I'm still getting regular messages from them."

Want to know more about SDN? Visit Light Reading's SDN technology content channel.

With no response from OpenDaylight, Pickett presented a description of the flaw at the DEF CON security conference, which was August 7-10, and posted a description to the Bugtraq mailing list Aug. 11.

As part of the DEF CON talk, Pickett also looked into the Floodlight controller, an open source SDN controller affiliated with Big Switch Networks . Pickett found problems there too. "In the case of Floodlight, there didn't seem to be any controls in place at all," he said. The northbound API has no authentication, or encryption, which will allow anyone to take over full control of the network. Pickett says Big Switch promptly contacted him about the security vulnerability and told him that its implementation of Floodlight includes fixes for the security holes. (See Who Does What: SDN Controllers and Big Switch Intros Flagship Big Cloud Fabric – At Last.)

After the presentation, on August 16, Pickett was contacted by Grant Murphy of Red Hat Inc. (NYSE: RHT), who said he was trying to put a procedure in place for managing security in OpenDaylight, according to emails from Murphy that Pickett shared with Light Reading.

Open source strength
Despite the problems, OpenDaylight Project executive director Nicolas "Neela" Jacques says the incident demonstrates the strength of the open source process.

    This is the first time our security response system was tested and it brought to light one glaring issue, which is that the security alias wasn't broadly advertised on the main ODL site. (This has since been fixed: http://www.opendaylight.org/project/contact)

He adds:

Pickett found an issue and tried to share it through a web form which was inactive. It came on our radar [Monday] through our main community mailing list and as soon as it did, we fixed it.

This is a testament to why open source software works. Greg could see the code, saw there was an issue and flagged it through the web form which unfortunately was a dead link. There are a dozen other ways the info could have been shared directly with the community because--as you saw--once it got to them, it was immediately resolved.

Pickett says he tried querying on the community mailing list in August and received no response.

Jacques says:

Newest First  |  Oldest First  |  Threaded View        ADD A COMMENT
Featured Video
From The Founder
Light Reading founder Steve Saunders recently visited the University of North Carolina Charlotte (UNCC) where Cisco's Tetration application is providing data center analytics, simplifying SDN, helping with cloud migration and overseeing white-list security policy.
Flash Poll
Upcoming Live Events
March 20-22, 2018, Denver Marriott Tech Center
March 22, 2018, Denver, Colorado | Denver Marriott Tech Center
March 28, 2018, Kansas City Convention Center
April 4, 2018, The Westin Dallas Downtown, Dallas
April 9, 2018, Las Vegas Convention Center
May 14-16, 2018, Austin Convention Center
May 14, 2018, Brazos Hall, Austin, Texas
September 24-26, 2018, Westin Westminster, Denver
October 9, 2018, The Westin Times Square, New York
October 23, 2018, Georgia World Congress Centre, Atlanta, GA
November 7-8, 2018, London, United Kingdom
November 8, 2018, The Montcalm by Marble Arch, London
November 15, 2018, The Westin Times Square, New York
December 4-6, 2018, Lisbon, Portugal
All Upcoming Live Events
Hot Topics
AT&T Likens DoJ Suit to Shaved Persian Cat
Mari Silbey, Senior Editor, Cable/Video, 3/12/2018
Trump Blocks Broadcom's Qualcomm Acquisition
Dan Jones, Mobile Editor, 3/12/2018
John Deere Bets the Farm on AI, IoT
Scott Ferguson, Editor, Enterprise Cloud, 3/12/2018
Rumor Mill: SoftBank Still Eyeing Charter
Mari Silbey, Senior Editor, Cable/Video, 3/12/2018
Animals with Phones
Live Digital Audio

A CSP's digital transformation involves so much more than technology. Crucial – and often most challenging – is the cultural transformation that goes along with it. As Sigma's Chief Technology Officer, Catherine Michel has extensive experience with technology as she leads the company's entire product portfolio and strategy. But she's also no stranger to merging technology and culture, having taken a company — Tribold — from inception to acquisition (by Sigma in 2013), and she continues to advise service providers on how to drive their own transformations. This impressive female leader and vocal advocate for other women in the industry will join Women in Comms for a live radio show to discuss all things digital transformation, including the cultural transformation that goes along with it.

Like Us on Facebook
Twitter Feed