
OpenDaylight Patches 'Serious Vulnerability' – After Four Months

Mitch Wagner
12/17/2014

There's bad news and worse news about OpenDaylight security.

The bad news: The open source OpenDaylight SDN controller has a security flaw that could allow an attacker to take over an SDN network.

The worse news: The security consultant who discovered the flaw reported it in August, but couldn't get anybody to listen to him.

But here's some better news: Patches are in the works, and the OpenDaylight community is working on a process for managing security bugs.

The "Netdump" security flaw was discovered by Gregory Pickett, part of the managed security services group at Hellfire Security. The vulnerability allows remote attackers to read any file belonging to the controller's network configuration applications. Those files include hashed network credentials, which could be cracked to give attackers full control of the network, Pickett says.

After discovering the flaw, Pickett went to the OpenDaylight website looking for directions on how to report security issues or contact developers, but came up dry. He finally found a web form to contact OpenDaylight, and filled that out. "No one actually replied to me. I just got added to the mailing list," Pickett says.

He adds, "At first I was irritated, then I found it amusing. I'm still getting regular messages from them."

With no response from OpenDaylight, Pickett presented a description of the flaw at the DEF CON security conference, held August 7-10, and posted a description to the Bugtraq mailing list on Aug. 11.

As part of the DEF CON talk, Pickett also looked into the Floodlight controller, an open source SDN controller affiliated with Big Switch Networks. Pickett found problems there too. "In the case of Floodlight, there didn't seem to be any controls in place at all," he said. The northbound API has no authentication or encryption, which would allow anyone to take full control of the network. Pickett says Big Switch promptly contacted him about the security vulnerability and told him that its own implementation of Floodlight includes fixes for the security holes. (See Who Does What: SDN Controllers and Big Switch Intros Flagship Big Cloud Fabric – At Last.)

After the presentation, on August 16, Pickett was contacted by Grant Murphy of Red Hat Inc. (NYSE: RHT), who said he was trying to put a procedure in place for managing security in OpenDaylight, according to emails from Murphy that Pickett shared with Light Reading.

Open source strength
Despite the problems, OpenDaylight Project executive director Nicolas "Neela" Jacques says the incident demonstrates the strength of the open source process.

    This is the first time our security response system was tested and it brought to light one glaring issue, which is that the security alias wasn't broadly advertised on the main ODL site. (This has since been fixed: http://www.opendaylight.org/project/contact)

He adds:

    Pickett found an issue and tried to share it through a web form which was inactive. It came on our radar [Monday] through our main community mailing list and as soon as it did, we fixed it.

    This is a testament to why open source software works. Greg could see the code, saw there was an issue and flagged it through the web form which unfortunately was a dead link. There are a dozen other ways the info could have been shared directly with the community because--as you saw--once it got to them, it was immediately resolved.

Pickett says he tried querying on the community mailing list in August and received no response.

Jacques says:
