The Netdump security flaw, first reported in August, can allow an attacker to take over an SDN network.

Mitch Wagner, Executive Editor, Light Reading

December 17, 2014

5 Min Read
OpenDaylight Patches 'Serious Vulnerability' – After Four Months

There's bad news and worse news about OpenDaylight security.The bad news: The open source OpenDaylight SDN controller has a security flaw that could allow an attacker to take over an SDN network.The worse news: The security consultant who discovered the flaw reported it in August, but couldn't get anybody to listen to him.But here's some better news: Patches are in the works, and the OpenDaylight community is working on a process for managing security bugs.The "Netdump" security flaw was discovered by Gregory Pickett, part of the managed security services group for Hellfire Security. The vulnerability allows remote attackers to gain access to any file related to network configuration applications. Vulnerable files include hashed network credentials, which could be hacked to give attackers full control of the network, Pickett says.After discovering the flaw, Pickett went to the OpenDaylight website looking for directions on how to report security issues or contact developers, but came up dry. He finally found a web form to contact OpenDaylight, and filled that out. "No one actually replied to me. I just got added to the mailing list," Pickett says.He adds, "At first I was irritated, then I found it amusing. I'm still getting regular messages from them."Want to know more about SDN? Visit Light Reading's SDN technology content channel.With no response from OpenDaylight, Pickett presented a description of the flaw at the DEF CON security conference, which was August 7-10, and posted a description to the Bugtraq mailing list Aug. 11.As part of the DEF CON talk, Pickett also looked into the Floodlight controller, an open source SDN controller affiliated with Big Switch Networks . Pickett found problems there too. "In the case of Floodlight, there didn't seem to be any controls in place at all," he said. The northbound API has no authentication, or encryption, which will allow anyone to take over full control of the network. Pickett says Big Switch promptly contacted him about the security vulnerability and told him that its implementation of Floodlight includes fixes for the security holes. (See Who Does What: SDN Controllers and Big Switch Intros Flagship Big Cloud Fabric – At Last.)After the presentation, on August 16, Pickett was contacted by Grant Murphy of Red Hat Inc. (NYSE: RHT), who said he was trying to put a procedure in place for managing security in OpenDaylight, according to emails from Murphy that Pickett shared with Light Reading.Open source strengthDespite the problems, OpenDaylight Project executive director Nicolas "Neela" Jacques says the incident demonstrates the strength of the open source process.This is the first time our security response system was tested and it brought to light one glaring issue, which is that the security alias wasn't broadly advertised on the main ODL site. (This has since been fixed: adds:Pickett found an issue and tried to share it through a web form which was inactive. It came on our radar [Monday] through our main community mailing list and as soon as it did, we fixed it.This is a testament to why open source software works. Greg could see the code, saw there was an issue and flagged it through the web form which unfortunately was a dead link. There are a dozen other ways the info could have been shared directly with the community because--as you saw--once it got to them, it was immediately resolved.Pickett says he tried querying on the community mailing list in August and received no response.Jacques says:We feel fortunate that the security response process was tested this early on so we know how to better respond in the future.The community has issued three patches to resolve the bug, says an OpenDaylight spokeswoman:BUG-2511 Fix XXE vulnerability in NetconfBUG-2511 Fix possible XXE vulnerability in restconfBUG-2511: disable external entitiy resolution with EXINext Page: Production-Ready?Production-ready?In light of the flaw, is OpenDaylight production-ready?Says Jacques: "The second release of ODL that came out in September is progressing down the path of becoming production-ready and has been integrated by over a dozen commercial suppliers into their solutions. We expect to see more of this in 2015." OpenDaylight Project released its second, Helium build in September. The Lithium release is due next year. (See OpenDaylight Releases Major 'Helium' Upgrade.)David Jorm, a member of the ODL community, says: "Strictly from a security perspective, I'd say [OpenDaylight] isn't entirely production-ready yet. There are insecure default settings, incomplete security features, and as noted above a lack of security response processes. My personal opinion is that the Lithium release is likely to be more production-ready, and I would be quite surprised if any large production deployments are rolled out before Lithium shipped (again, just my opinion, not backed by any hard data)."A "thorough analysis of OpenDaylight security was performed" in May, Jorm says in an email on the OpenDaylight community list Monday. The results are on the OpenDaylight Wiki. "This includes many good suggestions, but unfortunately few of them have been implemented," Jorm says. The organization needs a mechanism to report security bugs and problems, and a vulnerability management team similar to OpenStack.The Netdump bug, which Jorm refers to as a "rather serious XXE vulnerability ... seems to have been ignored entirely" after it was reported in August, Jorm says.Red Hat's Murphy proposed a security response process for ODL, which got some discussion, and then "stalled," Jorm says.I think the sequence of events noted above tells a clear but troubling story. The vendors contributing to ODL are well aware that security is a top priority for the project, and high-level efforts have been undertaken to analyze the attack surface and implement a security response process.However, these efforts have stalled, with the fact a serious vulnerability went totally ignored for 4+ months being clear evidence that something is broken.Jorm, a product security engineer at IIX, an Internet peering company, volunteered to "drive Grant's plan to implementation."— Mitch Wagner,  , West Coast Bureau Chief, Light Reading. Got a tip about SDN or NFV? Send it to [email protected].

About the Author(s)

Mitch Wagner

Executive Editor, Light Reading

San Diego-based Mitch Wagner is many things. As well as being "our guy" on the West Coast (of the US, not Scotland, or anywhere else with indifferent meteorological conditions), he's a husband (to his wife), dissatisfied Democrat, American (so he could be President some day), nonobservant Jew, and science fiction fan. Not necessarily in that order.

He's also one half of a special duo, along with Minnie, who is the co-habitor of the West Coast Bureau and Light Reading's primary chewer of sticks, though she is not the only one on the team who regularly munches on bark.

Wagner, whose previous positions include Editor-in-Chief at Internet Evolution and Executive Editor at InformationWeek, will be responsible for tracking and reporting on developments in Silicon Valley and other US West Coast hotspots of communications technology innovation.

Beats: Software-defined networking (SDN), network functions virtualization (NFV), IP networking, and colored foods (such as 'green rice').

Subscribe and receive the latest news from the industry.
Join 62,000+ members. Yes it's completely free.

You May Also Like