Security vulnerabilities fixed in ONOS

Description

It was found that ONOS allows the upload and execution of applications via the ONOS UI without authentication.

Affected versions

ONOS 1.8.0, 1.9.0 are confirmed to be affected.

Patch commit(s)

https://gerrit.onosproject.org/#/c/13830/

This issue was reported by Mathias Morbitzer (Fraunhofer AISEC) and Johann Vierthaler (Fraunhofer AISEC) in cooperation with Marcel Winandy (Huawei).

Description

It was found that ONOS allows the use of WebSockets without authentication. This allows unauthenticated users to execute the functionality provided by the WebSocket endpoints.

Affected versions

ONOS 1.8.0, 1.9.0 are confirmed to be affected.

Patch commit(s)

https://gerrit.onosproject.org/#/c/14261/

This issue was reported by Mathias Morbitzer (Fraunhofer AISEC) and Johann Vierthaler (Fraunhofer AISEC) in cooperation with Marcel Winandy (Huawei).

Description

It was found that ONOS seems to encounter severe problems with its storage facilities once a valid JSON document containing very long strings is uploaded. After posting such a request, ONOS is unable to perform a variety of different tasks (e.g., registering a new device, performing the wipe-out command, etc.).

Affected versions

ONOS 1.8.0, 1.9.0 are confirmed to be affected.

Patch commit(s)

https://gerrit.onosproject.org/#/c/14351/

https://gerrit.onosproject.org/#/c/14466/

This issue was reported by Mathias Morbitzer (Fraunhofer AISEC) and Johann Vierthaler (Fraunhofer AISEC) in cooperation with Marcel Winandy (Huawei).

Description

It is possible to add new devices or hosts via the REST interface. It was found that if JavaScript code is supplied in parameters such as serial, swVersion, hwVersion or manufacturer, it is later executed when a user visits, e.g., the topology view in the GUI and clicks on the device icon.

Affected versions

ONOS 1.8.0, 1.9.0 are confirmed to be affected.

Patch commit(s)

https://gerrit.onosproject.org/#/c/14170/

https://gerrit.onosproject.org/#/c/14182/

This issue was reported by Mathias Morbitzer (Fraunhofer AISEC) and Johann Vierthaler (Fraunhofer AISEC) in cooperation with Marcel Winandy (Huawei).

Description

It was found that the ONOS core did not properly protect itself from exceptions thrown in application packet processors. Exceptions thrown by applications were not caught and handled, which would result in the relevant switch being disconnected because an exception occurred in an I/O thread. An application could exhibit behavior (either intentionally or unintentionally) which would allow a remote unauthenticated attacker to perform a denial-of-service (DoS) attack by causing ONOS to disconnect switches.

Affected versions

ONOS 1.3.0 Drake is confirmed to be affected.

Patch commit(s)

https://gerrit.onosproject.org/#/c/6137/

This issue was reported by Kashyap Thimmaraju (Technische Universität Berlin & T-Labs Berlin), Liron Schiff (Tel Aviv University), and Dr. Stefan Schmid (Technische Universität Berlin & T-Labs Berlin).

Description

It was found that the packet deserializers in ONOS would throw exceptions when handling malformed, truncated or maliciously-crafted packets. The exceptions were not caught and handled, which would result in the relevant switch being disconnected because an exception occurred in an I/O thread. A remote unauthenticated attacker could use this flaw to perform a denial-of-service (DoS) attack by causing ONOS to disconnect switches. See ONOS-605 for more details.

Affected versions

ONOS 1.0.0 Avocet is confirmed to be affected.

Patch commit(s)

https://gerrit.onosproject.org/#/c/2207/
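The two exception-handling issues above (uncaught exceptions from application packet processors, and from packet deserializers fed malformed input) share one root cause: an exception escaping into the I/O thread tears down the switch connection. The following illustrative Java example, added here and not code from ONOS or its patches, shows the defensive pattern: the deserializer checks bounds and reports malformed input through a specific exception, and the dispatcher contains any failure per processor so the calling thread survives. The EthernetHeader, PacketProcessor and SafePacketDispatcher types are simplified stand-ins, not the ONOS API.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;

/** Raised by a deserializer on malformed input; a handled condition, not a crash. */
final class DeserializationException extends Exception {
    DeserializationException(String msg) { super(msg); }
}

/** Minimal Ethernet header parser (stand-in) that checks bounds before reading. */
final class EthernetHeader {
    static final int LENGTH = 14;
    final int etherType;
    private EthernetHeader(int etherType) { this.etherType = etherType; }

    static EthernetHeader deserialize(byte[] data) throws DeserializationException {
        if (data == null || data.length < LENGTH) {
            throw new DeserializationException("truncated Ethernet frame: "
                    + (data == null ? 0 : data.length) + " bytes");
        }
        int type = ((data[12] & 0xff) << 8) | (data[13] & 0xff);
        return new EthernetHeader(type);
    }
}

interface PacketProcessor { void process(byte[] packet) throws Exception; }

/** Runs every registered processor; a failure in one is logged and contained
 *  so the calling I/O thread, and therefore the switch connection, survives. */
final class SafePacketDispatcher {
    private static final Logger log = Logger.getLogger("SafePacketDispatcher");
    private final List<PacketProcessor> processors = new ArrayList<>();

    void add(PacketProcessor p) { processors.add(p); }

    /** Returns how many processors failed on this packet; never rethrows. */
    int dispatch(byte[] packet) {
        int failures = 0;
        for (PacketProcessor p : processors) {
            try {
                p.process(packet);
            } catch (Exception e) { // malformed packet or misbehaving application
                failures++;
                log.log(Level.WARNING, "processor failed; packet dropped, switch kept", e);
            }
        }
        return failures;
    }

    public static void main(String[] args) {
        SafePacketDispatcher d = new SafePacketDispatcher();
        d.add(pkt -> EthernetHeader.deserialize(pkt));                   // rejects truncated input
        d.add(pkt -> { throw new IllegalStateException("application bug"); }); // faulty app
        byte[] truncated = new byte[6];                                    // constructed sample frame
        System.out.println("contained failures: " + d.dispatch(truncated));
    }
}
```

Both processors fail on the constructed 6-byte frame, yet dispatch returns normally, which is the property the patches above restore.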