[opendaylight-security-note]: SDNInterfaceapp SQL injection

[Luke Hinds <lhinds () redhat com>]

OpenDayLight Security Note

cve: CVE-2018-1132

jira: https://jira.opendaylight.org/browse/SDNINTRFAC-14

advisory-date: 18/05/18

Summary
-------

SQL injection in the component database(SQLite) without authenticating
to the controller or SDNInterfaceapp.

Discussion
----------

Feng Xiao and Jianwei Huang from Wuhan University discovered a
vulnerability in SDNInterfaceapp (SDNI).

Attackers can SQL inject the component's database(SQLite) without
authenticating to the controller or SDNInterfaceapp.

The bug can be found in
/impl/src/main/java/org/opendaylight/sdninterfaceapp/impl/database/SdniDataBase.java
(line 373~391)

The SDNI concats port information to build an insert SQL query, and it
executes the query in SQLite.

However, in line 386, the portName is a string that can be customized by
switches. Since SQLite supports multiple sql queries in one run,
attackers can customize the port name to inject another SQL if they
compromise or forge a switch.

For example, set portName as:
");drop table NAME;//

Recommended Actions
-------------------

The SDNI project is no longer maintained nor developed since the Carbon
release of OpenDayLight and as the aforementioned vulnerability was
reported after Carbons last service release (SR4) was shipped, the
decision was made to not release a patch.

The security team instead recommends that users upgrade to a later release.

Luke Hinds
OpenDayLight Security Manager

Attachment: signature.asc
Description: OpenPGP digital signature