Uploaded image for project: 'sdninterfaceapp'
  1. sdninterfaceapp
  2. SDNINTRFAC-14

SQL injection in the component database(SQLite) without authenticating to the controller or SDNInterfaceapp.

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Low
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels:

      Description

      #security-status: confirmed

      Please Note: This issue is a possible security vulnerability, do not discuss outside of this Jira or stage any patches on gerrit until the embargo process reaches that stage.
       
      I am Feng Xiao and Jianwei Huang, from Wuhan University.
      I am writing to report a vulnerability in one of the components of Opendaylight, SDNInterfaceapp (SDNI).
      With this bug, attackers can SQL inject the component's database(SQLite)  without authenticating to the controller or SDNInterfaceapp.
       
      The bug is in /impl/src/main/java/org/opendaylight/sdninterfaceapp/impl/database/SdniDataBase.java (line 373~391)
       
      As we can see, the SDNI concats port information to build an insert SQL query, and it executes the query in SQLite.
      However, in line 386, the portName is a string that can be customized by switches. Since SQLite supports multiple sql queries in one run,
      attackers can customize the port name to inject another SQL if they compromise or forge a switch.
       
      For example, he can set portName as:
      ");drop table NAME;//
       

        Attachments

        No reviews matched the request. Check your Options in the drop-down menu of this sections header.

          Activity

            People

            • Assignee:
              lukehinds Luke Hinds
              Reporter:
              lukehinds Luke Hinds
            • Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: