[AAA-21] Security Issue in Restconf: Restconf config output produces user name and password in clear text

Created: 24/Oct/14 Updated: 21/Mar/19 Resolved: 07/Feb/18

| Status: | Resolved |
| Project: | aaa |
| Component/s: | General |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Bug |
| Reporter: | Balaji Varadaraju |
| Assignee: | Unassigned |
| Resolution: | Done |
| Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Environment: | Operating System: All |
| External issue ID: | 2251 |

| Description |
I mounted a couple of Netconf capable devices onto the ODL controller. Once I did that I wanted to get the config output of the For the first one I issued the following restconf URL. This resulted in some configuration information of the mounted devices, including the user name and password to access them. However, the user name and password are in clear text, which is a big security threat.
| Comments |
| Comment by Tony Tkacik [ 27/Oct/14 ] |
Restconf is a pure pass-thru function and has no knowledge which For the config subsystem you could open an enhancement to secure it on the controller side. For passwords leaking from remote netconf devices, it is a security issue in those devices.
| Comment by Tony Tkacik [ 19/Mar/15 ] |
This seems to be the responsibility of the AAA Authz Data Broker, which should filter out these leaves based on the given authorization. As I mentioned before, Restconf is pure pass-thru so it does not do any processing.
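A sketch of the leaf filtering proposed above, added here as an illustration and not code from OpenDaylight's AAA or NETCONF projects: it walks a RESTCONF-style JSON config tree, reports credential leaves that a client would receive in clear text, and drops those leaves unless the caller holds a role permitted to read them. The sample tree, the leaf names and the role policy are constructed assumptions, not the real OpenDaylight model.

```python
import copy
import json

# Constructed sample of a RESTCONF config response for one mounted NETCONF
# device; the leaf names are assumptions, not the exact OpenDaylight model.
SAMPLE_CONFIG = json.loads("""
{"topology": [{"topology-id": "topology-netconf",
  "node": [{"node-id": "router-1",
            "netconf-node-topology:host": "192.0.2.10",
            "netconf-node-topology:username": "admin",
            "netconf-node-topology:password": "clear-text-secret"}]}]}
""")

# Leaves treated as credentials, matched on the local name after any
# "module:" YANG prefix; assumed policy: only these roles may read them.
CREDENTIAL_LEAVES = {"username", "password"}
ROLES_MAY_READ_CREDENTIALS = {"admin"}

def _local_name(key):
    """Strip a YANG module prefix ('module:leaf' -> 'leaf')."""
    return key.rsplit(":", 1)[-1]

def _credential_leaves(node, path=""):
    """Yield (container, key, path) for every credential leaf under node."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}/{key}"
            if _local_name(key) in CREDENTIAL_LEAVES and isinstance(value, str):
                yield node, key, child
            else:
                yield from _credential_leaves(value, child)
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from _credential_leaves(item, f"{path}[{index}]")

def find_credential_leaves(tree):
    """Detection check: paths of credential leaves that would reach a client
    in clear text from this config tree."""
    return [path for _, _, path in _credential_leaves(tree)]

def filter_for_caller(tree, caller_roles):
    """Copy of the tree with credential leaves removed unless the caller
    holds a role allowed to read them (the broker-side leaf filtering
    the comment above proposes, applied to the data rather than the URL)."""
    redacted = copy.deepcopy(tree)
    if not set(caller_roles) & ROLES_MAY_READ_CREDENTIALS:
        for container, key, _ in list(_credential_leaves(redacted)):
            del container[key]
    return redacted
```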
| Comment by Ryan Goulding [ 18/Dec/15 ] |
This is a new feature request, as right now the AuthZ Broker Facade only operates on URL/DOM operation input. This is a valuable use case though, and will be prioritized during Boron planning.
| Comment by Ryan Goulding [ 07/Feb/18 ] |
Fixed in NETCONF by providing an encryption option there.