[SDNINTRFAC-14] SQL injection in the component database(SQLite) without authenticating to the controller or SDNInterfaceapp. Created: 08/May/18  Updated: 18/May/18  Resolved: 18/May/18

Status: Resolved
Project: sdninterfaceapp
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Low
Reporter: Luke Hinds Assignee: Luke Hinds
Resolution: Done Votes: 0
Labels: security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

#security-status: confirmed

Please Note: This issue is a possible security vulnerability, do not discuss outside of this Jira or stage any patches on gerrit until the embargo process reaches that stage.
 
I am Feng Xiao and Jianwei Huang, from Wuhan University.
I am writing to report a vulnerability in one of the components of Opendaylight, SDNInterfaceapp (SDNI).
With this bug, attackers can SQL inject the component's database(SQLite)  without authenticating to the controller or SDNInterfaceapp.
 
The bug is in /impl/src/main/java/org/opendaylight/sdninterfaceapp/impl/database/SdniDataBase.java (line 373~391)
 
As we can see, the SDNI concats port information to build an insert SQL query, and it executes the query in SQLite.
However, in line 386, the portName is a string that can be customized by switches. Since SQLite supports multiple sql queries in one run,
attackers can customize the port name to inject another SQL if they compromise or forge a switch.
 
For example, he can set portName as:
");drop table NAME;//
 

 Comments   
Comment by Luke Hinds [ 18/May/18 ]

Released as security note, as the SDNI project is no longer maintained.

Generated at Wed Feb 07 20:37:49 UTC 2024 using Jira 8.20.10#820010-sha1:ace47f9899e9ee25d7157d59aa17ab06aee30d3d.