Impact
An attacker can gain full administrative access to the OpenDaylight controller by supplying an arbitrary username and password [S2]. This bypasses all intended access controls, allowing complete compromise of the SDN (Software Defined Networking) infrastructure managed by the controller [S3].
Root Cause
The vulnerability, tracked as CVE-2015-1778, exists in the opendaylight-karaf-resources component [S1]. The underlying issue is an improper authentication mechanism (CWE-287) where the system fails to validate credentials against a back-end user store, effectively treating every login attempt as successful regardless of the input provided [S2].
Technical Details
Affected versions of org.opendaylight.odlparent:opendaylight-karaf-resources prior to 0.2.3-Helium-SR3 are susceptible to this flaw [S2]. When the Karaf container initializes with these resources, the default authentication filter or JAAS (Java Authentication and Authorization Service) configuration is set in a way that permits all login attempts [S3].
How FixVibe could detect it
FixVibe could detect this vulnerability through several methods:
- Passive Scan: Identifying the OpenDaylight Karaf version through HTTP response headers or unique login page artifacts and comparing it against known vulnerable versions [S2].
- Active Gated Probe: Attempting a login with a randomized, non-existent username and password (e.g., fixvibe-test:fixvibe-pass) to see if the application returns a successful session token or redirects to an authenticated dashboard.
- Repo Scan: Analyzing Maven pom.xml files for the presence of opendaylight-karaf-resources with a version string lower than 0.2.3-Helium-SR3 [S2].
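The Repo Scan check above, written out as an added example (not FixVibe's own scanner): it parses a pom.xml, finds dependencies on org.opendaylight.odlparent:opendaylight-karaf-resources and compares the declared version against the fixed release. It assumes that the numeric part of the version alone orders the Helium releases (as 0.2.3-Helium-SR3 suggests) and that versions left as Maven property placeholders must be reported as undecidable rather than guessed; the sample POM is constructed.

```python
import re
import xml.etree.ElementTree as ET

# Coordinates and fixed version named in the advisory (CVE-2015-1778).
GROUP_ID = "org.opendaylight.odlparent"
ARTIFACT_ID = "opendaylight-karaf-resources"
FIXED_VERSION = "0.2.3-Helium-SR3"

def numeric_prefix(version):
    # Leading dotted integers of a Maven version, e.g. '0.2.1-Helium-SR1' -> (0, 2, 1).
    # Assumption: the qualifier (-Helium-SRn) adds no ordering beyond the patch digit.
    m = re.match(r"(\d+(?:\.\d+)*)", version)
    return tuple(int(p) for p in m.group(1).split(".")) if m else ()

def is_vulnerable_version(version):
    # True when the version sorts below the fixed release; a Maven property
    # placeholder (${...}) cannot be judged from this file alone and returns None.
    if version.startswith("${"):
        return None
    return numeric_prefix(version) < numeric_prefix(FIXED_VERSION)

def scan_pom(pom_xml):
    # Return (version, vulnerable) for every opendaylight-karaf-resources
    # dependency declared in the given pom.xml document (passed as a string).
    root = ET.fromstring(pom_xml)
    # Maven POMs are usually namespaced; derive the prefix from the root tag.
    ns = root.tag.split("}")[0] + "}" if root.tag.startswith("{") else ""
    findings = []
    for dep in root.iter(ns + "dependency"):
        gid = dep.findtext(ns + "groupId", default="")
        aid = dep.findtext(ns + "artifactId", default="")
        if gid == GROUP_ID and aid == ARTIFACT_ID:
            version = dep.findtext(ns + "version", default="").strip()
            findings.append((version, is_vulnerable_version(version)))
    return findings

# Constructed sample POM (not taken from any real project) pinning a
# pre-SR3 Helium release of the affected artifact.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.opendaylight.odlparent</groupId>
      <artifactId>opendaylight-karaf-resources</artifactId>
      <version>0.2.2-Helium-SR2</version>
    </dependency>
  </dependencies>
</project>"""
```

Running scan_pom(SAMPLE_POM) yields [("0.2.2-Helium-SR2", True)]; a placeholder version is returned with None so it can be resolved against the parent POM or properties block by hand.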
Fix
Users should upgrade to OpenDaylight Helium SR3 (specifically opendaylight-karaf-resources version 0.2.3-Helium-SR3 or later) to ensure proper credential validation is enforced [S2].
