FixVibe
Research note · critical

OpenDaylight Karaf Resources Authentication Bypass (CVE-2015-1778)

A critical authentication bypass vulnerability was identified in OpenDaylight Karaf resources. Due to an improper authentication implementation, the system would accept any username and password combination, granting unauthorized access to the controller's management interfaces.

CVE-2015-1778 · GHSA-QM24-4869-99PJ · CWE-287

Impact

An attacker with network access to the controller's management interfaces can gain full administrative access by supplying any username and password [S2]. This bypasses all intended access controls and allows complete compromise of the SDN (Software Defined Networking) infrastructure managed by the controller, since whoever controls the controller controls the forwarding behaviour of every switch it manages [S3].

Root Cause

The vulnerability, tracked as CVE-2015-1778, exists in the opendaylight-karaf-resources component [S1]. The underlying issue is an improper authentication mechanism (CWE-287) where the system fails to validate credentials against a back-end user store, effectively treating every login attempt as successful regardless of the input provided [S2].

Technical Details

Affected versions of org.opendaylight.odlparent:opendaylight-karaf-resources prior to 0.2.3-Helium-SR3 are susceptible to this flaw [S2]. When the Karaf container initializes with these resources, the default authentication filter or JAAS (Java Authentication and Authorization Service) configuration is set in a way that permits all login attempts [S3].

How FixVibe could detect it

FixVibe could detect this vulnerability through several methods:

  • Passive Scan: Fingerprinting the OpenDaylight/Karaf version from HTTP response headers or login-page artifacts and comparing it against the affected range [S2]. Banners can be stripped or altered, so a passive match is a hint to be confirmed, not a verdict.
  • Active Gated Probe: Attempting a login with randomized credentials that cannot exist in any user store (e.g. fixvibe-test:fixvibe-pass) and checking whether the controller returns a successful session or authenticated content instead of an authentication failure. A correctly configured controller rejects the request; acceptance of unknown credentials confirms the bypass. The probe is gated because it is a real login attempt against a live controller and leaves audit entries.
  • Repo Scan: Analyzing Maven pom.xml files for the org.opendaylight.odlparent:opendaylight-karaf-resources dependency with a version lower than 0.2.3-Helium-SR3, resolving ${property} references in the version element where the build defines the version that way [S2].
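The repo scan and the active probe from the list above, as an added example written for this note (not FixVibe's scanner and not OpenDaylight code). The pom.xml parsing and the Helium version ordering follow the affected range stated here; the probe's endpoint path /restconf/modules, port 8181 and HTTP Basic authentication are assumptions about the controller's northbound API, and the sample pom.xml is constructed for the demonstration.

```python
import base64
import re
import secrets
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# Added example (not FixVibe's or OpenDaylight's code). The probe path and
# port below are assumptions about a Basic-auth protected controller endpoint.
POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}
VULN_GROUP = "org.opendaylight.odlparent"
VULN_ARTIFACT = "opendaylight-karaf-resources"
FIXED_VERSION = "0.2.3-Helium-SR3"


def version_key(version):
    """Map '0.2.2-Helium-SR2' -> (0, 2, 2); in the Helium line the SRn suffix
    tracks the patch number, so comparing the numeric prefix orders releases."""
    match = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in match.groups())


def resolve(value, props):
    """Expand ${name} references in a <version> element the way Maven does."""
    return re.sub(r"\$\{([^}]+)\}",
                  lambda m: props.get(m.group(1), m.group(0)), value)


def scan_pom(pom_xml):
    """Return [(resolved_version, is_vulnerable)] per matching dependency."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.rsplit("}", 1)[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", POM_NS)}
    findings = []
    for dep in root.iter("{%s}dependency" % POM_NS["m"]):
        gid = dep.findtext("m:groupId", default="", namespaces=POM_NS).strip()
        aid = dep.findtext("m:artifactId", default="", namespaces=POM_NS).strip()
        if (gid, aid) != (VULN_GROUP, VULN_ARTIFACT):
            continue
        raw = dep.findtext("m:version", default="", namespaces=POM_NS).strip()
        version = resolve(raw, props)
        findings.append((version, version_key(version) < version_key(FIXED_VERSION)))
    return findings


def classify(status):
    """Interpret the HTTP status returned for credentials that cannot exist."""
    if status in (401, 403):
        return "ok"            # bogus login rejected
    if 200 <= status < 300:
        return "bypass"        # anything accepted: CVE-2015-1778 behaviour
    return "inconclusive"      # wrong path, unreachable, etc.: no verdict


def probe(base_url, path="/restconf/modules", fetch=None):
    """Log in with randomized non-existent credentials and classify the reply.
    fetch(url, authorization_header) -> status is injectable for offline use."""
    user = "fixvibe-" + secrets.token_hex(4)
    password = secrets.token_urlsafe(12)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    fetch = fetch or _http_status
    return classify(fetch(base_url.rstrip("/") + path, "Basic " + token))


def _http_status(url, authorization):
    req = urllib.request.Request(url, headers={"Authorization": authorization})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


# Constructed sample pom.xml; the version comes through a property, as is common.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <karaf.resources.version>0.2.2-Helium-SR2</karaf.resources.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.opendaylight.odlparent</groupId>
      <artifactId>opendaylight-karaf-resources</artifactId>
      <version>${karaf.resources.version}</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for version, vulnerable in scan_pom(SAMPLE_POM):
        print(f"{VULN_ARTIFACT} {version}: {'VULNERABLE' if vulnerable else 'fixed'}")
    # offline demonstration with a fake server that accepts any credentials
    print("probe verdict:", probe("http://controller:8181", fetch=lambda u, a: 200))
```

Only run probe() with its default fetcher against controllers you are authorized to test; it is a real login attempt and will show up in the controller's audit log. An "inconclusive" result means the path or host did not answer with an authentication decision at all, so it must not be read as "fixed". The version comparison deliberately ignores the Helium/SRn suffix: in this release line the third numeric component already encodes the service release, and comparing on the suffix text alone would sort "0.2.0-Helium" (no suffix) incorrectly.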

Fix

Users should upgrade to OpenDaylight Helium SR3 (specifically opendaylight-karaf-resources version 0.2.3-Helium-SR3 or later) so that credentials are validated against the configured user store [S2]. After upgrading, repeat the bogus-credential login against the controller: it must now be rejected, and the default credentials shipped with the distribution should be changed at the same time.
