UPDATE 12/17: A patched version of Helium is now available at: http://nexus.opendaylight.org/content/repositories//staging/org/opendaylight/integration/distribution-karaf/0.2.1-Helium-SR1.1/
A potentially serious security vulnerability in the OpenDaylight network controller has gone unpatched since it was first discovered by security researchers in August, spurring a debate about security procedures within the open source project.
The vulnerability, dubbed “Netdump” by the researcher who discovered it, allows remote attackers to gain access to any file on the OpenDaylight controller system via the network configuration service. The vulnerable files include hashed network credentials, which could be cracked using widely available tools, giving attackers full control over the network.
According to David Jorm, an OpenDaylight community member and product security engineer at Australian firm IIX, Netdump persists in OpenDaylight’s current release, Helium, which launched a month after the vulnerability was discovered.
Researcher Tried in Vain to Report Flaw
Unlike many open source projects, OpenDaylight does not have a security response team or dedicated email address for reporting security flaws. Several proposals have been floated to create such a team, including one expected to come to a vote this week.
But when Gregory Pickett, head of cybersecurity operations at Hellfire Security, first discovered Netdump in early August, he couldn’t find anyone at OpenDaylight to report it to. Finally, he resorted to trying the web form on the project’s contact page.
Pickett tells us that he received no response, other than to be added to the project’s mailing list. Seeing no other options, Pickett published his findings to a security mailing list and reported Netdump to the NIST vulnerability database.
“We take security very seriously in the ODL community,” Colin Dixon, chair of OpenDaylight’s Technical Steering Committee, writes in a statement.
“We’re … working to better establish and advertise our security response process so anyone can report issues and to ensure we quickly respond to such issues in the future.”
Patch Under Review
The issue came to a head this week, when Jorm, the Australian security expert, took OpenDaylight to task on the project’s mailing list.
“The vendors contributing to ODL are well aware that security is a top priority for the project,” Jorm wrote in an email to the list Monday. “However, these efforts have stalled, with the fact [that] a serious vulnerability went totally ignored for 4+ months being clear evidence that something is broken.”
Project members sprang into action following Jorm’s missive, submitting a patch for Netdump later Monday. A vote is expected this week on the creation of a security response team, which sources say would consist of three to five members selected by the Technical Steering Committee.
After months of inattention, the formation of a response team could quickly make security a hot-button issue for vendors.
“Security response is quite a strategic issue for vendors,” Jorm tells us. “If one vendor has control of the security response process, that gives them a competitive edge with their deployment, since the other vendors have to wait for the public advisory.”
“If this vote proceeds, I would anticipate every vendor involved will want a person on the list.”