In this post I will go through CVE-2023-24279: the description, the replication of the vulnerability and a POC.
ONOS (Open Network Operating System), a product of the Open Networking Foundation, is "the leading open source SDN controller for building next-generation SDN/NFV solutions. ONOS was designed to meet the needs of operators wishing to build carrier-grade solutions that leverage the economics of white box merchant silicon hardware while offering the flexibility to create and deploy new dynamic network services with simplified programmatic interfaces. ONOS supports both configuration and real-time control of the network, eliminating the need to run routing and switching control protocols inside the network fabric. By moving intelligence into the ONOS cloud controller, innovation is enabled and end-users can easily create new network applications without the need to alter the dataplane systems."
Among ONOS users are Comcast, Deutsche Telekom, AT&T and other large companies.
The ONOS platform includes:
- A platform and a set of applications that act as an extensible, modular, distributed SDN controller.
- Simplified management, configuration and deployment of new software, hardware and services.
- A scale-out architecture to provide the resiliency and scalability required to meet the rigors of production carrier environments.
Description of the vulnerability
From version 1.9.0 (https://github.com/opennetworkinglab/onos/releases/tag/1.9.0) up to and including 2.7.0 (https://github.com/opennetworkinglab/onos/releases/tag/2.7.0), ONOS ships Swagger UI as a dependency. Swagger UI "allows anyone — be it your development team or your end consumers — to visualize and interact with the API's resources without having any of the implementation logic in place. It's automatically generated from your OpenAPI (formerly known as Swagger) Specification, with the visual documentation making it easy for back end implementation and client side consumption." The bundled version, Swagger UI v2.2.10, is vulnerable. Swagger UI lets a client point it at an external API description through the `url` parameter; the UI fetches that document and renders it. Because the `url` field under `info > contact` in that document is not properly sanitized before it is rendered as a link, an attacker-controlled API description results in cross-site scripting.
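To make the mechanism concrete, the following is an added example, not code from the ONOS project or from Swagger UI. It builds a constructed Swagger 2.0 document whose `info > contact > url` carries a `javascript:` URI, shows why dropping such a value into an `href` is dangerous even when the attribute is HTML-escaped (the rendering function is an approximation of a link template, an assumption for illustration), and then shows the check a practitioner wants: a scheme allow-list that normalises the whitespace and case tricks browsers tolerate, plus an audit that walks a fetched spec for unsafe `url` values before a UI gets to render them.

```python
import html
import json
from urllib.parse import urlparse

# Constructed sample: minimal Swagger 2.0 document with a javascript: contact URL.
# The field path (info > contact > url) is the one affected; the script body is a
# placeholder, not an exploit payload for any particular deployment.
MALICIOUS_SPEC = {
    "swagger": "2.0",
    "info": {
        "title": "demo",
        "version": "1.0",
        "contact": {"name": "demo contact", "url": "javascript:alert(document.domain)"},
    },
    "paths": {},
}

# Same document with a harmless contact URL, for comparison.
BENIGN_SPEC = json.loads(json.dumps(MALICIOUS_SPEC))
BENIGN_SPEC["info"]["contact"]["url"] = "https://example.org/contact"


def render_contact_vulnerable(spec):
    """Approximation (assumed, for illustration) of a template that puts the
    contact URL straight into an href. HTML-escaping the attribute does not
    help here: 'javascript:...' contains nothing that escaping changes."""
    contact = spec.get("info", {}).get("contact", {})
    url = contact.get("url", "")
    label = html.escape(contact.get("name") or url, quote=True)
    return f'<a href="{html.escape(url, quote=True)}">{label}</a>'


SAFE_SCHEMES = {"http", "https", "mailto"}
# ASCII controls and space: browsers strip these from the ends of a URL.
CONTROLS = "".join(chr(i) for i in range(0x21))


def normalise(url):
    """Mimic browser URL parsing: tabs and newlines vanish anywhere,
    leading/trailing controls and spaces are stripped."""
    url = url.replace("\t", "").replace("\n", "").replace("\r", "")
    return url.strip(CONTROLS)


def is_safe_link(url):
    """Allow-list of schemes. A relative or scheme-relative link (empty scheme)
    resolves against the page origin and is accepted; anything else must be
    http, https or mailto. urlparse lowercases the scheme, so mixed case is handled."""
    scheme = urlparse(normalise(url)).scheme
    return scheme == "" or scheme in SAFE_SCHEMES


def render_contact_hardened(spec):
    """Same link, but an unsafe URL is rendered as plain text without an href."""
    contact = spec.get("info", {}).get("contact", {})
    url = contact.get("url", "")
    label = html.escape(contact.get("name") or url, quote=True)
    if not is_safe_link(url):
        return f"<span>{label}</span>"
    return f'<a href="{html.escape(normalise(url), quote=True)}">{label}</a>'


def audit_spec(node, path=""):
    """Walk a parsed API description and return (json path, value) for every key
    named 'url' whose value fails the allow-list. Run this on a document fetched
    from a user-supplied location before handing it to a UI that renders links."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if key == "url" and isinstance(value, str) and not is_safe_link(value):
                findings.append((child, value))
            else:
                findings.extend(audit_spec(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            findings.extend(audit_spec(item, f"{path}[{i}]"))
    return findings


if __name__ == "__main__":
    print("vulnerable:", render_contact_vulnerable(MALICIOUS_SPEC))
    print("hardened:  ", render_contact_hardened(MALICIOUS_SPEC))
    print("audit:     ", audit_spec(MALICIOUS_SPEC))
```

The vulnerable renderer emits `href="javascript:alert(document.domain)"`, which a browser executes on click in the origin of the page that loaded the spec; the hardened renderer degrades the same contact to a plain `<span>`. The allow-list check is applied after normalisation so that `  JaVaScRiPt:` or `java<TAB>script:` cannot slip past a naive prefix comparison. Note that `audit_spec` only inspects keys literally named `url`; if a consumer renders other string fields as links, extend the key set accordingly.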