

@bergen876
Created November 1, 2024 15:43
CVE-2024-48809 Full Disclosure - ONOS A1 Termination Policy Concurrency Issue
SDRAN ONOS A1T - Policy Concurrency Issue
Overview
This repository demonstrates a Proof of Concept (PoC) Denial of Service (DoS) attack against the ONOS A1 Termination (a1t) module
in the SDRAN-in-a-box deployment. The attack exploits a policy concurrency flaw by replaying many A1 policies concurrently,
which terminates the onos-a1t service and disrupts the management of A1 policies within the SD-RAN O-RAN deployment.
Attack Description
The ONOS A1 Termination component in SD-RAN is vulnerable to a DoS attack through the continuous replay of concurrent
HTTP-based A1 policies. An attacker who can reach the A1T API can crash the service, leaving it unable to
manage A1 policies until it is restarted.
References
PoC video - https://youtu.be/dRtyfYEY1U0
https://github.com/bergen876/sdran-onos-a1t---policy-concurency-issue
https://github.com/onosproject/sdran-in-a-box/issues/206
CVE Details
[Suggested description]
> An issue in Open Networking Foundation's sdran-in-a-box v.1.4.3 and
> onos-a1t v.0.2.3 allows a remote attacker to cause a denial of service
> via the onos-a1t component of the sdran-in-a-box, specifically the
> DeleteWatcher function.
>
> ------------------------------------------
>
> [Additional Information]
> Issue Summary
>
> Issue: Our tests revealed that the ONOS A1 Termination component of the SD-RAN O-RAN deployment was susceptible to a Denial of Service attack through the continuous replay of concurrent HTTP policies. This attack resulted in the termination of the service, impacting the management of A1 policies.
>
> Logs Overview: The strace logs show a panic was triggered during a sequence of epoll_pwait and futex operations, which can hint about thread synchronization issues. Multiple write system calls were noted, corresponding to log outputs of watcher deletions. This aligns with the A1 Termination service logs, which indicate a panic when attempting to close a nil channel in the DeleteWatcher method.
>
> Attack Reproduction: We tested SDRAN-in-a-Box (RiaB) v1.4.3, specifically the RAN Simulator and Rimedo Traffic Steering xApp edition ( https://docs.sd-ran.org/master/sdran-in-a-box/docs/Installation_RANSim_RIMDEO_TS.html ). However, we believe this attack is applicable to all other editions that utilize the A1 Termination module. The attack consists of replaying the JSON-based Traffic Steering Policies (ORAN_TrafficSteeringPreference_2.0.0) by scripting a multithreaded curl command.
>
> Technical Details:
>
> Strace Logs:
>
> Several calls to futex indicate thread synchronization efforts, with one returning -1 EAGAIN (resource temporarily unavailable), suggesting a possible race condition.
> A1 Termination Logs:
>
> The error originated in the DeleteWatcher function (stream/broker.go:129-132) with a panic message: "close of nil channel" at broker.go:130 (onos-a1t/pkg/stream/broker.go at master, onosproject/onos-a1t on GitHub).
>
> The goroutine in question (goroutine 2793) was active during the panic, attempting to delete a watcher from a map with UUIDs tied to components like EnrichmentInformation and PolicyManagement.
>
> Potential Causes:
>
> The nil channel panic suggests a potential logic flaw where the code attempts to close a watcher channel that is either not properly initialized or
>
> ------------------------------------------
>
> [VulnerabilityType Other]
> Null Pointer Dereference
>
> ------------------------------------------
>
> [Vendor of Product]
> Open Networking Foundation
>
> ------------------------------------------
>
> [Affected Product Code Base]
> sdran-in-a-box - v1.4.3
> onos-a1t - v0.2.3
>
> ------------------------------------------
>
> [Affected Component]
> onos-a1t component of the sdran-in-a-box , specifically the DeleteWatcher function
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Denial of Service]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> The attack can be carried out by replaying ordinary JSON policies to the A1 Termination (A1T) API over the network.
>
> ------------------------------------------
>
> [Reference]
> https://github.com/onosproject/sdran-in-a-box/issues/206
>
> ------------------------------------------
>
> [Discoverer]
> Bergen Davis
Use CVE-2024-48809.
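The panic reported above ("close of nil channel" in DeleteWatcher) is a general Go failure mode: indexing a map with an ID that has already been removed yields the zero value, a nil channel, and close(nil) panics and takes the whole process down. The following Go program is an added illustration written for this page; it is not code from onos-a1t, and the type names, string IDs and helper functions are assumed for the demonstration. It shows a watcher broker with that defect beside a hardened one that holds a mutex and checks presence before closing, then drives the hardened broker with concurrent add/delete pairs of the kind a policy replay produces.

```go
// Added illustration for CVE-2024-48809 (not onos-a1t's code): a watcher
// broker that closes a nil channel when a watcher is deleted twice, and a
// hardened broker that tolerates concurrent or repeated deletes.
package main

import (
	"errors"
	"fmt"
	"sync"
)

// Event stands in for whatever a real broker pushes to its watchers.
type Event string

// UnsafeBroker models the reported defect: DeleteWatcher indexes the map
// without checking presence, so a second delete of the same ID (two policy
// replays tearing down the same watcher) closes a nil channel and panics.
type UnsafeBroker struct {
	watchers map[string]chan Event
}

func NewUnsafeBroker() *UnsafeBroker {
	return &UnsafeBroker{watchers: make(map[string]chan Event)}
}

func (b *UnsafeBroker) AddWatcher(id string) chan Event {
	ch := make(chan Event, 1)
	b.watchers[id] = ch
	return ch
}

// DeleteWatcher: a missing entry yields a nil chan; close(nil) panics
// with "close of nil channel" and no caller can recover it across goroutines.
func (b *UnsafeBroker) DeleteWatcher(id string) {
	ch := b.watchers[id]
	close(ch)
	delete(b.watchers, id)
}

// ErrNoWatcher is the hardened broker's answer to an unknown or already
// deleted ID: an error for the API layer to map to 404, not a crash.
var ErrNoWatcher = errors.New("no such watcher")

// SafeBroker serialises map access and checks presence before closing.
type SafeBroker struct {
	mu       sync.Mutex
	watchers map[string]chan Event
}

func NewSafeBroker() *SafeBroker {
	return &SafeBroker{watchers: make(map[string]chan Event)}
}

// AddWatcher is idempotent: re-adding an existing ID returns its channel
// rather than leaking the old one.
func (b *SafeBroker) AddWatcher(id string) chan Event {
	b.mu.Lock()
	defer b.mu.Unlock()
	if ch, ok := b.watchers[id]; ok {
		return ch
	}
	ch := make(chan Event, 1)
	b.watchers[id] = ch
	return ch
}

// DeleteWatcher removes the entry under the lock and closes the channel
// exactly once; a repeat delete is reported, never closed again.
func (b *SafeBroker) DeleteWatcher(id string) error {
	b.mu.Lock()
	defer b.mu.Unlock()
	ch, ok := b.watchers[id]
	if !ok {
		return ErrNoWatcher
	}
	delete(b.watchers, id)
	close(ch)
	return nil
}

// Len reports how many watchers remain registered.
func (b *SafeBroker) Len() int {
	b.mu.Lock()
	defer b.mu.Unlock()
	return len(b.watchers)
}

// PanicMessage runs fn and returns the recovered panic text, or "" if fn
// returned normally (recover only works within the same goroutine).
func PanicMessage(fn func()) (msg string) {
	defer func() {
		if r := recover(); r != nil {
			msg = fmt.Sprint(r)
		}
	}()
	fn()
	return ""
}

// DoubleDeleteUnsafe deletes one watcher twice on the defective broker and
// returns the panic text produced by the second delete.
func DoubleDeleteUnsafe() string {
	b := NewUnsafeBroker()
	b.AddWatcher("policy-1")
	b.DeleteWatcher("policy-1")
	return PanicMessage(func() { b.DeleteWatcher("policy-1") })
}

// DoubleDeleteSafe performs the same sequence on the hardened broker and
// returns the error from the second delete.
func DoubleDeleteSafe() error {
	b := NewSafeBroker()
	b.AddWatcher("policy-1")
	_ = b.DeleteWatcher("policy-1")
	return b.DeleteWatcher("policy-1")
}

// ConcurrentReplaySafe runs replays goroutines that each add and delete one
// of ids shared watcher IDs (simulating concurrent policy create/delete),
// and returns how many watchers remain; the hardened broker ends at zero.
func ConcurrentReplaySafe(replays, ids int) int {
	b := NewSafeBroker()
	var wg sync.WaitGroup
	for i := 0; i < replays; i++ {
		wg.Add(1)
		go func(n int) {
			defer wg.Done()
			id := fmt.Sprintf("policy-%d", n%ids)
			b.AddWatcher(id)
			_ = b.DeleteWatcher(id) // may return ErrNoWatcher; never panics
		}(i)
	}
	wg.Wait()
	return b.Len()
}

func main() {
	fmt.Printf("unsafe broker, second delete panics with: %q\n", DoubleDeleteUnsafe())
	fmt.Printf("safe broker, second delete returns: %v\n", DoubleDeleteSafe())
	fmt.Printf("safe broker after 200 concurrent replays, watchers left: %d\n", ConcurrentReplaySafe(200, 4))
}
```

The defective broker is exercised sequentially on purpose: under real concurrency it also has an unsynchronised map write, which Go reports as a fatal "concurrent map writes" error that cannot be recovered at all, so the nil-channel close is only the first of two ways the same code path can end the process.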