bergen876/gist:5a21f78e266c12aa2586beb2178443b0

## gistfile1.txt
SDRAN ONOS A1T - Policy Concurrency Issue

Overview
This repository demonstrates a Proof of Concept (PoC) Denial of Service (DoS) attack targeting the ONOS A1 Termination (a1t) module
within the SDRAN-in-a-box deployment. The attack exploits a policy concurrency vulnerability by replaying multiple concurrent
A1 policies, resulting in service termination and impacting the management of A1 policies within the SD-RAN ORAN deployment.

Attack Description
The ONOS A1 Termination component in SD-RAN ORAN is vulnerable to a DoS attack through the continuous replay of concurrent
HTTP-based policies. By exploiting this issue, attackers can disrupt the service, causing it to crash and rendering it unable to
manage A1 policies effectively.


References

POC - https://youtu.be/dRtyfYEY1U0
https://github.com/bergen876/sdran-onos-a1t---policy-concurency-issue
https://github.com/onosproject/sdran-in-a-box/issues/206


CVE Details

 [Suggested description]
> An issue in Open Networking Foundations sdran-in-a-box v.1.4.3 and
> onos-a1t v.0.2.3 allows a remote attacker to cause a denial of service
> via the onos-a1t component of the sdran-in-a-box, specifically the
> DeleteWatcher function.
>
> ------------------------------------------
>
> [Additional Information]
> Issue Summary  "
>
> Issue: Our tests revealed that the ONOS A1 Termination component of SD RAN ORAN deployment was susceptible to a Denial of Service attack through the continuous replay of concurrent HTTP policies. This attack resulted in the termination of the service, impacting the management of A1 policies.
>
> Logs Overview: The strace logs show a panic was triggered during a sequence of epoll_pwait and futex operations, which can hint about thread synchronization issues. Multiple write system calls were noted, corresponding to log outputs of watcher deletions. This aligns with the A1 Termination service logs, which indicate a panic when attempting to close a nil channel in the DeleteWatcher method.
>
> Attack Reproduction : We tested the SDRAN-in-a-Box (RiaB) v1.4.3, specifically the RAN Simulator and Rimedo Traffic Steering xApp edition ( https://docs.sd-ran.org/master/sdran-in-a-box/docs/Installation_RANSim_RIMDEO_TS.html ). However, we believe this attack is applicable to all other editions that utilize the AI Termination module. The attack consists of replaying the JSON-based Traffic Steering Policies (ORAN_TrafficSteeringPreference_2.0.0) by scripting a multithreaded curl command.
>
> Technical Details:
>
> Strace Logs:
>
> Several calls to futex indicate thread synchronization efforts, with one returning -1 EAGAIN (resource temporarily unavailable), suggesting a possible race condition.
> A1 Termination Logs:
>
> The error originated in the DeleteWatcher function (stream/broker.go:129-132) with a panic message: "close of nil channel" at broker.go:130. onos-a1t/pkg/stream/broker.go at master  onosproject/onos-a1t  GitHub
>
> The goroutine in question (goroutine 2793) was active during the panic, attempting to delete a watcher from a map with UUIDs tied to components like EnrichmentInformation and PolicyManagement.
>
> Potential Causes:
>
> The nil channel panic suggests a potential logic flaw where the code attempts to close a watcher channel that is either not properly initialized or
>
> ------------------------------------------
>
> [VulnerabilityType Other]
> Null Pointer Dereference
>
> ------------------------------------------
>
> [Vendor of Product]
> Open Networking Foundation
>
> ------------------------------------------
>
> [Affected Product Code Base]
> sdran-in-a-box - v1.4.3
> onos-a1t - v0.2.3
>
> ------------------------------------------
>
> [Affected Component]
> onos-a1t component of the sdran-in-a-box , specifically the DeleteWatcher function
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Denial of Service]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> Attack can be implemented through normal replay for JSON policies to the A1 Termination, A1T API through network
>
> ------------------------------------------
>
> [Reference]
> https://github.com/onosproject/sdran-in-a-box/issues/206
>
> ------------------------------------------
>
> [Discoverer]
> Bergen Davis

Use CVE-2024-48809.
	SDRAN ONOS A1T - Policy Concurrency Issue

	Overview
	This repository demonstrates a Proof of Concept (PoC) Denial of Service (DoS) attack targeting the ONOS A1 Termination (a1t) module
	within the SDRAN-in-a-box deployment. The attack exploits a policy concurrency vulnerability by replaying multiple concurrent
	A1 policies, resulting in service termination and impacting the management of A1 policies within the SD-RAN ORAN deployment.

	Attack Description
	The ONOS A1 Termination component in SD-RAN ORAN is vulnerable to a DoS attack through the continuous replay of concurrent
	HTTP-based policies. By exploiting this issue, attackers can disrupt the service, causing it to crash and rendering it unable to
	manage A1 policies effectively.


	References

	POC - https://youtu.be/dRtyfYEY1U0
	https://github.com/bergen876/sdran-onos-a1t---policy-concurency-issue
	https://github.com/onosproject/sdran-in-a-box/issues/206


	CVE Details

	[Suggested description]
	> An issue in Open Networking Foundations sdran-in-a-box v.1.4.3 and
	> onos-a1t v.0.2.3 allows a remote attacker to cause a denial of service
	> via the onos-a1t component of the sdran-in-a-box, specifically the
	> DeleteWatcher function.
	>
	> ------------------------------------------
	>
	> [Additional Information]
	> Issue Summary "
	>
	> Issue: Our tests revealed that the ONOS A1 Termination component of SD RAN ORAN deployment was susceptible to a Denial of Service attack through the continuous replay of concurrent HTTP policies. This attack resulted in the termination of the service, impacting the management of A1 policies.
	>
	> Logs Overview: The strace logs show a panic was triggered during a sequence of epoll_pwait and futex operations, which can hint about thread synchronization issues. Multiple write system calls were noted, corresponding to log outputs of watcher deletions. This aligns with the A1 Termination service logs, which indicate a panic when attempting to close a nil channel in the DeleteWatcher method.
	>
	> Attack Reproduction : We tested the SDRAN-in-a-Box (RiaB) v1.4.3, specifically the RAN Simulator and Rimedo Traffic Steering xApp edition ( https://docs.sd-ran.org/master/sdran-in-a-box/docs/Installation_RANSim_RIMDEO_TS.html ). However, we believe this attack is applicable to all other editions that utilize the AI Termination module. The attack consists of replaying the JSON-based Traffic Steering Policies (ORAN_TrafficSteeringPreference_2.0.0) by scripting a multithreaded curl command.
	>
	> Technical Details:
	>
	> Strace Logs:
	>
	> Several calls to futex indicate thread synchronization efforts, with one returning -1 EAGAIN (resource temporarily unavailable), suggesting a possible race condition.
	> A1 Termination Logs:
	>
	> The error originated in the DeleteWatcher function (stream/broker.go:129-132) with a panic message: "close of nil channel" at broker.go:130. onos-a1t/pkg/stream/broker.go at master onosproject/onos-a1t GitHub
	>
	> The goroutine in question (goroutine 2793) was active during the panic, attempting to delete a watcher from a map with UUIDs tied to components like EnrichmentInformation and PolicyManagement.
	>
	> Potential Causes:
	>
	> The nil channel panic suggests a potential logic flaw where the code attempts to close a watcher channel that is either not properly initialized or
	>
	> ------------------------------------------
	>
	> [VulnerabilityType Other]
	> Null Pointer Dereference
	>
	> ------------------------------------------
	>
	> [Vendor of Product]
	> Open Networking Foundation
	>
	> ------------------------------------------
	>
	> [Affected Product Code Base]
	> sdran-in-a-box - v1.4.3
	> onos-a1t - v0.2.3
	>
	> ------------------------------------------
	>
	> [Affected Component]
	> onos-a1t component of the sdran-in-a-box , specifically the DeleteWatcher function
	>
	> ------------------------------------------
	>
	> [Attack Type]
	> Remote
	>
	> ------------------------------------------
	>
	> [Impact Denial of Service]
	> true
	>
	> ------------------------------------------
	>
	> [Attack Vectors]
	> Attack can be implemented through normal replay for JSON policies to the A1 Termination, A1T API through network
	>
	> ------------------------------------------
	>
	> [Reference]
	> https://github.com/onosproject/sdran-in-a-box/issues/206
	>
	> ------------------------------------------
	>
	> [Discoverer]
	> Bergen Davis

	Use CVE-2024-48809.