Created
November 1, 2024 15:43
CVE-2024-48809 Full Disclosure - ONOS A1 Termination Policy Concurrency Issue
SDRAN ONOS A1T - Policy Concurrency Issue
Overview
This repository demonstrates a Proof of Concept (PoC) Denial of Service (DoS) attack targeting the ONOS A1 Termination (a1t) module
within the SDRAN-in-a-box deployment. The attack exploits a policy concurrency vulnerability by replaying multiple concurrent
A1 policies, resulting in service termination and impacting the management of A1 policies within the SD-RAN ORAN deployment.
Attack Description
The ONOS A1 Termination component in SD-RAN ORAN is vulnerable to a DoS attack through the continuous replay of concurrent
HTTP-based policies. By exploiting this issue, attackers can disrupt the service, causing it to crash and rendering it unable to
manage A1 policies effectively.
References
POC - https://youtu.be/dRtyfYEY1U0
https://github.com/bergen876/sdran-onos-a1t---policy-concurency-issue
https://github.com/onosproject/sdran-in-a-box/issues/206
CVE Details
[Suggested description]
> An issue in Open Networking Foundation's sdran-in-a-box v.1.4.3 and
> onos-a1t v.0.2.3 allows a remote attacker to cause a denial of service
> via the onos-a1t component of the sdran-in-a-box, specifically the
> DeleteWatcher function.
>
> ------------------------------------------
>
> [Additional Information]
> Issue Summary
>
> Issue: Our tests revealed that the ONOS A1 Termination component of SD RAN ORAN deployment was susceptible to a Denial of Service attack through the continuous replay of concurrent HTTP policies. This attack resulted in the termination of the service, impacting the management of A1 policies.
>
> Logs Overview: The strace logs show a panic was triggered during a sequence of epoll_pwait and futex operations, which can hint at thread synchronization issues. Multiple write system calls were noted, corresponding to log outputs of watcher deletions. This aligns with the A1 Termination service logs, which indicate a panic when attempting to close a nil channel in the DeleteWatcher method.
>
> Attack Reproduction: We tested the SDRAN-in-a-Box (RiaB) v1.4.3, specifically the RAN Simulator and Rimedo Traffic Steering xApp edition ( https://docs.sd-ran.org/master/sdran-in-a-box/docs/Installation_RANSim_RIMDEO_TS.html ). However, we believe this attack is applicable to all other editions that utilize the A1 Termination module. The attack consists of replaying the JSON-based Traffic Steering Policies (ORAN_TrafficSteeringPreference_2.0.0) by scripting a multithreaded curl command.
>
> Technical Details:
>
> Strace Logs:
>
> Several calls to futex indicate thread synchronization efforts, with one returning -1 EAGAIN (resource temporarily unavailable), suggesting a possible race condition.
> A1 Termination Logs:
>
> The error originated in the DeleteWatcher function (stream/broker.go:129-132) with a panic message: "close of nil channel" at broker.go:130. onos-a1t/pkg/stream/broker.go at master onosproject/onos-a1t GitHub
>
> The goroutine in question (goroutine 2793) was active during the panic, attempting to delete a watcher from a map with UUIDs tied to components like EnrichmentInformation and PolicyManagement.
>
> Potential Causes:
>
> The nil channel panic suggests a potential logic flaw where the code attempts to close a watcher channel that is either not properly initialized or
>
> ------------------------------------------
>
> [VulnerabilityType Other]
> Null Pointer Dereference
>
> ------------------------------------------
>
> [Vendor of Product]
> Open Networking Foundation
>
> ------------------------------------------
>
> [Affected Product Code Base]
> sdran-in-a-box - v1.4.3
> onos-a1t - v0.2.3
>
> ------------------------------------------
>
> [Affected Component]
> onos-a1t component of the sdran-in-a-box, specifically the DeleteWatcher function
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Denial of Service]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> Attack can be implemented through normal replay for JSON policies to the A1 Termination, A1T API through network
>
> ------------------------------------------
>
> [Reference]
> https://github.com/onosproject/sdran-in-a-box/issues/206
>
> ------------------------------------------
>
> [Discoverer]
> Bergen Davis
Use CVE-2024-48809.
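
The failure mode reported above ("close of nil channel" when a watcher is deleted) next to an idempotent delete that tolerates replayed or concurrent requests, as an added Go example that is not onos-a1t code. `Broker`, `UnguardedDelete`, `ConcurrentDeletes` and the watcher ID "w" are constructed for illustration; the real `broker.go` logic is not shown on this page.

```go
package main

import (
	"fmt"
	"sync"
)

// Broker is a constructed watcher registry keyed by ID, not the onos-a1t type.
type Broker struct {
	mu       sync.Mutex
	watchers map[string]chan struct{}
	closes   int // channels actually closed by DeleteWatcher
}

// UnguardedDelete closes whatever the lookup returns (nil for a missing ID)
// and hands the recovered panic back as err so the message can be inspected.
func (b *Broker) UnguardedDelete(id string) (err error) {
	defer func() { err, _ = recover().(error) }()
	close(b.watchers[id])
	delete(b.watchers, id)
	return nil
}

// DeleteWatcher looks up, removes and closes under one lock, so a repeated
// or concurrent delete of the same ID is a no-op.
func (b *Broker) DeleteWatcher(id string) {
	b.mu.Lock()
	defer b.mu.Unlock()
	if ch, ok := b.watchers[id]; ok {
		delete(b.watchers, id)
		close(ch)
		b.closes++
	}
}

// ConcurrentDeletes fires n simultaneous deletes of id; returns real closes.
func ConcurrentDeletes(b *Broker, id string, n int) int {
	var wg sync.WaitGroup
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func() { defer wg.Done(); b.DeleteWatcher(id) }()
	}
	wg.Wait()
	return b.closes
}

func main() {
	b := &Broker{watchers: map[string]chan struct{}{"w": make(chan struct{})}}
	fmt.Println(b.UnguardedDelete("w"), b.UnguardedDelete("w"))
	fmt.Println(ConcurrentDeletes(b, "w", 64)) // ID already gone: 0 closes, no panic
}
```

In a service, the unguarded variant's panic is not recovered and takes the whole process down, which is why the existence check and the close belong in the same critical section.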