OpenDaylight SFC Insecure Shiro Cookie Configuration Vulnerability Allowing Session Hijacking
Vulnerability
A vulnerability exists in the OpenDaylight Service Function Chaining (SFC) module, specifically in the SFC Sodium-SR4 release and earlier, due to insecure Apache Shiro cookie settings. The absence of Secure and HttpOnly flags allows session cookies to be transmitted over unencrypted HTTP and accessed by client-side scripts. This vulnerability can be exploited through a man-in-the-middle (MITM) attack, where an attacker intercepts and sniffs session IDs from the HTTP traffic. Additionally, the vulnerability is compounded by session fixation flaws, as Shiro does not regenerate session IDs after login, enabling attackers to hijack sessions and bypass authentication.
Impact
Exploitation of this vulnerability allows for session hijacking, where an attacker can impersonate a legitimate user by stealing their session ID. This bypasses Shiro's authentication mechanisms and can lead to unauthorized access and actions within the OpenDaylight SFC module, such as manipulating service function chaining resources or disrupting service paths.
Reproduction
To reproduce this vulnerability, start the OpenDaylight controller with the SFC module enabled. Create a test user and an admin account. After logging in as the test user, the absence of Secure and HttpOnly flags in the session cookie configuration can be verified. Once logged in, the session ID can be intercepted using a MITM attack, such as ARP spoofing or through a rogue Wi-Fi connection, and extracted with a sniffing tool like Wireshark. The stolen session ID can then be used to forge requests to the OpenDaylight controller, effectively hijacking the session and performing unauthorized actions.
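The flag check and the session-ID regeneration check described above can be scripted from the defender's side. The following is an added example, not code from OpenDaylight or Apache Shiro; the cookie name JSESSIONID, the function names and the sample header values are assumptions constructed for illustration.

```python
"""Audit Set-Cookie headers for missing Secure/HttpOnly and unchanged session IDs."""


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # flag attributes map to ""
    return name.strip(), value.strip(), attrs


def audit_cookie(header):
    """Return (name, value, findings) for a single session cookie."""
    name, value, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie is sent over unencrypted HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie is readable by client-side scripts")
    return name, value, findings


def audit_login_flow(pre_login_header, post_login_header):
    """Audit the post-login cookie and flag a session ID that survived login."""
    pre_name, pre_id, _ = parse_set_cookie(pre_login_header)
    name, post_id, findings = audit_cookie(post_login_header)
    if pre_name == name and pre_id == post_id:
        findings.append("session ID not regenerated after login (session fixation)")
    return findings


# Constructed sample headers, not captured from a real controller.
WEAK_PRE = "JSESSIONID=1f0c9a7e-constructed; Path=/"
WEAK_POST = "JSESSIONID=1f0c9a7e-constructed; Path=/"
HARDENED_PRE = "JSESSIONID=aaaa-constructed; Path=/; Secure; HttpOnly"
HARDENED_POST = "JSESSIONID=bbbb-constructed; Path=/; Secure; HttpOnly; SameSite=Lax"

if __name__ == "__main__":
    for label, pre, post in (("weak", WEAK_PRE, WEAK_POST),
                             ("hardened", HARDENED_PRE, HARDENED_POST)):
        print(label, audit_login_flow(pre, post) or "ok")
```

If the server sends no new Set-Cookie after login, pass the cookie the client is still presenting as the post-login value; an identical ID is the fixation indicator.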
