OpenDaylight Service Function Chaining Privilege Escalation Vulnerability
Vulnerability
A privilege escalation vulnerability has been identified in the OpenDaylight Service Function Chaining (SFC) module, specifically in versions through Sodium-SR4. The issue arises from the Shiro-based Role-Based Access Control (RBAC) mechanism, which applies coarse-grained URL mappings that fail to consider the specific HTTP methods involved. This oversight allows low-privileged users to perform administrative actions by sending crafted requests to endpoints that are improperly exposed to their roles. Additionally, the lack of context-aware authorization checks enables unauthorized access across different tenant domains, further exacerbating the issue.
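The following Python model is an added illustration, not code from OpenDaylight or from this advisory. It contrasts the two authorization styles the description above distinguishes: a URL-pattern-only role check that ignores the HTTP method, and a method-aware permission check modelled on Apache Shiro's WildcardPermission strings and its rest filter, which maps HTTP verbs to actions (GET to read, DELETE to delete, and so on). A tenant component in the required permission models the missing context-aware check. The RESTCONF path, user names, roles, permissions, tenants and both policies are constructed for the example; the SFC endpoint path is an assumption, not taken from the advisory.

```python
"""Constructed model: URL-only role check vs. method- and tenant-aware permission check."""
import re
from dataclasses import dataclass

# Shiro's HttpMethodPermissionFilter ("rest" filter) maps verbs to actions like this.
METHOD_TO_ACTION = {
    "GET": "read", "HEAD": "read", "OPTIONS": "read",
    "POST": "create", "PUT": "update", "PATCH": "update", "DELETE": "delete",
}

# Assumed RESTCONF path for the SFC service-functions resource (illustrative only).
SFC_PATH = "/restconf/config/service-function:service-functions"


def ant_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an Ant-style URL pattern ('/**', '*') into an anchored regex."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("/**", i):
            out.append("(?:/.*)?"); i += 3       # '/**' matches zero or more path segments
        elif pattern.startswith("**", i):
            out.append(".*"); i += 2
        elif pattern[i] == "*":
            out.append("[^/]*"); i += 1          # '*' stays within one segment
        else:
            out.append(re.escape(pattern[i])); i += 1
    return re.compile("^" + "".join(out) + "$")


def implies(granted: str, required: str) -> bool:
    """Shiro WildcardPermission semantics: 'domain:action:instance', '*' and ',' lists;
    a shorter granted string implies the omitted trailing parts."""
    g = [set(p.split(",")) for p in granted.split(":")]
    r = [set(p.split(",")) for p in required.split(":")]
    for i, rp in enumerate(r):
        if i >= len(g):
            return True
        if "*" not in g[i] and not rp <= g[i]:
            return False
    return all("*" in gp for gp in g[len(r):])


@dataclass(frozen=True)
class Request:
    method: str
    path: str
    tenant: str          # constructed: tenant that owns the addressed resource


@dataclass(frozen=True)
class Subject:
    name: str
    roles: frozenset
    permissions: tuple


def authorize_url_only(subject: Subject, req: Request, policy) -> bool:
    """Weak form: first matching URL pattern decides by role alone.
    The HTTP method and the tenant never enter the decision."""
    for pattern, allowed_roles in policy:
        if ant_to_regex(pattern).match(req.path):
            return bool(subject.roles & allowed_roles)
    return False


def authorize_method_aware(subject: Subject, req: Request, policy) -> bool:
    """Hardened form: pattern selects a permission domain; the required permission
    is 'domain:action:tenant', so a DELETE needs 'delete' and the right tenant."""
    for pattern, domain in policy:
        if ant_to_regex(pattern).match(req.path):
            action = METHOD_TO_ACTION.get(req.method.upper())
            if action is None:
                return False                     # unknown verb: fail closed
            required = f"{domain}:{action}:{req.tenant}"
            return any(implies(p, required) for p in subject.permissions)
    return False


# Constructed policies: the first mirrors a coarse '/restconf/** = roles[...]' mapping,
# the second routes SFC paths to the 'sfc' domain and everything else to 'restconf'.
URL_ONLY_POLICY = [("/restconf/**", frozenset({"admin", "user"}))]
METHOD_AWARE_POLICY = [("/restconf/config/service-function:**", "sfc"),
                       ("/restconf/**", "restconf")]

# Constructed subjects (names only echo the advisory's low-privileged "user3").
ADMIN = Subject("admin", frozenset({"admin"}), ("*",))
USER3 = Subject("user3", frozenset({"user"}), ("sfc:read:*",))
TENANT_A_ADMIN = Subject("tenant-a-admin", frozenset({"user"}), ("sfc:*:tenant-a",))


def demo() -> dict:
    """Return the decisions both policies make for the advisory's scenario."""
    delete = Request("DELETE", SFC_PATH, "tenant-a")
    return {
        "user3_delete_url_only": authorize_url_only(USER3, delete, URL_ONLY_POLICY),
        "user3_delete_method_aware": authorize_method_aware(USER3, delete, METHOD_AWARE_POLICY),
        "user3_get_method_aware": authorize_method_aware(
            USER3, Request("GET", SFC_PATH, "tenant-a"), METHOD_AWARE_POLICY),
        "admin_delete_method_aware": authorize_method_aware(ADMIN, delete, METHOD_AWARE_POLICY),
        "tenant_a_admin_cross_tenant_delete": authorize_method_aware(
            TENANT_A_ADMIN, Request("DELETE", SFC_PATH, "tenant-b"), METHOD_AWARE_POLICY),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {'ALLOW' if decision else 'DENY'}")
```

Under the URL-only policy the low-privileged user's DELETE is allowed because the pattern match is the whole decision; under the method-aware policy the same request requires `sfc:delete:tenant-a`, which `sfc:read:*` does not imply, and a tenant-scoped administrator is likewise stopped at another tenant's resources. Reviewing a Shiro `[urls]` section for chains that end in `roles[...]` without a method- or permission-bearing filter is the corresponding check on a real deployment.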
Impact
Exploitation of this vulnerability allows low-privileged users to execute privileged operations, such as modifying or deleting critical SFC components. This could lead to unauthorized access to sensitive data, disruption of network services, and manipulation of system configurations that should be restricted to administrators.
Reproduction
To reproduce this vulnerability, first start the OpenDaylight controller and log in with an admin account to verify the SFC resource status. Next, log in with a low-privileged user account (such as user3 or user4) and send a DELETE request to the SFC service functions endpoint. After clearing the session cookies, check the SFC resource status again using the admin account to confirm that the resource has been deleted, demonstrating the unauthorized privilege escalation.
