CVE-2019-12120
📋 TL;DR
CVE-2019-12120 allows unauthenticated attackers with pod-to-pod network access to execute arbitrary code on ONAP VNFSDK pods via port 8000. All ONAP Operations Manager (OOM) deployments are affected. This is a critical remote code execution vulnerability.
💻 Affected Systems
- ONAP VNFSDK
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the ONAP environment, allowing attackers to execute arbitrary commands, steal sensitive data, pivot to other systems, and disrupt operations.
Likely Case
Attackers with internal network access can gain shell access to VNFSDK pods, potentially compromising the entire ONAP deployment and its managed services.
If Mitigated
With proper network segmentation and pod security policies, impact is limited to the specific VNFSDK pod, though lateral movement remains possible.
🎯 Exploit Status
Exploitation is straightforward once an attacker gains pod-to-pod network access. No authentication required to access the vulnerable endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after Dublin release
Vendor Advisory: https://jira.onap.org/browse/OJSI-10
Restart Required: Yes
Instructions:
1. Upgrade ONAP to a version after the Dublin release.
2. Update the VNFSDK component to the patched version.
3. Restart the affected pods/services.
4. Verify the fix by checking that port 8000 no longer accepts unauthenticated commands.
🔧 Temporary Workarounds
Network segmentation
Restrict pod-to-pod communication using Kubernetes Network Policies:
kubectl apply -f network-policy.yaml (with appropriate deny rules for VNFSDK pods)
Firewall blocking
Block access to port 8000 on VNFSDK pods from unauthorized sources:
iptables -A INPUT -p tcp --dport 8000 -j DROP (on host or via network policy)
Note that a rule in the host's INPUT chain only affects traffic addressed to the host itself; traffic routed into a pod's network namespace passes through the FORWARD chain, so either apply the rule inside the pod's network namespace or rely on a Network Policy.
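A concrete network-policy.yaml for the segmentation workaround above, written here as an added example rather than taken from the advisory or the ONAP project. Kubernetes NetworkPolicy is allow-list based, so the "deny rule" for port 8000 is expressed by selecting the VNFSDK pods and listing only their legitimate service port; it assumes OOM's "onap" namespace, the app=vnfsdk pod label used in the version check below, and a placeholder for VNFSDK's real service port.

```yaml
# Added example, not the advisory's or ONAP's own manifest.
# Assumptions: VNFSDK pods live in the "onap" namespace and carry the label
# app=vnfsdk; <VNFSDK_SERVICE_PORT> is a placeholder for the port the VNFSDK
# API legitimately serves on. Enforcement requires a CNI plugin that
# implements NetworkPolicy (for example Calico or Cilium).
# Apply with: kubectl apply -f network-policy.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: vnfsdk-restrict-ingress
  namespace: onap
spec:
  # Every pod matching this selector is isolated for ingress; only traffic
  # matched by a rule below is admitted, everything else is dropped.
  podSelector:
    matchLabels:
      app: vnfsdk
  policyTypes:
    - Ingress
  ingress:
    # Admit other pods in the onap namespace, but only on the service port.
    # Port 8000 appears in no rule, so it is unreachable from any pod,
    # including pods in the same namespace.
    - from:
        - podSelector: {}
      ports:
        - protocol: TCP
          port: <VNFSDK_SERVICE_PORT>   # placeholder, replace before applying
```

After applying, `kubectl describe networkpolicy vnfsdk-restrict-ingress -n onap` shows the effective rules, and a connection test to port 8000 from another pod should now time out.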
🧯 If You Can't Patch
- Implement strict network segmentation to isolate VNFSDK pods from other pods
- Deploy intrusion detection systems to monitor for exploitation attempts on port 8000
🔍 How to Verify
Check if Vulnerable:
Check whether the VNFSDK pod is listening on port 8000 and whether unauthenticated commands can be executed: 'nc -zv <pod_ip> 8000', then attempt to send payloads.
Check Version:
Check the ONAP version: 'kubectl get pods -l app=vnfsdk -o jsonpath="{.items[0].metadata.labels.version}"'
Verify Fix Applied:
Verify port 8000 is no longer accessible or requires authentication. Test that previously exploitable endpoints are secured.
📡 Detection & Monitoring
Log Indicators:
- Unusual connections to port 8000 on VNFSDK pods
- Suspicious command execution in VNFSDK container logs
- Unexpected process creation in VNFSDK pods
Network Indicators:
- Traffic to port 8000 from unexpected sources
- Large or unusual payloads sent to VNFSDK pods
SIEM Query:
destination_port=8000 AND (protocol=tcp) AND (destination_ip IN vnfsdk_pod_ips)