CVE-2019-12128
📋 TL;DR
This vulnerability allows unauthenticated attackers to gain full administrative access to ONAP services by connecting to specific ports. All ONAP Operations Manager (OOM) deployments are affected, exposing critical orchestration and management functions to complete compromise.
💻 Affected Systems
- ONAP Service Orchestrator (SO)
- ONAP Operations Manager (OOM)
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of ONAP infrastructure allowing attackers to manipulate network services, steal sensitive data, deploy malicious components, and disrupt telecommunications operations.
Likely Case
Unauthorized access leading to data exfiltration, service manipulation, and lateral movement within the ONAP environment.
If Mitigated
Limited impact if services are behind proper network segmentation and access controls, though the vulnerability still exists.
🎯 Exploit Status
Exploitation requires only network access to vulnerable ports - no authentication or special tools needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after Dublin release
Vendor Advisory: https://jira.onap.org/browse/OJSI-27
Restart Required: Yes
Instructions:
1. Upgrade ONAP to a version after the Dublin release.
2. Apply security patches from ONAP security advisories.
3. Restart affected services after patching.
🔧 Temporary Workarounds
Network Access Control
Linux: Block external access to the vulnerable ports using firewall rules
iptables -A INPUT -p tcp --dport 30234 -j DROP
iptables -A INPUT -p tcp --dport 30290 -j DROP
iptables -A INPUT -p tcp --dport 32010 -j DROP
iptables -A INPUT -p tcp --dport 30270 -j DROP
iptables -A INPUT -p tcp --dport 30224 -j DROP
iptables -A INPUT -p tcp --dport 30281 -j DROP
iptables -A INPUT -p tcp --dport 30254 -j DROP
iptables -A INPUT -p tcp --dport 30285 -j DROP
iptables -A INPUT -p tcp --dport 30271 -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to isolate ONAP services from untrusted networks
- Deploy network-based intrusion detection systems to monitor for unauthorized access attempts
🔍 How to Verify
Check if Vulnerable:
Test if you can connect to any of the vulnerable ports (30234, 30290, 32010, 30270, 30224, 30281, 30254, 30285, 30271) without authentication using telnet or nc
Check Version:
Check ONAP version through ONAP dashboard or deployment configuration files
Verify Fix Applied:
Verify that authentication is required when connecting to previously vulnerable ports
📡 Detection & Monitoring
Log Indicators:
- Unauthenticated access to service ports
- Unexpected administrative actions from unknown IPs
- Failed authentication attempts followed by successful access
Network Indicators:
- Connections to vulnerable ports from unexpected sources
- Unusual traffic patterns to ONAP service ports
SIEM Query:
dest_port IN (30234, 30290, 32010, 30270, 30224, 30281, 30254, 30285, 30271) AND auth_result="success"
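The "connections to vulnerable ports from unexpected sources" indicator, worked as an added example (not part of the original advisory or of ONAP). It assumes packets to these ports are recorded by an iptables LOG rule in the kernel log, and that 10.20.0.0/24 is a hypothetical trusted management range; the sample lines are constructed.

```python
import ipaddress
import re

# Ports listed in this advisory for CVE-2019-12128.
VULNERABLE_PORTS = {30234, 30290, 32010, 30270, 30224, 30281, 30254, 30285, 30271}
# Assumption: networks allowed to reach ONAP services; replace with your own.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]
# Key=value fields as written by the iptables LOG target.
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")


def parse_line(line):
    """Return the LOG fields of one line as a dict, or None if it is not a TCP record."""
    fields = dict(FIELD_RE.findall(line))
    if fields.get("PROTO") != "TCP" or "SRC" not in fields or "DPT" not in fields:
        return None
    return fields


def find_untrusted_hits(lines, trusted=TRUSTED_NETS):
    """Return [(src, dport)] for TCP packets to a listed port from outside trusted nets."""
    hits = []
    for line in lines:
        fields = parse_line(line)
        if fields is None:
            continue
        try:
            src = ipaddress.ip_address(fields["SRC"])
            dport = int(fields["DPT"])
        except ValueError:
            continue  # malformed record: skip it rather than abort the scan
        if dport in VULNERABLE_PORTS and not any(src in net for net in trusted):
            hits.append((str(src), dport))
    return hits


# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE_LOG = [
    "Jun  3 10:01:12 node1 kernel: ONAP: IN=eth0 OUT= SRC=10.20.0.15 DST=10.20.0.40 LEN=60 PROTO=TCP SPT=50122 DPT=30234 SYN",
    "Jun  3 10:02:40 node1 kernel: ONAP: IN=eth0 OUT= SRC=198.51.100.23 DST=10.20.0.40 LEN=60 PROTO=TCP SPT=41877 DPT=30234 SYN",
    "Jun  3 10:03:05 node1 kernel: ONAP: IN=eth0 OUT= SRC=203.0.113.77 DST=10.20.0.40 LEN=60 PROTO=TCP SPT=39001 DPT=443 SYN",
    "Jun  3 10:03:09 node1 kernel: ONAP: IN=eth0 OUT= SRC=203.0.113.77 DST=10.20.0.40 LEN=60 PROTO=TCP SPT=39002 DPT=32010 SYN",
    "Jun  3 10:04:00 node1 kernel: ONAP: IN=eth0 OUT= SRC=198.51.100.23 DST=10.20.0.40 LEN=48 PROTO=UDP SPT=5353 DPT=30290",
    "Jun  3 10:04:31 node1 sshd[811]: Accepted publickey for ops from 10.20.0.15 port 50500 ssh2",
]

if __name__ == "__main__":
    for src, dport in find_untrusted_hits(SAMPLE_LOG):
        print(f"untrusted source {src} reached listed port {dport}")
```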