CVE-2019-12130
📋 TL;DR
CVE-2019-12130 is a critical authentication bypass vulnerability in ONAP CLI through the Dublin release. Attackers can gain full administrative access to ONAP services without credentials by connecting to specific ports. All ONAP Operations Manager (OOM) deployments are affected.
💻 Affected Systems
- ONAP CLI
- ONAP Operations Manager (OOM)
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of ONAP infrastructure allowing data exfiltration, service disruption, and lateral movement to connected systems.
Likely Case
Unauthorized access to ONAP services leading to configuration changes, service manipulation, and potential data exposure.
If Mitigated
Limited impact if network segmentation and access controls prevent external access to vulnerable ports.
🎯 Exploit Status
Exploitation requires only network access to vulnerable ports - no authentication or special tools needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after Dublin
Vendor Advisory: https://jira.onap.org/browse/OJSI-27
Restart Required: Yes
Instructions:
1. Upgrade ONAP CLI to version after Dublin.
2. Apply ONAP security patches.
3. Restart affected services.
4. Verify authentication is required on all service ports.
🔧 Temporary Workarounds
Network Access Control
Block external access to vulnerable ports using firewall rules (Linux):
iptables -A INPUT -p tcp --dport 30234 -j DROP
iptables -A INPUT -p tcp --dport 30290 -j DROP
iptables -A INPUT -p tcp --dport 32010 -j DROP
iptables -A INPUT -p tcp --dport 30270 -j DROP
iptables -A INPUT -p tcp --dport 30224 -j DROP
iptables -A INPUT -p tcp --dport 30281 -j DROP
iptables -A INPUT -p tcp --dport 30254 -j DROP
iptables -A INPUT -p tcp --dport 30285 -j DROP
iptables -A INPUT -p tcp --dport 30271 -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to isolate ONAP services from untrusted networks
- Deploy intrusion detection systems to monitor for unauthorized access attempts on vulnerable ports
🔍 How to Verify
Check if Vulnerable:
Attempt to connect to any of the vulnerable ports (30234, 30290, etc.) without authentication. If the connection succeeds and the service responds, the system is vulnerable.
Check Version:
onap --version
Verify Fix Applied:
Attempt to connect to vulnerable ports without authentication - connection should be rejected or require credentials.
📡 Detection & Monitoring
Log Indicators:
- Unauthenticated connections to ONAP service ports
- Access from unexpected IP addresses to administrative ports
Network Indicators:
- Traffic to ports 30234, 30290, 32010, 30270, 30224, 30281, 30254, 30285, 30271 without preceding authentication
SIEM Query:
destination_port IN (30234, 30290, 32010, 30270, 30224, 30281, 30254, 30285, 30271) AND (auth_result="failure" OR auth_result IS NULL)
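The log and network indicators above, expressed as detection logic over connection events. This is an added example, not code from ONAP or from this advisory: the JSON field names (`src_ip`, `dest_port`, `auth_result`), the allowed management subnet and the sample events are all constructed assumptions. It flags events on the listed ports that lack a successful authentication or come from an unexpected source.

```python
import ipaddress
import json

# Ports this page lists for CVE-2019-12130.
VULNERABLE_PORTS = {30234, 30290, 32010, 30270, 30224, 30281, 30254, 30285, 30271}
# Assumption: the only network expected to reach these ports (constructed value).
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.0.0/24")]
# Constructed sample events, one JSON object per line; field names are hypothetical.
SAMPLE_LOG = """\
{"ts": "2019-06-01T10:00:00Z", "src_ip": "10.20.0.15", "dest_port": 30234, "auth_result": "success"}
{"ts": "2019-06-01T10:01:00Z", "src_ip": "203.0.113.7", "dest_port": 30290, "auth_result": null}
{"ts": "2019-06-01T10:02:00Z", "src_ip": "10.20.0.22", "dest_port": 30270, "auth_result": "failure"}
{"ts": "2019-06-01T10:03:00Z", "src_ip": "198.51.100.4", "dest_port": 443, "auth_result": null}
{"ts": "2019-06-01T10:04:00Z", "src_ip": "192.0.2.9", "dest_port": 32010, "auth_result": "success"}
not-json garbage that must not stop the scan
"""

def classify(event):
    """Return the reasons an event is suspicious; empty list if it is not."""
    try:
        port = int(event.get("dest_port"))
    except (TypeError, ValueError):
        return []
    if port not in VULNERABLE_PORTS:
        return []
    reasons = []
    # A missing auth_result counts the same as a failed one on these ports.
    if event.get("auth_result") in (None, "failure"):
        reasons.append("no-successful-auth")
    try:
        src = ipaddress.ip_address(str(event.get("src_ip")))
        if not any(src in net for net in ALLOWED_SOURCES):
            reasons.append("unexpected-source")
    except ValueError:
        reasons.append("unparseable-source")
    return reasons

def scan(log_text):
    """Return (line_number, src_ip, dest_port, reasons) for each flagged event."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or malformed lines instead of aborting
        reasons = classify(event) if isinstance(event, dict) else []
        if reasons:
            findings.append((lineno, event.get("src_ip"), event.get("dest_port"), reasons))
    return findings
```

Calling `scan(SAMPLE_LOG)` returns one tuple per flagged event; replace `ALLOWED_SOURCES` and the field names with those of your own log source.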