CVE-2019-13624
📋 TL;DR
CVE-2019-13624 is a command injection vulnerability in ONOS (Open Network Operating System) that allows attackers to execute arbitrary shell commands by injecting backquote characters into YANG web resource strings. This affects all systems running vulnerable versions of ONOS with the YANG web interface exposed. The vulnerability enables remote code execution with the privileges of the ONOS process.
💻 Affected Systems
- ONOS (Open Network Operating System)
📦 What is this software?
ONOS (Open Network Operating System), an SDN controller by the ONOS Project (onosproject)
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise allowing attacker to execute arbitrary commands as the ONOS process user, potentially leading to network control plane takeover, data exfiltration, or deployment of persistent backdoors.
Likely Case
Remote code execution leading to service disruption, configuration manipulation, or lateral movement within the network infrastructure.
If Mitigated
Limited impact if proper network segmentation and access controls prevent unauthorized access to the YANG web interface.
🎯 Exploit Status
The vulnerability is straightforward to exploit by crafting HTTP requests with backquote characters in YANG resource strings. Public references show the exact vulnerable code pattern.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in ONOS commit 20767 and later versions
Vendor Advisory: https://gerrit.onosproject.org/#/c/20767/
Restart Required: Yes
Instructions:
1. Update ONOS to a version containing commit 20767 or later.
2. Apply the patch that properly escapes shell command arguments in YangWebResource.java.
3. Restart the ONOS service to apply the changes.
🔧 Temporary Workarounds
Disable YANG Web Interface
Temporarily disable the vulnerable YANG web resource handler if it is not required for operations.
Modify the ONOS configuration to disable the yang.web component, or restrict access to it via firewall rules.
Network Access Control
Restrict network access to ONOS management interfaces using firewall rules:
iptables -A INPUT -p tcp --dport <onos-web-port> -s <trusted-networks> -j ACCEPT
iptables -A INPUT -p tcp --dport <onos-web-port> -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to isolate ONOS controllers from untrusted networks
- Deploy web application firewall (WAF) rules to block requests containing backquote characters in YANG resource paths
🔍 How to Verify
Check if Vulnerable:
Check if ONOS version is 1.15.0 and examine YangWebResource.java for improper handling of backquote characters in shell command execution
Check Version:
Run onos-version, or inspect the /opt/onos/VERSION file.
Verify Fix Applied:
Verify that commit 20767 is applied in the ONOS installation and test that backquote characters in YANG resource strings no longer execute shell commands
📡 Detection & Monitoring
Log Indicators:
- Unusual shell command execution from ONOS process
- HTTP requests to YANG endpoints containing backquote characters
- Unexpected process spawns from ONOS service
Network Indicators:
- HTTP POST/GET requests to /yang/web endpoints with special characters
- Unusual outbound connections from ONOS controller
SIEM Query:
source="onos" AND ((http_uri="*yang/web*" AND http_uri="*`*") OR (process="*sh*" AND parent_process="onos*"))
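The log indicator above (backquote characters in requests to YANG web endpoints) and the WAF rule under "If You Can't Patch" both reduce to the same check. The following is an added example, not code from the page or the ONOS project, that runs that check over constructed combined-format access-log lines; it URL-decodes the request path first so an encoded backquote (%60) is not missed. The log format and the /onos/yang/web path prefix are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined format); not from a real deployment.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2020:10:00:00 +0000] "GET /onos/yang/web/ietf-interfaces HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2020:10:00:01 +0000] "POST /onos/yang/web/`x` HTTP/1.1" 500 64
10.0.0.9 - - [01/Jan/2020:10:00:02 +0000] "GET /onos/yang/web/%60x%60 HTTP/1.1" 500 64
10.0.0.7 - - [01/Jan/2020:10:00:03 +0000] "GET /onos/ui/index.html HTTP/1.1" 200 2048
"""

# Minimal parser for one combined-format line: source, method, URI, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+$'
)

YANG_WEB_PREFIX = "/yang/web"  # assumed path fragment of the YANG web resource


def is_suspicious_yang_uri(uri: str) -> bool:
    """True if the request targets a YANG web resource and carries a backquote.

    The URI is URL-decoded before matching so that %60 (an encoded backquote)
    is treated the same as a literal one.
    """
    decoded = unquote(uri)
    return YANG_WEB_PREFIX in decoded and "`" in decoded


def suspicious_yang_requests(log_text: str) -> list[dict]:
    """Return one record per log line that matches the indicator."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than fail
        if is_suspicious_yang_uri(m.group("uri")):
            hits.append({
                "line": lineno,
                "src": m.group("src"),
                "method": m.group("method"),
                "uri": unquote(m.group("uri")),
                "status": m.group("status"),
            })
    return hits


if __name__ == "__main__":
    for hit in suspicious_yang_requests(SAMPLE_LOG):
        print(hit)
```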