CVE-2024-46943

7.5 HIGH

📋 TL;DR

This vulnerability allows a rogue OpenDaylight controller to join a cluster and impersonate an offline peer, even without complete cluster configuration. It affects OpenDaylight AAA implementations up to version 0.19.3, potentially enabling unauthorized cluster access and privilege escalation.

💻 Affected Systems

Products:
  • OpenDaylight Authentication, Authorization and Accounting (AAA)
Versions: through 0.19.3
Operating Systems: All platforms running OpenDaylight
Default Config Vulnerable: ⚠️ Yes
Notes: Affects clustered OpenDaylight deployments using AAA authentication. Standalone installations may be less vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete cluster takeover where the rogue controller gains administrative privileges, manipulates network flows, and compromises all managed network devices.

🟠 Likely Case

Unauthorized access to cluster operations, data exfiltration, and disruption of network management functions.

🟢 If Mitigated

Limited impact with proper network segmentation and authentication controls preventing rogue controller access.

🌐 Internet-Facing: MEDIUM - Requires controller cluster exposure to untrusted networks, but exploitation could lead to significant network compromise.
🏢 Internal Only: HIGH - Internal attackers or compromised systems can exploit this to gain cluster privileges and disrupt network operations.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires network access to the controller cluster and knowledge of cluster configuration. The vulnerability is documented in academic research.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 0.19.3

Vendor Advisory: https://docs.opendaylight.org/en/latest/release-notes/projects/aaa.html

Restart Required: Yes

Instructions:

1. Upgrade OpenDaylight AAA to a version after 0.19.3.
2. Restart all controller instances.
3. Verify cluster integrity and authentication mechanisms.

🔧 Temporary Workarounds

Network Segmentation (Linux)

Isolate the controller cluster network from untrusted systems. The following firewall rules restrict the cluster port to a trusted source network; replace trusted_network with your management network (e.g. a CIDR range) before applying them:

# Accept cluster traffic (default cluster port 2550) only from the trusted network, then drop all other connections to that port
iptables -A INPUT -s trusted_network -p tcp --dport 2550 -j ACCEPT
iptables -A INPUT -p tcp --dport 2550 -j DROP

Enhanced Authentication (all platforms)

Implement additional authentication layers for cluster joining:

# Configure mutual TLS authentication for cluster communication
# Review and strengthen AAA configuration files

🧯 If You Can't Patch

  • Implement strict network access controls to limit which systems can join the controller cluster
  • Monitor cluster membership changes and audit authentication logs for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Check the OpenDaylight AAA version, for example with grep 'aaa' /path/to/opendaylight/version/file, or inspect the running configuration.

Check Version:

Run opendaylight-aaa --version or consult the project documentation.

Verify Fix Applied:

Verify that the installed version is above 0.19.3 and confirm that cluster join attempts from unauthorized systems are rejected.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected cluster join events
  • Authentication failures from unknown IPs
  • Peer impersonation attempts in AAA logs

Network Indicators:

  • Unauthorized TCP connections to controller cluster ports (typically 2550)
  • Suspicious cluster synchronization traffic

SIEM Query:

source="opendaylight" AND (event="cluster_join" OR event="authentication_failure") AND src_ip NOT IN allowed_ips
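The SIEM query above expressed as a small offline detector, added here as an example and not part of the original advisory. The key=value log layout, the event names, and the allowed network 10.0.1.0/24 are constructed assumptions; adapt the parser and the allowlist to your real OpenDaylight log format.

```python
import ipaddress
import re

# Constructed sample log lines (not real OpenDaylight output); the
# key=value layout is an assumption made for this illustration only.
SAMPLE_LOGS = """\
source=opendaylight event=cluster_join src_ip=10.0.1.12 peer=member-2
source=opendaylight event=cluster_join src_ip=192.0.2.77 peer=member-3
source=opendaylight event=authentication_failure src_ip=198.51.100.9 user=admin
source=opendaylight event=authentication_failure src_ip=10.0.1.40 user=ops
source=opendaylight event=flow_update src_ip=192.0.2.77 peer=member-3
source=syslog event=cluster_join src_ip=192.0.2.5 peer=member-9
"""

# Networks from which legitimate cluster members are expected (assumed).
ALLOWED_NETS = [ipaddress.ip_network("10.0.1.0/24")]
# Event types the advisory's SIEM query watches.
WATCHED_EVENTS = {"cluster_join", "authentication_failure"}

_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one key=value log line into a dict of fields."""
    return dict(_KV.findall(line))


def is_allowed(ip_text):
    """True if src_ip lies inside an allowed network; malformed IPs are not allowed."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in ALLOWED_NETS)


def suspicious_events(log_text):
    """Apply the query: opendaylight source, watched event, src_ip outside the allowlist."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("source") != "opendaylight":
            continue
        if rec.get("event") not in WATCHED_EVENTS:
            continue
        if is_allowed(rec.get("src_ip", "")):
            continue
        hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in suspicious_events(SAMPLE_LOGS):
        print(f"ALERT {hit['event']} from {hit['src_ip']}: {hit}")
```

Unexpected cluster join events from outside the allowlist are the indicator that matters most for this CVE; authentication failures from unknown addresses are the weaker companion signal.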
