CVE-2019-12128 in Operations Manager
Summary
by MITRE
In ONAP SO through Dublin, by accessing an applicable port (30234, 30290, 32010, 30270, 30224, 30281, 30254, 30285, and/or 30271), an attacker gains full access to the respective ONAP services without any authentication. All ONAP Operations Manager (OOM) setups are affected.
Analysis
by VulDB Data Team • 04/17/2024
The vulnerability identified as CVE-2019-12128 represents a critical authentication bypass flaw within the ONAP Service Orchestrator (SO) component of the Open Network Automation Platform ecosystem. This issue affects the Dublin release and earlier versions of the platform, exposing multiple service ports that lack proper authentication mechanisms. The affected ports include 30234, 30290, 32010, 30270, 30224, 30281, 30254, 30285, and 30271, all of which provide unrestricted access to core ONAP services. The vulnerability stems from insufficient access control implementation within the Operations Manager (OOM) framework, allowing any remote attacker to exploit these open ports and gain complete administrative privileges over the targeted services.
This authentication bypass vulnerability maps directly to CWE-287, which addresses improper authentication issues in software systems. The flaw represents a fundamental failure in the principle of least privilege and violates security best practices for network service configuration. Attackers can leverage this vulnerability to execute arbitrary commands, modify system configurations, access sensitive data, and potentially compromise the entire ONAP deployment. The impact is particularly severe given that ONAP serves as a comprehensive network automation platform for telecommunications operators, making the exposed services critical infrastructure components that control network functions and service orchestration.
The operational implications of this vulnerability extend beyond simple unauthorized access, as it enables attackers to perform advanced persistent threat activities within the network automation environment. Once compromised, the affected ONAP services could be used to manipulate network policies, disrupt service delivery, or serve as a foothold for further attacks within the operator's network infrastructure. The vulnerability affects all ONAP Operations Manager setups, indicating a widespread exposure across deployments that utilize the Dublin release or earlier versions of the platform. This creates a significant risk for telecommunications providers who rely on ONAP for managing their network services and automation workflows.
Organizations affected by this vulnerability should implement immediate mitigations, including network segmentation to restrict access to the exposed ports, deployment of firewall rules to block unauthorized access, and immediate upgrade to patched versions of the ONAP platform. The remediation process should involve comprehensive network audits to identify all instances of the vulnerable software and ensure proper authentication mechanisms are enforced. Additionally, security monitoring should be enhanced to detect potential exploitation attempts through these specific port ranges. According to the ATT&CK framework, this vulnerability would be categorized under T1078 for valid accounts and T1046 for network service scanning, with potential lateral movement opportunities through compromised ONAP services. The vulnerability highlights the critical importance of proper service hardening and authentication implementation in enterprise automation platforms, particularly those handling sensitive network infrastructure controls.
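The audit step described above can be scripted. This added example (not part of the VulDB entry or of ONAP) scans a Kubernetes Service list for services that publish any of the nine ports from the CVE description. It assumes an OOM deployment on Kubernetes where those ports are node ports; the service names and the JSON sample are constructed.

```python
import json

# Ports named in the CVE-2019-12128 description.
CVE_PORTS = frozenset({30234, 30290, 32010, 30270, 30224, 30281, 30254, 30285, 30271})

# Constructed sample in the shape of `kubectl get svc --all-namespaces -o json`.
# Service names are hypothetical, not real ONAP service names.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"namespace": "onap", "name": "example-svc-a"},
   "spec": {"type": "NodePort", "ports": [{"port": 8080, "nodePort": 30234}]}},
  {"metadata": {"namespace": "onap", "name": "example-svc-b"},
   "spec": {"type": "ClusterIP", "ports": [{"port": 8080}]}},
  {"metadata": {"namespace": "onap", "name": "example-svc-c"},
   "spec": {"type": "LoadBalancer", "ports": [{"port": 443, "nodePort": 32010}]}},
  {"metadata": {"namespace": "other", "name": "example-svc-d"},
   "spec": {"type": "NodePort", "ports": [{"port": 80, "nodePort": 31000}]}}
]}
""")

def find_exposed_services(svc_list, ports=CVE_PORTS):
    """Return (namespace, name, nodePort, servicePort) for each listed port
    that a Service publishes on the cluster nodes."""
    findings = []
    for item in svc_list.get("items", []):
        meta, spec = item.get("metadata", {}), item.get("spec", {})
        # Only NodePort and LoadBalancer services open a port on every node.
        if spec.get("type") not in ("NodePort", "LoadBalancer"):
            continue
        for p in spec.get("ports", []):
            if p.get("nodePort") in ports:
                findings.append((meta.get("namespace", "default"),
                                 meta.get("name"), p["nodePort"], p.get("port")))
    return sorted(findings, key=lambda f: f[2])

def unmatched_ports(findings, ports=CVE_PORTS):
    """Listed ports with no matching Service; these still need a firewall check."""
    return sorted(set(ports) - {f[2] for f in findings})

if __name__ == "__main__":
    hits = find_exposed_services(SAMPLE)
    for ns, name, node_port, port in hits:
        print(f"{ns}/{name}: nodePort {node_port} -> service port {port}")
    print("no Service found for:", unmatched_ports(hits))
```

To audit a real cluster, replace `SAMPLE` with the parsed output of `kubectl get svc --all-namespaces -o json`. Each hit is a service to place behind network restrictions until the platform is upgraded.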