CVE-2019-12129 in Operations Manager

Summary

by MITRE

In ONAP MSB through Dublin, by accessing an applicable port (30234, 30290, 32010, 30270, 30224, 30281, 30254, 30285, and/or 30271), an attacker gains full access to the respective ONAP services without any authentication. All ONAP Operations Manager (OOM) setups are affected.


Analysis

by VulDB Data Team • 04/17/2024

The vulnerability identified as CVE-2019-12129 represents a critical authentication bypass flaw within the Open Network Automation Platform Multi-Service Bus (ONAP MSB) component, specifically affecting the Dublin release and potentially other versions. This weakness exposes multiple service ports including 30234, 30290, 32010, 30270, 30224, 30281, 30254, 30285, and 30271, which serve as entry points for unauthorized access to the ONAP Operations Manager infrastructure. The flaw fundamentally undermines the security posture of network automation platforms by eliminating the need for valid credentials, thereby allowing any external attacker to gain complete administrative control over the affected services.

This authentication bypass vulnerability stems from inadequate security controls within the ONAP MSB implementation, creating a direct pathway for malicious actors to access sensitive operational interfaces without proper verification. The affected ONAP Operations Manager setups represent a significant risk to telecommunications infrastructure, as these platforms typically manage critical network functions including service orchestration, lifecycle management, and automated deployment processes. The exposed ports likely serve various ONAP components such as the Application Programming Interface (API) gateway, service discovery mechanisms, and configuration management interfaces that are essential for maintaining network service integrity and operational continuity.

The operational impact of this vulnerability extends far beyond simple unauthorized access, as it provides attackers with complete control over the ONAP platform's administrative functions. This level of access enables threat actors to modify service configurations, deploy malicious code, manipulate network policies, and potentially disrupt critical telecommunications services. The vulnerability's widespread nature affects all ONAP Operations Manager deployments, indicating a systemic flaw that could compromise numerous network automation environments across different organizations. Such a flaw directly violates security principles outlined in the OWASP Top Ten and aligns with CWE-287, which addresses improper authentication issues in software systems.

Organizations utilizing affected ONAP versions must implement immediate mitigations including network segmentation to restrict access to the vulnerable ports, deployment of firewall rules to block unauthorized external connections, and implementation of additional authentication layers where possible. The remediation process should involve patching the affected ONAP MSB components with the appropriate security updates provided by the ONAP community, while also conducting comprehensive security assessments to identify any potential compromise. This vulnerability demonstrates the critical importance of proper authentication mechanisms in distributed network automation platforms and highlights the need for continuous security monitoring and vulnerability management processes. The flaw's presence in the Dublin release specifically indicates that organizations should verify their deployment configurations and ensure that all exposed ports are properly secured through network controls or application-level authentication mechanisms as recommended in NIST SP 800-53 security controls.
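A check for the network-restriction mitigation described above, as an added example that is not part of the VulDB entry or of ONAP's own code: it parses listener output in the column layout of `ss -H -ltn` and reports which of the ports named in the summary are bound to a non-loopback address. The sample lines and the function names are constructed for illustration.

```python
import ipaddress

# Ports listed in the CVE-2019-12129 summary.
AFFECTED_PORTS = {30234, 30290, 32010, 30270, 30224, 30281, 30254, 30285, 30271}

# Constructed sample in the column layout of `ss -H -ltn` (not real host output).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:30234 0.0.0.0:*
LISTEN 0 128 127.0.0.1:30290 0.0.0.0:*
LISTEN 0 128 [::]:32010 [::]:*
LISTEN 0 128 *:30270 *:*
LISTEN 0 128 [::1]:30224 [::]:*
LISTEN 0 128 10.0.0.5%eth0:30281 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
"""


def split_local(field):
    """Split an ss local-address field into (host, port)."""
    host, _, port = field.rpartition(":")
    host = host.strip("[]").split("%", 1)[0]  # drop IPv6 brackets and %iface scope
    return host, int(port)


def is_loopback(host):
    """True only for loopback binds; '*', 0.0.0.0 and :: are wildcard binds."""
    return host != "*" and ipaddress.ip_address(host).is_loopback


def exposed_listeners(ss_output, ports=AFFECTED_PORTS):
    """Return sorted (port, host) pairs for affected ports reachable off-host."""
    found = set()
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue  # header, blank or non-listening line
        try:
            host, port = split_local(cols[3])
            local_only = is_loopback(host)
        except ValueError:
            continue  # unparseable local-address field
        if port in ports and not local_only:
            found.add((port, host))
    return sorted(found)


if __name__ == "__main__":
    for port, host in exposed_listeners(SAMPLE_SS_OUTPUT):
        print(f"port {port} listening on {host}: restrict with a firewall rule")
```

A port that is forwarded by packet-filter NAT rules rather than held by a listening socket does not appear in `ss` output, so pair this with a connection test made from outside the restricted segment.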

Reservation

05/15/2019

Moderation

accepted

CPE

ready

EPSS

0.01655

KEV

no

Activities

very low
