Ironic Node information including credentials exposed to unauthenticated users
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Mirantis OpenStack | Invalid | High | Pavlo Shchelokovskyy | |
| 8.0.x | Invalid | High | MOS Maintenance | |
| 9.x | Invalid | High | Pavlo Shchelokovskyy | |
Bug Description
per CVE-2016-4985:
==================
A client with network access to the ironic-api service can bypass Keystone
authentication and retrieve all information about any Node registered with
Ironic, if they know (or are able to guess) the MAC address of a network card
belonging to that Node, by sending a crafted POST request to the
/v1/drivers/
The response will include the full Node details, including management passwords,
even when /etc/ironic/
This vulnerability has been verified in all currently supported branches
(liberty, mitaka, master) and traced back to code introduced in commit
3e568fbbbcc5748
Therefore, it is likely that both juno and kilo branches (and their releases) are
also affected.
Proposed public disclosure date/time: Tuesday June 21 2016, 1500 UTC
==================
This vulnerability does apply to Ironic-Python-Agent based drivers, which are shipped with, but not enabled by default in, MOS.
Currently the MOS Ironic team is investigating whether this vulnerability applies to the Ironic drivers enabled by default in MOS (fuel-ipmitool, fuel-libvirt). The preliminary conclusion is that it does not; however, a more rigorous check is ongoing.
If this vulnerability does indeed apply to the enabled-by-default drivers, I'd need to decide whether it is possible/feasible to incorporate the fix in MOS9 GA that late in the release cycle. If not, then it is safe to postpone the fix release to the next MOS version/maintenance update.
CVE References: CVE-2016-4985
Changed in mos: importance: Undecided → High
After further analysis and testing, we conclude that this vulnerability does not affect the Ironic drivers that are enabled by default in MOS (fuel-agent based drivers do not have the vendor_passthru/lookup endpoint, a bug in which is the root of this vulnerability).
Executing a request crafted as described in this CVE against an Ironic node with the fuel_ipmitool driver results in the following error response:
400, {"error_message": "{\"debuginfo\":null, \"faultcode\":\"Client\",\"faultstring\":\"No handler for method lookup\"}"}
instead of returning full unmasked node info.
However, we do ship the vulnerable Ironic-Python-Agent-based drivers in MOS (as they are an integral part of the upstream code), and operators are free to reconfigure Ironic and enable those drivers/assign them to nodes.
Given all the above, I am marking this bug as High priority and recommend releasing the fix in the next possible MU for MOS8/9.
As the vulnerability is scheduled to go public before the MOS9 GA date, I also recommend that it is appropriately described in the MOS9 release info, suggesting that operators avoid using IPA-based Ironic drivers in MOS9 until the next MU. A technical bulletin for users of Ironic in MOS8 should also be created with the same warning.
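An added detection example for operators who cannot apply the fix immediately; it is not part of this bug report and not Ironic or MOS code. It scans ironic-api access-log lines for POST requests to the driver vendor passthru lookup endpoint and grades each hit: a 200 to an unexpected client is the disclosure case described above, while the 400 "No handler for method lookup" response the comment shows for fuel_ipmitool is only a probe attempt. Assumptions: the access-log line shape (eventlet WSGI style) is assumed and must be adapted to the real logs; the full endpoint path /v1/drivers/<driver>/vendor_passthru/lookup is assembled from the fragments in the report; the sample log lines and the driver name agent_ipmitool are constructed. Because the IPA deploy ramdisk itself calls this endpoint during provisioning, an allow-list of provisioning-network sources downgrades those expected successes so the remaining 200s stand out.

```python
import re
from dataclasses import dataclass
from typing import AbstractSet, Iterable, List, Optional

# Access-log line shape as an eventlet WSGI server commonly writes it.
# ASSUMPTION: adapt this regex to the deployment's actual ironic-api log format.
ACCESS_LINE = re.compile(
    r'^(?P<client>\S+) - - \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\d+)'
)

# Vendor passthru lookup path: /v1/drivers/<driver>/vendor_passthru/lookup
# ASSUMPTION: assembled from the fragments quoted in the report.
LOOKUP_PATH = re.compile(r'^/v1/drivers/(?P<driver>[^/]+)/vendor_passthru/lookup(?:\?.*)?$')


@dataclass
class Finding:
    client: str
    ts: str
    driver: str
    status: int
    severity: str
    reason: str


def classify(line: str, allow_sources: AbstractSet[str] = frozenset()) -> Optional[Finding]:
    """Return a Finding for a POST to the lookup endpoint, or None for any other line."""
    m = ACCESS_LINE.match(line)
    if not m or m.group('method') != 'POST':
        return None
    p = LOOKUP_PATH.match(m.group('path'))
    if not p:
        return None
    client, status, driver = m.group('client'), int(m.group('status')), p.group('driver')
    if status == 200:
        if client in allow_sources:
            # Deploy ramdisks on the provisioning network are expected to call lookup.
            severity, reason = 'info', 'lookup succeeded from an expected provisioning-network source'
        else:
            severity, reason = ('high', 'lookup returned 200 to an unexpected client; '
                                        'full node details (incl. credentials) may have been disclosed')
    elif status == 400:
        # Matches the "No handler for method lookup" reply of drivers without a lookup
        # handler: the request was rejected, so this is a probe, not a disclosure.
        severity, reason = 'low', 'lookup rejected by a driver without a lookup handler (probe attempt)'
    else:
        severity, reason = 'medium', f'lookup answered with HTTP {status}'
    return Finding(client, m.group('ts'), driver, status, severity, reason)


def scan(lines: Iterable[str], allow_sources: AbstractSet[str] = frozenset()) -> List[Finding]:
    """Run classify() over every line and keep only the lookup-endpoint findings."""
    return [f for f in (classify(l, allow_sources) for l in lines) if f is not None]


# Constructed sample log lines (not real traffic); agent_ipmitool stands in for an IPA-based driver.
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Jun/2016 15:02:11] "GET /v1/nodes HTTP/1.1" 200 8123',
    '10.0.0.77 - - [21/Jun/2016 15:02:40] "POST /v1/drivers/agent_ipmitool/vendor_passthru/lookup HTTP/1.1" 200 2210',
    '10.0.0.77 - - [21/Jun/2016 15:02:41] "POST /v1/drivers/fuel_ipmitool/vendor_passthru/lookup HTTP/1.1" 400 143',
    '10.0.0.9 - - [21/Jun/2016 15:03:00] "POST /v1/nodes HTTP/1.1" 201 900',
]

if __name__ == '__main__':
    for f in scan(SAMPLE_LOG):
        print(f'{f.severity.upper():6} {f.ts} {f.client} driver={f.driver} status={f.status}: {f.reason}')
```

Run it against real log files by feeding the file's lines to scan(); pass the provisioning-network addresses that legitimately host deploy ramdisks as allow_sources. Even the 400 findings are worth keeping, since a client walking driver names against this endpoint is behaviour an operator wants to see before the IPA-based drivers are enabled.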