Ironic Node information including credentials exposed to unauthenticated users

Bug #1593209 reported by Pavlo Shchelokovskyy
Affects               Status    Importance  Assigned to            Milestone
Mirantis OpenStack    Invalid   High        Pavlo Shchelokovskyy
8.0.x                 Invalid   High        MOS Maintenance
9.x                   Invalid   High        Pavlo Shchelokovskyy

Bug Description

per CVE: 2016-4985

==================
A client with network access to the ironic-api service can bypass Keystone
authentication and retrieve all information about any Node registered with
Ironic, if they know (or are able to guess) the MAC address of a network card
belonging to that Node, by sending a crafted POST request to the
/v1/drivers/$DRIVER_NAME/vendor_passthru resource.

The response will include the full Node details, including management passwords,
even when /etc/ironic/policy.json is configured to hide passwords in API responses.

This vulnerability has been verified in all currently supported branches
(liberty, mitaka, master) and traced back to code introduced in commit
3e568fbbbcc5748035c1448a0bdb26306470797c during the Juno development cycle.
Therefore, it is likely that both juno and kilo branches (and their releases) are
also affected.

Proposed public disclosure date/time: Tuesday June 21 2016, 1500 UTC
==================

This vulnerability does apply to Ironic-Python-Agent based drivers, which are shipped with, but not enabled by default in MOS.

Currently the MOS Ironic team is investigating whether this vulnerability applies to the Ironic drivers enabled by default in MOS (fuel-ipmitool, fuel-libvirt). The preliminary conclusion is that it does not; however, a more rigorous check is ongoing.

If this vulnerability does indeed apply to the drivers enabled by default, I'd need to decide if it is possible/feasible to incorporate the fix in MOS9 GA that late in the release cycle. If not, then it is safe to postpone the fix release to the next MOS version/maintenance update.

CVE References

Changed in mos:
importance: Undecided → High
Revision history for this message
Pavlo Shchelokovskyy (pshchelo) wrote :

After further analysis and testing, we conclude that this vulnerability does not affect the Ironic drivers that are enabled by default in MOS (fuel-agent based drivers do not have the vendor_passthru/lookup endpoint, a bug in which is the root of this vulnerability).

Executing a request crafted as described in this CVE against an Ironic node with the fuel_ipmitool driver results in the following error response:

400, {"error_message": "{\"debuginfo\":null,\"faultcode\":\"Client\",\"faultstring\":\"No handler for method lookup\"}"}

instead of returning full unmasked node info.

However, we do ship the vulnerable Ironic-Python-Agent-based drivers in MOS (as they are an integral part of the upstream code), and operators are free to reconfigure Ironic and enable those drivers/assign them to nodes.

Given all the above, I am marking this bug as High priority, and recommend releasing the fix in the next possible MU for MOS8/9.

As the vulnerability is scheduled to go public before MOS9 GA date, I also recommend that it is appropriately described in MOS9 release info, suggesting operators to avoid using IPA-based Ironic drivers in MOS9 until next MU. A technical bulletin for users of Ironic in MOS8 should also be created with the same warning.
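The check Pavlo describes above (a crafted POST to /v1/drivers/$DRIVER_NAME/vendor_passthru?method=lookup either answered with the 400 "No handler for method lookup" fault, or with full node details including management passwords) can be turned into a small classifier that an operator runs against the ironic-api response to decide whether a deployment is exposed, before and after applying the fix. This is an added example, not code from this bug report, from Ironic or from MOS. Assumptions made here: the masked placeholder is "******" (the value Ironic's policy masking substitutes), a successful lookup response carries the node under a "node" key, and credentials live in driver_info keys ending in "_password" or "_key". The sample responses are constructed; the 400 body mirrors the one quoted in the comment above.

```python
import json

# Assumption: the placeholder ironic-api substitutes for masked secrets.
MASK = "******"
# Assumption: driver_info keys that carry management credentials for the
# ipmitool/ssh-style drivers; extend for other drivers as needed.
SECRET_KEY_SUFFIXES = ("_password", "_key")


def parse_error_message(body_text):
    """Decode an ironic-api fault.

    ironic-api returns WSME faults as JSON whose "error_message" field is
    itself a JSON-encoded string (see the 400 response quoted in the bug),
    so the body has to be decoded twice.
    """
    outer = json.loads(body_text)
    inner = outer.get("error_message")
    if inner is None:
        return None
    try:
        return json.loads(inner)
    except (TypeError, ValueError):
        # Some deployments return a plain string here; keep it usable.
        return {"faultstring": inner}


def exposed_secrets(node):
    """Return driver_info keys whose credential value was NOT masked."""
    driver_info = node.get("driver_info") or {}
    return sorted(
        key for key, value in driver_info.items()
        if key.endswith(SECRET_KEY_SUFFIXES) and value not in (MASK, "", None)
    )


def classify_lookup_response(status_code, body_text):
    """Classify the response to an unauthenticated vendor_passthru lookup."""
    if status_code == 400:
        fault = parse_error_message(body_text) or {}
        if "No handler for method lookup" in str(fault.get("faultstring", "")):
            # Driver has no lookup passthru (e.g. fuel_ipmitool): not affected.
            return "driver_has_no_lookup"
        return "rejected"
    if status_code in (401, 403):
        return "auth_enforced"
    if status_code == 200:
        payload = json.loads(body_text)
        node = payload.get("node", payload)  # assumption: node under "node"
        if "uuid" not in node:
            return "no_node_data"
        if exposed_secrets(node):
            return "credentials_exposed"
        return "node_exposed_secrets_masked"
    return "unexpected"


# Constructed sample responses, one per scenario discussed in the bug.
SAMPLE_RESPONSES = {
    "fuel_ipmitool": (400, json.dumps({"error_message": json.dumps({
        "debuginfo": None, "faultcode": "Client",
        "faultstring": "No handler for method lookup"})})),
    "vulnerable_ipa": (200, json.dumps({"node": {
        "uuid": "11111111-2222-3333-4444-555555555555",
        "driver": "agent_ipmitool",
        "driver_info": {"ipmi_address": "10.0.0.5", "ipmi_username": "admin",
                        "ipmi_password": "hunter2"}},
        "heartbeat_timeout": 300})),
    "fixed_ipa": (200, json.dumps({"node": {
        "uuid": "11111111-2222-3333-4444-555555555555",
        "driver": "agent_ipmitool",
        "driver_info": {"ipmi_address": "10.0.0.5", "ipmi_username": "admin",
                        "ipmi_password": MASK}},
        "heartbeat_timeout": 300})),
}


def classify_samples():
    """Classify every constructed sample; returns {scenario: verdict}."""
    return {name: classify_lookup_response(status, body)
            for name, (status, body) in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(name, "->", verdict)
```

Only a verdict of "driver_has_no_lookup", "auth_enforced" or "no_node_data" means the endpoint gives an anonymous client nothing; "node_exposed_secrets_masked" still discloses node details to anyone who knows a MAC address, so it should be treated as a partial exposure rather than a clean bill of health.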

Revision history for this message
Pavlo Shchelokovskyy (pshchelo) wrote :

Patches to MOS downstream Ironic code:

MOS9
https://review.fuel-infra.org/#/c/22146/

MOS8
https://review.fuel-infra.org/#/c/22147/

On the other hand, given the disclosure date, we might get those patches in from upstream sync as well.

Revision history for this message
Dina Belova (dbelova) wrote :

Adding release-notes tag due to Pavlo's comment:

>>> As the vulnerability is scheduled to go public before MOS9 GA date, I also recommend that it is appropriately described in MOS9 release info, suggesting operators to avoid using IPA-based Ironic drivers in MOS9 until next MU. A technical bulletin for users of Ironic in MOS8 should also be created with the same warning.

tags: added: release-notes
Revision history for this message
Adam Heczko (aheczko-mirantis) wrote :

Pavlo, CVE-2016-4985 is AFAIK related to Horizon. So this issue most likely will have another CVE number assigned.

tags: added: feature-security
Revision history for this message
Vitaly Sedelnik (vsedelnik) wrote :

Invalid for 8.0-updates as the fix was consumed from stable/liberty

Revision history for this message
Pavlo Shchelokovskyy (pshchelo) wrote :

Adam, not sure what's with Horizon, but this vulnerability is always identified as CVE-2016-4985 throughout Launchpad and MLs.

Upstream bug ref https://bugs.launchpad.net/ironic/+bug/1572796
CVE announcement http://www.openwall.com/lists/oss-security/2016/06/21/6

Revision history for this message
Pavlo Shchelokovskyy (pshchelo) wrote :

Btw, should we make this bug public already? The CVE was disclosed a week ago.

Revision history for this message
Vitaly Sedelnik (vsedelnik) wrote :

Invalid for 9.2 - the fix was consumed via upstream sync.

information type: Private Security → Public Security
Revision history for this message
Maria Zlatkova (mzlatkova) wrote :

Removing the release-notes tag (see the comment above).

tags: removed: release-notes