Comment 1 for bug 1572796

aeva black (tenbrae) wrote : Re: Complete node information available to unauthenticated users, if they know MAC address of Node

DRAFT
-----

Title: Ironic Node information including credentials exposed to unauthenticated users
Reporter: Devananda van der Veen
Products: OpenStack Ironic
Affects: >=2014.2, >=4.0.0 <=5.1.1

Description:

Devananda van der Veen reported the following vulnerability in Ironic.

Anyone with network access to the ironic-api service can bypass Keystone authentication and retrieve all information about any Node registered with Ironic, if they know (or are able to guess) the MAC address of a network card belonging to that Node. The HTTP response will include the full Node details, including management passwords, even when /etc/ironic/policy.json is configured to hide passwords in API responses.

This can be done by sending a request such as the following:

curl -X POST -H "Content-Type: application/json" -d \
'{ "version": "2", "inventory": { "interfaces": [ { "mac_address": "$ADDRESS" } ] } }' \
http://$HOST:6385/v1/drivers/$DRIVER/vendor_passthru/lookup

This affects all instances of Ironic where the "enabled_drivers" setting includes any of the "agent" family of drivers (e.g., agent_ssh, agent_ipmitool, agent_ilo). In such an environment, all Nodes may be exposed, even Nodes that are configured with another driver, and even if no Nodes are configured to use any of the agent_* drivers.

This vulnerability has been verified in all currently supported branches (liberty, mitaka, master) and traced back to code introduced in commit 3e568fbbbcc5748035c1448a0bdb26306470797c during the Juno development cycle. Therefore, it is likely that both juno and kilo branches (and their releases) are also affected.
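To make the exposure concrete for anyone reviewing or testing a fix, here is an added illustrative model of the agent "lookup" vendor passthru described above, with the leaky handler beside a hardened one. This is not Ironic's code and not the reporter's; the node records, the port_macs field, the LOOKUP_FIELDS allowlist, and the function names are all constructed for the example.

```python
"""Illustrative model of the unauthenticated agent 'lookup' vendor passthru:
a vulnerable handler that hands back the whole node record (driver_info
credentials included) beside a hardened one that returns only what a deploy
ramdisk needs. Not Ironic's code; all records and names below are constructed."""
import copy

# Constructed node database (all values are fake). In the real service this is
# the DB-backed Node object, and driver_info holds management credentials.
NODES = {
    "11111111-0000-4000-8000-000000000001": {
        "uuid": "11111111-0000-4000-8000-000000000001",
        "driver": "agent_ipmitool",
        "driver_info": {"ipmi_address": "192.0.2.10",
                        "ipmi_username": "admin",
                        "ipmi_password": "example-secret-1"},
        "port_macs": ["aa:bb:cc:dd:ee:01"],
    },
    "11111111-0000-4000-8000-000000000002": {
        "uuid": "11111111-0000-4000-8000-000000000002",
        "driver": "pxe_ipmitool",          # not an agent_* driver
        "driver_info": {"ipmi_address": "192.0.2.11",
                        "ipmi_username": "admin",
                        "ipmi_password": "example-secret-2"},
        "port_macs": ["aa:bb:cc:dd:ee:02"],
    },
}

# Fields a deploy ramdisk actually needs from lookup (constructed allowlist).
LOOKUP_FIELDS = ("uuid", "driver")


def _macs_from_inventory(inventory):
    """Pull MAC addresses out of the inventory document an agent POSTs."""
    return [iface["mac_address"].lower()
            for iface in inventory.get("interfaces", [])
            if "mac_address" in iface]


def _find_node(macs):
    """Resolve a node from any of the MACs registered as its ports."""
    for node in NODES.values():
        if any(mac in node["port_macs"] for mac in macs):
            return node
    return None


def lookup_vulnerable(body):
    """Shape of the exposure: whoever sends a matching MAC receives the complete
    node record, driver_info secrets included, for any driver, with no policy
    masking applied because this path never goes through the normal API view."""
    node = _find_node(_macs_from_inventory(body.get("inventory", {})))
    if node is None:
        return None
    return {"node": copy.deepcopy(node)}


def lookup_hardened(body):
    """Hardened variant: answer only for nodes whose driver is in the agent
    family, and return an allowlisted projection that never carries
    driver_info, so credentials cannot leave on this unauthenticated path."""
    node = _find_node(_macs_from_inventory(body.get("inventory", {})))
    if node is None or not node["driver"].startswith("agent_"):
        return None
    return {"node": {k: node[k] for k in LOOKUP_FIELDS}}


def contains_secret(response):
    """Audit helper: does a lookup response carry the credential-bearing field?"""
    if response is None:
        return False
    return "driver_info" in response["node"]


if __name__ == "__main__":
    req = {"version": "2",
           "inventory": {"interfaces": [{"mac_address": "AA:BB:CC:DD:EE:02"}]}}
    print("vulnerable handler leaks credentials:", contains_secret(lookup_vulnerable(req)))
    print("hardened handler leaks credentials:  ", contains_secret(lookup_hardened(req)))
```

The second record shows the point made in the advisory: the node uses pxe_ipmitool, yet the vulnerable handler still returns its IPMI password because the lookup only keys on MAC. A production fix would go further than this sketch, for instance by also tying lookup to the node's provision state, but the two properties that matter are visible here: an allowlisted response shape and a refusal to answer for nodes the agent path should never serve.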