A security vulnerability, CVE-2023-40585, has been discovered in the ironic-image container that the Metal³ project uses to run OpenStack Ironic. It affects versions prior to capm3-v1.4.3 and, in certain configurations, allows unauthorized access to the Ironic API.

OpenStack Ironic is a project offering Bare Metal-as-a-Service (BMaaS) that is commonly used in conjunction with other OpenStack components. The vulnerability is classified as an authentication bypass: an attacker could gain access to the Ironic API without valid credentials. This article gives an overview of the vulnerability, the steps to mitigate it, and how you can check that your deployment is secure.

Vulnerability Details

The ironic-image is a container image used to run OpenStack Ironic as part of Metal³. If Ironic is deployed without TLS (Transport Layer Security) and its API and Conductor are not split into separate services, the API is left without any authentication mechanism. Unless the node is shielded by a firewall, the API is then reachable by anyone who can connect to it.

By default, Metal³ secures the Ironic API with TLS and basic authentication, so the API is only exposed when an operator deliberately configures it without TLS. The problem is that prior to capm3-v1.4.3, TLS and authentication were coupled: turning off TLS also left the API unauthenticated, which is not a recommended configuration.

A patch is available in versions capm3-v1.4.3 and newer. The original references and exploit details are listed on the OpenStack security advisory page.

There are two suggested workarounds for this vulnerability:

1. Configure TLS for the Ironic API: Instead of deploying without TLS, secure your Ironic API with TLS. You can do this by setting the IRONIC_TLS_SETUP=true environment variable or by using the deploy.sh script with the -t option:

deploy.sh -t YOUR_TLS_CERTIFICATE

2. Split the Ironic API and Conductor via a configuration change: This is an older implementation and is not recommended, but it separates the Ironic API and Conductor services. With the services split, the httpd front-end authenticates connections before they reach the API.

Both workarounds provide an additional layer of security to help protect against unauthorized access to the Ironic API.
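To confirm that a deployment no longer matches the vulnerable configuration, an operator can probe the Ironic API from outside the node and check two things: that the endpoint is served over HTTPS, and that an unauthenticated request is rejected (401 or 403) rather than answered. The script below is an added example written for this article; it is not part of Metal³ or ironic-image. It assumes the standard Ironic API path /v1/nodes, and the host, port and certificate handling are placeholders you supply on the command line.

```python
"""Audit an Ironic API endpoint for the exposure described by CVE-2023-40585.

Added example, not Metal3 project code. It assumes the Ironic API answers on
the standard /v1/nodes path and that a hardened deployment serves HTTPS and
rejects unauthenticated requests with 401 (basic auth) or 403.
"""
import ssl
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse


@dataclass
class Probe:
    url: str               # endpoint that was queried (placeholder host/port supplied by the caller)
    status: Optional[int]  # HTTP status for an unauthenticated GET; None if unreachable
    error: str = ""        # transport error text when status is None


def assess(probe: Probe) -> List[str]:
    """Return a list of findings; an empty list means the endpoint looks hardened."""
    findings = []
    if urlparse(probe.url).scheme.lower() != "https":
        # Plain HTTP is the precondition for the vulnerable (pre-v1.4.3) setup.
        findings.append("API served without TLS (IRONIC_TLS_SETUP not in effect)")
    if probe.status is None:
        findings.append("endpoint unreachable: " + probe.error)
    elif probe.status in (401, 403):
        pass  # authentication is enforced in front of the API
    elif 200 <= probe.status < 300:
        # The defining symptom of CVE-2023-40585: anonymous callers get data back.
        findings.append("unauthenticated request succeeded: API accepts anonymous callers")
    else:
        findings.append("unexpected status %d; verify manually" % probe.status)
    return findings


def probe_endpoint(base_url: str, timeout: float = 5.0, verify_tls: bool = True) -> Probe:
    """Issue one unauthenticated GET to /v1/nodes and record the outcome."""
    url = base_url.rstrip("/") + "/v1/nodes"
    ctx = None
    if not verify_tls:
        # Only for lab deployments with self-signed certificates; keep verification on in production.
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return Probe(url, resp.status)
    except urllib.error.HTTPError as e:
        return Probe(url, e.code)  # 401/403 land here and are the expected, healthy result
    except (urllib.error.URLError, OSError) as e:
        return Probe(url, None, str(e))


if __name__ == "__main__":
    # Usage: python audit_ironic.py https://IRONIC_HOST:6385 [--insecure]
    base = sys.argv[1] if len(sys.argv) > 1 else "https://IRONIC_HOST:6385"
    result = probe_endpoint(base, verify_tls="--insecure" not in sys.argv)
    issues = assess(result)
    print("OK: TLS and authentication enforced" if not issues else "\n".join("FINDING: " + f for f in issues))
    sys.exit(1 if issues else 0)
```

A clean run prints a single OK line and exits 0; any finding exits non-zero so the check can be wired into a deployment pipeline. Run it from a host that is not on the Ironic node itself, since the point is to see what the API looks like to a remote caller.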

Conclusion

To safeguard your OpenStack Ironic deployment against exploitation of CVE-2023-40585, upgrade to capm3-v1.4.3 or newer, or apply one of the workarounds presented above. Ensuring that your Ironic API is properly secured with TLS and an authentication mechanism is crucial for maintaining the confidentiality and integrity of your infrastructure.

Stay up-to-date with the latest security patches and advisories by regularly visiting the OpenStack security page and following security best practices in your OpenStack deployments.

Timeline

Published on: 08/25/2023 21:15:00 UTC
Last modified on: 09/01/2023 21:15:00 UTC