CVE-2025-29781: Security Vulnerability in Bare Metal Operator (BMO) Leads to Secret Leakage and Measures to Counter the Threat

Bare Metal Operator (BMO) is an essential component of the Metal3 project that manages bare metal hosts through a Kubernetes API. It allows users to load Secrets from different namespaces when deploying a namespace-scoped Custom Resource known as BMCEventSubscription. A security vulnerability exists prior to versions 0.8.1 and 0.9.1 that can lead to Secret leakage. In this post, we discuss the exploit details, the original resources, and the steps to apply the patch and the available workarounds.

Exploit Details

An adversary holding a Kubernetes account with only namespace-level roles, such as a tenant controlling a single namespace, can create a BMCEventSubscription in their authorized namespace. The vulnerability allows that tenant to have the Bare Metal Operator load Secrets from namespaces they are not authorized to read into their own namespace, thereby leaking those Secrets.

Patch Information

The patch prevents BMO from reading Secrets from any namespace other than the one where the corresponding BareMetalHost (BMH) resource resides. The BMCEventSubscription API itself is unchanged; the patch adds stricter validation that rejects cross-namespace references at the admission stage, and the controller additionally refuses to read such Secrets for any BMCEventSubscription (BMCES) resource that is already deployed.

To apply this patch, users must upgrade to BMO release v0.9.1 or v0.8.1. Before upgrading, duplicate every existing Secret referenced by a BMCEventSubscription's httpHeadersRef into the namespace where the corresponding BMH resides. Once the upgrade is complete, the old Secrets can be removed safely.
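The following audit, added here as an example and not code from the page or the Metal3 project, finds BMCEventSubscription objects whose httpHeadersRef reaches into another namespace (the references the patched validation rejects) and emits the Secret duplication step from the upgrade guidance above. The input is a constructed sample in the shape `kubectl get bmceventsubscriptions -A -o json` returns; the `hostName` field and the assumption that it names a BareMetalHost in the subscription's own namespace come from the v1alpha1 API, not from this page.

```python
import json

# Constructed sample in the shape `kubectl get bmceventsubscriptions -A -o json`
# returns: a same-namespace reference, a cross-namespace reference, and no reference.
SAMPLE_LIST = json.dumps({"items": [
    {"metadata": {"name": "sub-ok", "namespace": "tenant-a"},
     "spec": {"hostName": "node-1", "destination": "https://events.example/hook",
              "httpHeadersRef": {"name": "hdr-a", "namespace": "tenant-a"}}},
    {"metadata": {"name": "sub-leak", "namespace": "tenant-b"},
     "spec": {"hostName": "node-2", "destination": "https://events.example/hook",
              "httpHeadersRef": {"name": "admin-creds", "namespace": "kube-system"}}},
    {"metadata": {"name": "sub-noref", "namespace": "tenant-c"},
     "spec": {"hostName": "node-3", "destination": "https://events.example/hook"}},
]})


def find_cross_namespace_refs(list_json: str) -> list[dict]:
    """One finding per subscription whose httpHeadersRef names a Secret outside
    the subscription's namespace. That namespace is also the BMH namespace, since
    hostName (assumed from the v1alpha1 API) refers to a BMH in the same namespace."""
    findings = []
    for item in json.loads(list_json).get("items", []):
        ns = item["metadata"]["namespace"]
        ref = item.get("spec", {}).get("httpHeadersRef")
        if not ref:
            continue  # no Secret referenced, nothing to leak
        secret_ns = ref.get("namespace") or ns  # omitted namespace means the object's own
        if secret_ns != ns:
            findings.append({"subscription": f"{ns}/{item['metadata']['name']}",
                             "secret": f"{secret_ns}/{ref['name']}",
                             "bmh_namespace": ns})
    return findings


def copy_commands(findings: list[dict]) -> list[str]:
    """The pre-upgrade step as kubectl/jq pipelines: duplicate each offending
    Secret into the BMH namespace, dropping cluster-specific metadata so the
    copy applies cleanly. Review the generated commands before running them."""
    cmds = []
    for f in findings:
        src_ns, name = f["secret"].split("/", 1)
        cmds.append(
            f"kubectl get secret {name} -n {src_ns} -o json "
            "| jq 'del(.metadata.namespace, .metadata.uid, .metadata.resourceVersion, "
            ".metadata.creationTimestamp, .metadata.managedFields)' "
            f"| kubectl apply -n {f['bmh_namespace']} -f -")
    return cmds
```

Run `find_cross_namespace_refs` over the real `kubectl` output in place of `SAMPLE_LIST`; the sample yields one finding, `tenant-b/sub-leak` reading `kube-system/admin-creds`.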

Original Resources

1. CVE-2025-29781 Original Report
2. Bare Metal Operator GitHub Repository
3. Bare Metal Operator Documentation

Workarounds

In cases where an immediate upgrade to the patched BMO version is not feasible, operators can apply the following workarounds:

1. Configure the BMO RBAC (Role-Based Access Control) to be namespace-scoped instead of cluster-scoped, so that BMO has no permission to read Secrets in other namespaces.
2. Use the WATCH_NAMESPACE configuration option to limit BMO's activity to a single namespace, so that a BMCEventSubscription cannot pull Secrets across namespaces.

Below is an example Secret and BareMetalHost placed in the same namespace, which is the arrangement the patched BMO requires for any Secret it reads on behalf of a host:

apiVersion: v1
kind: Secret
metadata:
  name: my-bmh-secret
  namespace: my-namespace
data:
  username: bXl1c2VybmFtZQ==
  password: bXlwYXNzd29yZA==
---
apiVersion: metal3.io/v1alpha1
kind: BareMetalHost
metadata:
  name: my-bmh
  namespace: my-namespace
spec:
  bmc:
    address: https://host/ipmi
    credentialsName: my-bmh-secret

Conclusion

The CVE-2025-29781 vulnerability in the Bare Metal Operator poses a significant risk because it allows Secret leakage across namespaces. Operators running BMO versions before 0.8.1 or 0.9.1 should upgrade to the patched versions and, where an upgrade is not yet possible, apply the workarounds described above. Doing so secures bare metal host management and provides a more dependable environment for users working within Metal3 deployments.

Timeline

Published on: 03/17/2025 22:15:14 UTC
Last modified on: 03/18/2025 15:16:00 UTC