OpenStack Ironic Users Urged to Patch Critical Vulnerability (CVE-2024-44082)

Summary: OpenStack’s Ironic project has a critical vulnerability (CVE-2024-44082) that allows authenticated users to exploit unvalidated image data, potentially leading to unauthorized access to sensitive information. Patches have been released to mitigate this issue, but administrators are advised to take additional precautions to secure their systems.

Threat Actor: Authenticated Users
Victim: OpenStack Ironic Project

Key Points:

  • Critical vulnerability (CVE-2024-44082) allows exploitation of unvalidated image data in Ironic and Ironic-Python-Agent.
  • OpenStack has released patches, but administrators should purge cached images and consider new configuration options for enhanced security.
  • Using ironic-lib independently poses additional risks, as it is not supported for non-Ironic use cases.

OpenStack’s Ironic project, which provisions bare metal machines, has been found vulnerable to a critical security flaw (CVE-2024-44082) that could allow authenticated users to exploit unvalidated image data. This vulnerability, affecting multiple versions of Ironic and the Ironic-Python-Agent (IPA), could lead to unauthorized access to sensitive data through the mishandling of images processed by qemu-img.

The flaw, discovered by security researchers Dan Smith and Julia Kreger of Red Hat, along with Jay Faulkner of G-Research, stems from unvalidated image data being passed to qemu-img during image processing. A specially crafted image could be used by an authenticated attacker to trigger undesired behaviors, potentially leading to the exposure of sensitive information.

The vulnerability affects multiple versions of both Ironic and the Ironic-Python-Agent:

  • Ironic: Versions before 21.4.3, between 22.0.0 and 23.0.2, 23.1.0 to 24.1.2, and 25.0.0 to 26.0.1.
  • Ironic-Python-Agent: Versions before 9.4.2, between 9.5.0 and 9.7.1, 9.8.0 to 9.11.1, and 9.12.0 to 9.13.1.

To address the CVE-2024-44082 vulnerability, OpenStack has released patches for both Ironic and the Ironic-Python-Agent across all maintained branches, from the Dalmatian development branch to Antelope. These patches introduce code that pre-screens images before they are passed to qemu-img, ensuring that malicious images cannot trigger unauthorized actions.

In situations where the Ironic-Python-Agent cannot be patched, administrators can use the new configuration option [conductor]conductor_always_validates_images, which forces all image downloads to be validated through the Ironic conductor. However, this may result in performance degradation, making it less ideal for high-traffic environments.

As part of the remediation process, administrators are advised to purge cached images. The Ironic image cache should be cleared by stopping the Ironic conductor and removing files from the [pxe]instance_master_path directory.

Additionally, a new configuration option [conductor]permitted_image_formats has been introduced to limit the image formats that Ironic will accept. By default, only raw and qcow2 formats are permitted, as they are the only formats tested and supported by Ironic. While it is possible to expand this list, it is not recommended due to potential security risks.
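The pre-screening and format allowlist described above, as an added illustration that is not Ironic's own code: it identifies the format from the header bytes, enforces the raw/qcow2 allowlist, rejects a declared/detected mismatch, and refuses a qcow2 header that names an external backing file (a reference qemu-img would otherwise follow). The function names and the constructed sample header are assumptions.

```python
import struct

# Allowlist mirroring the default of [conductor]permitted_image_formats.
PERMITTED_IMAGE_FORMATS = ("raw", "qcow2")

QCOW_MAGIC = b"QFI\xfb"  # first four bytes of every qcow/qcow2 file
# Magics of other formats qemu-img would parse; none is on the allowlist.
OTHER_MAGICS = {b"KDMV": "vmdk", b"QED\x00": "qed", b"<<< ": "vdi"}


def inspect_image(data: bytes, declared_format: str) -> str:
    """Pre-screen an image before it reaches qemu-img.

    Returns the detected format, or raises ValueError when the image must
    not be processed: disallowed format, declared/detected mismatch, or a
    qcow2 header that points at an external backing file.
    """
    if declared_format not in PERMITTED_IMAGE_FORMATS:
        raise ValueError(f"format {declared_format!r} is not permitted")
    header = data[:32]
    if header.startswith(QCOW_MAGIC):
        if len(header) < 20:
            raise ValueError("truncated qcow2 header")
        # qcow2 header is big-endian: version u32, backing_file_offset u64,
        # backing_file_size u32 follow the magic.
        version, backing_off, backing_len = struct.unpack(">IQI", header[4:20])
        if version not in (2, 3):
            raise ValueError(f"unsupported qcow2 version {version}")
        if backing_off or backing_len:
            # qemu-img would open whatever path the backing file names.
            raise ValueError("qcow2 image references an external backing file")
        detected = "qcow2"
    else:
        detected = next((f for m, f in OTHER_MAGICS.items()
                         if header.startswith(m)), "raw")
    if detected != declared_format:
        raise ValueError(f"declared {declared_format!r} but detected {detected!r}")
    return detected


def is_rejected(data: bytes, declared_format: str) -> bool:
    """True when inspect_image refuses the image (hypothetical helper)."""
    try:
        inspect_image(data, declared_format)
    except ValueError:
        return True
    return False


def constructed_qcow2(version: int = 3, backing: bytes = b"") -> bytes:
    """Build a constructed, minimal qcow2 header (sample input, not a real disk)."""
    backing_off = 104 if backing else 0
    hdr = QCOW_MAGIC + struct.pack(">IQI", version, backing_off, len(backing))
    hdr += struct.pack(">IQ", 16, 1 << 20)  # cluster_bits, virtual size
    return hdr.ljust(104, b"\0") + backing
```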

It is important to note that the OpenStack Ironic project does not support the use of ironic-lib for non-Ironic use cases. Using ironic-lib independently leaves you vulnerable to this exploit. The Ironic project plans to remove the vulnerable methods in ironic-lib in the future.


Source: https://securityonline.info/openstack-ironic-users-urged-to-patch-critical-vulnerability-cve-2024-44082