OpenStack Ironic Users Urged to Patch Critical Vulnerability (CVE-2024-44082)
OpenStack’s Ironic project, which provisions bare metal machines, has been found vulnerable to a critical security flaw (CVE-2024-44082) that could allow authenticated users to exploit unvalidated image data. This vulnerability, affecting multiple versions of Ironic and the Ironic-Python-Agent (IPA), could lead to unauthorized access to sensitive data through the mishandling of images processed by qemu-img.
The flaw, discovered by security researchers Dan Smith and Julia Kreger of Red Hat, along with Jay Faulkner of G-Research, stems from unvalidated image data being passed to qemu-img during image processing. A specially crafted image could be used by an authenticated attacker to trigger undesired behaviors, potentially leading to the exposure of sensitive information.
The vulnerability affects multiple versions of both Ironic and the Ironic-Python-Agent:
- Ironic: Versions before 21.4.3, between 22.0.0 and 23.0.2, 23.1.0 to 24.1.2, and 25.0.0 to 26.0.1.
- Ironic-Python-Agent: Versions before 9.4.2, between 9.5.0 and 9.7.1, 9.8.0 to 9.11.1, and 9.12.0 to 9.13.1.
To address the CVE-2024-44082 vulnerability, OpenStack has released patches for both Ironic and the Ironic-Python-Agent across all maintained branches, from the Dalmatian development branch to Antelope. These patches introduce code that pre-screens images before they are passed to qemu-img, ensuring that malicious images cannot trigger unauthorized actions.
In situations where the Ironic-Python-Agent cannot be patched, administrators can use the new configuration option [conductor]conductor_always_validates_images, which forces all image downloads to be validated through the Ironic conductor. However, this may result in performance degradation, making it less ideal for high-traffic environments.
As part of the remediation process, administrators are advised to purge cached images. The Ironic image cache should be cleared by stopping the Ironic conductor and removing files from the [pxe]instance_master_path directory.
Additionally, a new configuration option [conductor]permitted_image_formats has been introduced to limit the image formats that Ironic will accept. By default, only raw and qcow2 formats are permitted, as they are the only formats tested and supported by Ironic. While it is possible to expand this list, it is not recommended due to potential security risks.
It is important to note that the OpenStack Ironic project does not support the use of ironic-lib for non-Ironic use cases. Using ironic-lib independently leaves you vulnerable to this exploit. The Ironic project plans to remove the vulnerable methods in ironic-lib in the future.
