OpenStack Ironic fails to properly restrict file paths when handling `file://` image URLs, allowing a malicious project owner to specify arbitrary local file paths. During deployment, the `ironic-conductor` process reads these files and writes them to the target node’s disk. While exploitation requires specific non-default configurations (like disabled automated cleaning), an attacker with node ownership could potentially write sensitive system files to the deployed instance. The vulnerability stems from insufficient validation of user-supplied paths in the API deployment handler.
DailyCVE Form:
Platform: OpenStack Ironic
Version: <24.1.3, 25.0.0-26.1.1, 27.0.0-29.0.1
Vulnerability: Path Traversal
Severity: Low
Date: May 8, 2025
What Undercode Says:
Exploitation:
1. Attacker provisions a node via the Ironic API.
- Supplies a malicious `file://` URL pointing to a sensitive host file (e.g., /etc/passwd).
- ironic-conductor writes the file to the node disk during deployment.
PoC (Example API Request):
curl -X POST http://ironic-api/v1/nodes/<uuid>/provision -H "X-Auth-Token: <token>" -d '{"image_source":"file:///etc/passwd"}'
Mitigation:
1. Upgrade to patched versions (24.1.3, 26.1.1, 29.0.1).
2. Enable automated cleaning (`clean_nodes=True` in config).
3. Restrict node ownership to trusted projects.
Detection Command:
```shell
grep -r "file://" /var/log/ironic/ironic-conductor.log
```
Workaround (Config Patch):
```ini
allowed_schemes = http,https
```
Affected Code (Example):
```python
def validate_image_source(source):
    if source.startswith("file://"):  # Vulnerable path: any local path is accepted
        return True  # No path sanitization
```
Fixed Code:
```python
class Invalid(Exception): pass  # stand-in for the service's validation exception (assumed)

def validate_image_source(source):
    if source.startswith("file://"):
        raise Invalid("Local file access denied")  # local paths are rejected outright
    return True
```
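The fixed snippet above blocks `file://` entirely. As an added example (not Ironic's own code and not part of this post), the validator below keeps `file://` usable for an operator-controlled image directory while rejecting any path that escapes it via `..`, percent-encoding or symlinks; `ALLOWED_FILE_ROOT`, `ALLOWED_SCHEMES` and `InvalidImageSource` are assumptions, not Ironic settings.

```python
import os
from urllib.parse import unquote, urlparse

# Assumed policy for this example; neither name is an Ironic configuration option.
ALLOWED_SCHEMES = {"http", "https", "file"}
ALLOWED_FILE_ROOT = "/var/lib/ironic/images"  # hypothetical operator-managed image directory

class InvalidImageSource(ValueError):
    """Raised when an image_source URL must not be fetched by the conductor."""

def validate_image_source(source, allowed_root=ALLOWED_FILE_ROOT,
                          allowed_schemes=ALLOWED_SCHEMES):
    """Return `source` if it is safe to fetch, else raise InvalidImageSource.

    A file:// path is accepted only when, after collapsing '..' and following
    symlinks, it still lies inside `allowed_root`; remote schemes pass through.
    """
    parsed = urlparse(source)
    scheme = parsed.scheme.lower()
    if scheme not in allowed_schemes:
        raise InvalidImageSource(f"scheme {scheme or '(none)'!r} is not allowed")
    if scheme != "file":
        return source
    if parsed.netloc not in ("", "localhost"):
        raise InvalidImageSource("file:// URL must not name a remote host")
    requested = unquote(parsed.path)  # decode %2e%2e and similar before checking
    real_root = os.path.realpath(allowed_root)
    real_path = os.path.realpath(requested)
    # commonpath, not str.startswith: /var/lib/ironic/images-evil/x must not
    # be treated as a child of /var/lib/ironic/images.
    if os.path.commonpath([real_root, real_path]) != real_root:
        raise InvalidImageSource(f"{requested!r} resolves outside {allowed_root}")
    return source

def is_safe_image_source(source):
    """Boolean form of the check, convenient when triaging conductor log entries."""
    try:
        validate_image_source(source)
    except InvalidImageSource:
        return False
    return True

if __name__ == "__main__":
    for candidate in (
        "file:///var/lib/ironic/images/ubuntu.qcow2",            # constructed: allowed
        "file:///var/lib/ironic/images/../../../../etc/passwd",  # constructed: traversal
        "file:///etc/passwd",                                     # constructed: outside root
    ):
        print(candidate, "ok" if is_safe_image_source(candidate) else "REJECTED")
```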
Analytics:
- CVSS: 4.3 (Low)
- Exploitability: Requires compromised project credentials.
- Impact: Limited to file disclosure on target node.
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

