Learn about CVE-2023-40585, a critical vulnerability in `ironic-image` allowing unauthenticated access to the Ironic API. Find out the impact, affected versions, and mitigation steps.
A critical vulnerability has been identified in the `ironic-image` container image used to run OpenStack Ironic as part of Metal³. The issue, assigned CVE-2023-40585, allows unauthenticated access to the Ironic API, potentially exposing the system to unauthorized users. Below is a detailed overview of the vulnerability and the necessary mitigation steps.
Understanding CVE-2023-40585
What is CVE-2023-40585?
CVE-2023-40585 describes a scenario in which the Ironic API lacks authentication protection when it is deployed without TLS and the API and Conductor are not split into separate services. This vulnerability, present in versions prior to `capm3-v1.4.3`, enables unauthorized access to the API, especially when the node is not shielded behind a firewall.
The Impact of CVE-2023-40585
The vulnerability allows malicious actors to access the Ironic API without authentication, potentially leading to unauthorized manipulation of resources or data. This lack of authentication poses a significant security risk to systems running the affected versions of the `ironic-image` container.
Technical Details of CVE-2023-40585
Vulnerability Description
Prior to version `capm3-v1.4.3`, the Ironic API lacks authentication protection when not deployed with TLS and the API and Conductor are not split into separate services. This exposes the API to unauthenticated access, especially when operating on a host network.
Affected Systems and Versions
The vulnerability affects versions of `ironic-image` older than `capm3-v1.4.3`. Systems running these versions without proper TLS deployment and service splitting are vulnerable to unauthenticated access to the Ironic API.
Exploitation Mechanism
Unauthorized users can exploit this vulnerability by accessing the Ironic API over the network without authentication, potentially compromising the security and integrity of the system.
Mitigation and Prevention
Immediate Steps to Take
Operators are advised to apply the available patch included in versions `capm3-v1.4.3` and newer. Alternatively, immediate mitigation can be achieved by configuring TLS for the Ironic API or by splitting the API and Conductor services via configuration changes, although the latter is not recommended.
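As an added audit check (not code from the advisory or from the ironic-image project), the script below sends one credential-free request to the Ironic API of a deployment you run and classifies the answer: a 2xx over plain HTTP is the condition described above, while a 401/403 means authentication is enforced. It assumes Ironic's standard `/v1/nodes` listing endpoint and the default API port 6385; neither value comes from this page.

```python
"""Audit check for the CVE-2023-40585 exposure condition on an Ironic API.
Example code written for this article; not part of ironic-image or Metal3."""
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Assumption: Ironic's standard node-listing resource under the v1 API.
NODES_PATH = "/v1/nodes"
# Assumption: default Ironic API port, commonly exposed on the host network.
DEFAULT_URL = "http://localhost:6385"


def assess(scheme: str, status: int) -> str:
    """Classify the result of one unauthenticated GET against the API.

    401/403  -> PROTECTED: the API demanded credentials.
    2xx/http -> EXPOSED: no TLS and no authentication, the CVE-2023-40585 case.
    2xx/https -> NO_AUTH_OVER_TLS: outside the advisory's condition but worth review.
    anything else -> INDETERMINATE (proxy error, wrong path, service down).
    """
    if status in (401, 403):
        return "PROTECTED"
    if 200 <= status < 300:
        return "EXPOSED" if scheme == "http" else "NO_AUTH_OVER_TLS"
    return "INDETERMINATE"


def probe_ironic(base_url: str, timeout: float = 5.0) -> tuple[str, int]:
    """Send a single GET with no credentials; return (scheme, HTTP status).
    A status of 0 means no HTTP answer was received at all."""
    scheme = urlsplit(base_url).scheme
    req = urllib.request.Request(base_url.rstrip("/") + NODES_PATH, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return scheme, resp.status
    except urllib.error.HTTPError as err:   # server answered with an error code
        return scheme, err.code
    except urllib.error.URLError:           # refused, unreachable, timeout
        return scheme, 0


def audit(base_url: str = DEFAULT_URL) -> str:
    """Probe the API once and return the classification label."""
    scheme, status = probe_ironic(base_url)
    return assess(scheme, status)


if __name__ == "__main__":
    import sys
    url = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_URL
    print(f"{url}: {audit(url)}")
```

Run it after applying the patch or enabling TLS and confirm the label changes from EXPOSED to PROTECTED.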
Long-Term Security Practices
To prevent such vulnerabilities, it is crucial to always deploy systems with proper TLS configuration and authentication mechanisms in place. Regular security audits and updates should also be performed to maintain system integrity.
Patching and Updates
It is highly recommended to update to version `capm3-v1.4.3` or newer to eliminate the vulnerability. Ensure all services are configured with proper authentication mechanisms to protect against unauthorized access.