CVE-2016-4985
openstack-ironic: Ironic Node information including credentials exposed to unauthenticated users
Descriptions
The ironic-api service in OpenStack Ironic before 4.2.5 (Liberty) and 5.x before 5.1.2 (Mitaka) allows remote attackers to obtain sensitive information about a registered node by leveraging knowledge of the MAC address of a network card belonging to that node and sending a crafted POST request to the v1/drivers/$DRIVER_NAME/vendor_passthru resource.
An authentication vulnerability was found in openstack-ironic. A client with network access to the ironic-api service could bypass OpenStack Identity authentication, and retrieve all information about any node registered with OpenStack Bare Metal. If an unprivileged attacker knew (or was able to guess) the MAC address of a network card belonging to a node, the flaw could be exploited by sending a crafted POST request to the node's /v1/drivers/$DRIVER_NAME/vendor_passthru resource. The response included the node's full details, including management passwords, even if the /etc/ironic/policy.json file was configured to hide passwords in API responses.
Timeline
- 2016-05-24 CVE Reserved
- 2016-07-05 CVE Published
- 2023-03-07 EPSS Updated
- 2024-08-06 CVE Updated
CWE
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
- CWE-290: Authentication Bypass by Spoofing
References (9)
URL | Tag | Source |
---|---|---|
http://www.openwall.com/lists/oss-security/2016/06/21/6 | Mailing List | |
https://review.openstack.org/332195 | X_refsource_confirm | |
https://review.openstack.org/332196 | X_refsource_confirm | |
https://review.openstack.org/332197 | X_refsource_confirm | |

URL | Date | SRC |
---|---|---|
https://access.redhat.com/errata/RHSA-2016:1377 | 2023-02-12 | |
https://access.redhat.com/errata/RHSA-2016:1378 | 2023-02-12 | |
https://bugs.launchpad.net/ironic/+bug/1572796 | 2023-02-12 | |
https://access.redhat.com/security/cve/CVE-2016-4985 | 2016-07-04 | |
https://bugzilla.redhat.com/show_bug.cgi?id=1346193 | 2016-07-04 | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Redhat | Openstack | 7.0 | - | Affected |
Redhat | Openstack | 8 | - | Affected |
Canonical | Openstack Ironic | <= 4.2.4 | - | Affected |
Canonical | Openstack Ironic | 5.1.0 | - | Affected |
Canonical | Openstack Ironic | 5.1.1 | - | Affected |