Bare Metal Operator BMCEventSubscription Secret Leakage Vulnerability

Vulnerability

A vulnerability in the Bare Metal Operator (BMO) allows unauthorized access to Secrets across namespaces. The issue arises when a Kubernetes account holding only namespace-level roles creates a BMCEventSubscription that references a Secret in a different namespace, which can lead to that Secret being leaked. The vulnerability is present in BMO versions prior to 0.8.1 and 0.9.1.

Impact

Exploitation of this vulnerability can result in the unauthorized disclosure of Secrets from one namespace to another, potentially exposing sensitive information.

Reproduction

To reproduce this vulnerability, create a BMCEventSubscription in a namespace where the user has permissions, and reference a Secret from a different namespace that the user is not authorized to read. Once the subscription is active, the Bare Metal Operator inadvertently grants access to the referenced Secret, causing it to be leaked into the namespace the user is authorized for.

Remediation

Users should upgrade to Bare Metal Operator version 0.8.1 or 0.9.1, where this vulnerability has been patched. After upgrading, remove any old Secrets that were duplicated into the namespace of the corresponding BareMetalHost. As an alternative, BMO can be configured to be namespace-scoped, which prevents it from accessing Secrets in other namespaces.
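Whether you are checking exposure before the upgrade or cleaning up afterwards, the first question is which BMCEventSubscription objects reference a Secret outside their own namespace. The following audit script is an added example, not code from the Bare Metal Operator project or this advisory. It assumes the metal3 BMCEventSubscription CRD places the Secret reference at spec.httpHeadersRef with name and namespace keys (verify this path against the CRD installed in your cluster), and it runs over a constructed sample shaped like the items array of `kubectl get bmceventsubscriptions -A -o json`.

```python
"""Audit BMCEventSubscription objects for cross-namespace Secret references.

Added example; not part of the Bare Metal Operator project. Assumption: the
CRD exposes the Secret reference at spec.httpHeadersRef {name, namespace}.
"""
import json
from typing import Any, Dict, Iterable, List, Tuple

# (subscription namespace, subscription name, referenced Secret namespace, Secret name)
Finding = Tuple[str, str, str, str]

# Constructed sample input, shaped like the "items" of `kubectl ... -o json`.
SAMPLE_SUBSCRIPTIONS: List[Dict[str, Any]] = [
    {   # Reference stays in its own namespace: allowed.
        "metadata": {"name": "sub-ok", "namespace": "team-a"},
        "spec": {"hostName": "host-1",
                 "destination": "https://collector.example/events",
                 "httpHeadersRef": {"name": "headers-a", "namespace": "team-a"}},
    },
    {   # Reference crosses into another namespace: this is what the advisory describes.
        "metadata": {"name": "sub-cross", "namespace": "team-a"},
        "spec": {"hostName": "host-1",
                 "destination": "https://collector.example/events",
                 "httpHeadersRef": {"name": "admin-headers", "namespace": "kube-system"}},
    },
    {   # No Secret reference at all: nothing to check.
        "metadata": {"name": "sub-noref", "namespace": "team-b"},
        "spec": {"hostName": "host-2",
                 "destination": "https://collector.example/events"},
    },
    {   # Namespace omitted on the reference: treated as the subscription's own namespace.
        "metadata": {"name": "sub-implicit", "namespace": "team-b"},
        "spec": {"hostName": "host-2",
                 "destination": "https://collector.example/events",
                 "httpHeadersRef": {"name": "headers-b"}},
    },
]

# Same sample wrapped the way kubectl emits a list, for the JSON entry point below.
SAMPLE_KUBECTL_JSON = json.dumps({"apiVersion": "v1", "kind": "List",
                                  "items": SAMPLE_SUBSCRIPTIONS})


def find_cross_namespace_refs(items: Iterable[Dict[str, Any]]) -> List[Finding]:
    """Return every subscription whose Secret reference points outside its namespace."""
    findings: List[Finding] = []
    for item in items:
        meta = item.get("metadata", {})
        sub_ns = meta.get("namespace", "default")
        sub_name = meta.get("name", "<unnamed>")
        ref = item.get("spec", {}).get("httpHeadersRef")  # assumed field path
        if not ref:
            continue
        # A reference without an explicit namespace resolves to the object's own namespace.
        ref_ns = ref.get("namespace") or sub_ns
        if ref_ns != sub_ns:
            findings.append((sub_ns, sub_name, ref_ns, ref.get("name", "<unnamed>")))
    return findings


def audit_kubectl_json(text: str) -> List[Finding]:
    """Parse `kubectl get ... -o json` output and audit its items."""
    doc = json.loads(text)
    return find_cross_namespace_refs(doc.get("items", []))


def format_report(findings: List[Finding]) -> str:
    """One line per finding, suitable for a ticket or an alert body."""
    if not findings:
        return "OK: no BMCEventSubscription references a Secret in another namespace"
    lines = ["FINDINGS: cross-namespace Secret references"]
    for sub_ns, sub_name, ref_ns, ref_name in findings:
        lines.append(f"  {sub_ns}/{sub_name} -> Secret {ref_ns}/{ref_name}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(audit_kubectl_json(SAMPLE_KUBECTL_JSON)))
```

To run it against a live cluster, pipe `kubectl get bmceventsubscriptions -A -o json` into `audit_kubectl_json`; any finding names a subscription to review and, after the upgrade, a duplicated Secret in the BareMetalHost namespace to remove.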

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 1.2
impact: 2.5
exploitability: 4.3
remediation: 8.3
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.