OpenStack Cyborg Policy Bypass Vulnerability in API Endpoints Allowing Unauthorized Access to Hardware Management and FPGA Reprogramming

Vulnerability

A vulnerability in OpenStack Cyborg versions prior to 16.0.1 allows authenticated users to bypass access controls on several API endpoints. The default policy 'rule:allow' unconditionally authorizes requests with a valid Keystone token, regardless of roles or project membership. This vulnerability enables users with no role assignments to access sensitive information and perform privileged actions, such as reprogramming FPGA bitstreams on compute nodes and manipulating hardware metadata used by the Placement service.

Impact

Exploitation of this vulnerability allows unauthorized access to hardware inventory and management operations, including FPGA reprogramming and modification of hardware metadata.

Reproduction

The vulnerability can be reproduced by sending requests to the affected API endpoints with a valid Keystone token. This can be done using a script that automates the process, such as the 'reproduce.sh' script available as an attachment in the bug report.

Remediation

Users can update to OpenStack Cyborg version 16.0.1 or later, where this vulnerability has been fixed. Instructions for applying the update can be found in the OpenStack Cyborg release notes.
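The defect described above is a policy rule that resolves to "always allow" for any valid token. Beyond upgrading, an operator can audit their own policy.yaml overrides for the same pattern. The following is an added example, not code from the Cyborg project or the bug report: it resolves oslo.policy rule references and reports every operation whose rule is satisfied by any authenticated user, with a constructed weak table placed beside a constructed hardened one. The rule names (`example:device:list` and so on) are placeholders, not Cyborg's real policy identifiers, and the resolver handles only the subset of oslo.policy syntax it needs.

```python
"""Find oslo.policy-style rules that any authenticated user satisfies.

Added example (not from the page or the Cyborg project). Assumptions:
- rule names are constructed placeholders, not real Cyborg identifiers;
- the resolver understands '@', '', '!', 'rule:<name>' and top-level
  'and'/'or' (and binds tighter than or); anything else (role:, project_id:,
  not, parentheses) is treated as a real, conditional check.
"""
from typing import Dict, List, Optional, Set

# Constructed sample mirroring the defective default: 'allow' is '@', which
# oslo.policy treats as always-true, and several operations delegate to it.
WEAK_POLICY: Dict[str, str] = {
    "allow": "@",
    "admin_api": "role:admin",
    "example:device:list": "rule:allow",
    "example:fpga:program": "rule:allow",
    "example:device_profile:delete": "rule:allow or rule:admin_api",
}

# Constructed hardened form: every operation requires a role or ownership check.
HARDENED_POLICY: Dict[str, str] = {
    "admin_api": "role:admin",
    "admin_or_owner": "role:admin or project_id:%(project_id)s",
    "example:device:list": "rule:admin_or_owner",
    "example:fpga:program": "rule:admin_api",
    "example:device_profile:delete": "rule:admin_api",
}


def _split_top(expr: str, op: str) -> List[str]:
    """Split an expression on ' op ' (no parenthesis handling, see module docstring)."""
    return [part.strip() for part in expr.split(f" {op} ")]


def is_unconditional(policy: Dict[str, str], expr: str,
                     seen: Optional[Set[str]] = None) -> bool:
    """True if `expr` grants access for every valid token, whatever its roles."""
    seen = set() if seen is None else seen
    expr = expr.strip()
    if expr in ("@", ""):          # oslo.policy: '@' and '' are always true
        return True
    if expr == "!":                # '!' is always false
        return False
    if " or " in expr:             # any unconditional branch makes the whole 'or' open
        return any(is_unconditional(policy, p, seen) for p in _split_top(expr, "or"))
    if " and " in expr:            # every branch must be unconditional
        return all(is_unconditional(policy, p, seen) for p in _split_top(expr, "and"))
    if expr.startswith("rule:"):
        name = expr[len("rule:"):]
        if name in seen or name not in policy:
            return False           # cycle or unknown rule: evaluates false in oslo.policy
        return is_unconditional(policy, policy[name], seen | {name})
    return False                   # role:, project_id:, not, parentheses: a real check


def find_open_rules(policy: Dict[str, str]) -> List[str]:
    """Return the names of all rules that any authenticated user satisfies."""
    return sorted(name for name, expr in policy.items()
                  if is_unconditional(policy, expr))


if __name__ == "__main__":
    print("weak policy, open rules:", find_open_rules(WEAK_POLICY))
    print("hardened policy, open rules:", find_open_rules(HARDENED_POLICY))
```

The check is deliberately conservative: an expression it does not understand (parentheses, `not`, generic checks) is reported as conditional, so an empty result means "nothing this resolver could prove open", not a proof that the file is safe. Running it over a deployment's effective policy (defaults merged with local overrides) is the quickest way to confirm that no operation still delegates to an unconditional rule after the upgrade.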

Added: May 7, 2026, 10:22 PM
Updated: May 7, 2026, 10:22 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 3.1
exploitability: 6.6
remediation: 0.0
relevance: 7.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.