OpenStack Ironic Command Injection Vulnerability in IPMI Console Interface

Vulnerability

A command injection vulnerability has been identified in OpenStack Ironic versions through 25.0.0. It is reachable only when the IPMI console interface is enabled. Values supplied in a node's 'driver_info' (for example 'ipmi_address') are interpolated into the 'ipmitool' command line used to start the console without shell quoting, so a user who can set those fields can embed shell metacharacters and have the resulting command executed on the Ironic conductor host.

Impact

Successful exploitation gives arbitrary command execution on the Ironic conductor host with the privileges of the user account running the 'ironic-conductor' process.

Reproduction

To reproduce, first confirm that the Ironic deployment has the IPMI console interface enabled; the default configuration is not affected. A user holding the 'baremetal:node:update:driver_info' permission then sets 'ipmi_address' (or another field that is interpolated into the console command) within 'driver_info' to a value containing shell metacharacters. Starting the IPMI console for that node builds and runs the 'ipmitool' command with the unsanitized value, triggering the injection.

Remediation

Deployments that do not need the IPMI console interface can disable it, which removes the injection path. For the 2026.1, 2025.2, 2025.1, 2024.2 and 2024.1 release series, a patch is available that applies shell quoting to the console commands so that 'driver_info' values reach 'ipmitool' as literal arguments.
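The following is an added example written for this page, not Ironic's own code, modelling the bug described in the Vulnerability and Reproduction sections and the shell-quoting fix described above. The function names, the shape of the command string and the sample 'driver_info' values are assumptions; 'ipmitool' is replaced by 'echo' so the difference between the unquoted and quoted builds can be observed offline without a BMC. It also includes a small audit helper that flags 'driver_info' values containing shell-significant characters, which is a useful check on an unpatched deployment.

```python
"""Model of the Ironic IPMI console command injection and its fix.

Example code for this page, not Ironic's code. Function names and the command
string layout are assumptions; 'echo' stands in for 'ipmitool'.
"""
import re
import shlex
import subprocess

TOOL = "echo"  # stand-in for 'ipmitool' so the example runs anywhere

# Constructed sample driver_info values (not taken from a real deployment):
# one benign, one with a shell payload in 'ipmi_address', the field the
# advisory names.
BENIGN_DRIVER_INFO = {
    "ipmi_address": "10.0.0.1",
    "ipmi_username": "admin",
    "ipmi_terminal_port": "8023",
}
MALICIOUS_DRIVER_INFO = dict(BENIGN_DRIVER_INFO,
                             ipmi_address="10.0.0.1; echo INJECTED")


def build_console_cmd_vulnerable(driver_info):
    """Pre-fix behaviour (modelled): fields are interpolated into one shell
    command string with no quoting, so metacharacters in driver_info become
    shell syntax when the console process is started."""
    return "%s -I lanplus -H %s -U %s sol activate" % (
        TOOL, driver_info["ipmi_address"], driver_info["ipmi_username"])


def build_console_cmd_fixed(driver_info):
    """Post-fix behaviour (modelled on the advisory): every field is
    shell-quoted, so the shell sees each value as a single literal word."""
    return "%s -I lanplus -H %s -U %s sol activate" % (
        TOOL,
        shlex.quote(driver_info["ipmi_address"]),
        shlex.quote(driver_info["ipmi_username"]))


def run_console_cmd(cmd):
    """Run the command string through /bin/sh, as a console wrapper that
    accepts a command line would. Returns the stdout lines; a second line
    means a second command was executed."""
    result = subprocess.run(cmd, shell=True, capture_output=True,
                            text=True, check=False)
    return result.stdout.splitlines()


# Same character class shlex.quote treats as unsafe. A driver_info value
# matching it is worth auditing on any conductor that is not yet patched.
_UNSAFE = re.compile(r"[^\w@%+=:,./-]", re.ASCII)


def find_unsafe_driver_info(driver_info):
    """Return the driver_info keys whose values contain shell-significant
    characters, sorted for stable output."""
    return sorted(k for k, v in driver_info.items() if _UNSAFE.search(str(v)))


if __name__ == "__main__":
    for label, info in (("benign", BENIGN_DRIVER_INFO),
                        ("malicious", MALICIOUS_DRIVER_INFO)):
        print(label, "vulnerable ->",
              run_console_cmd(build_console_cmd_vulnerable(info)))
        print(label, "fixed      ->",
              run_console_cmd(build_console_cmd_fixed(info)))
        print(label, "suspicious fields:", find_unsafe_driver_info(info))
```

With the malicious value, the unquoted build yields two output lines because the shell splits at ';' and runs the injected 'echo INJECTED' as a separate command, while the quoted build yields one line with the payload kept inside the '-H' argument. Quoting is the fix the advisory describes; passing an argv list and never invoking a shell would remove the class of bug entirely, but that is a broader change than the patch and is noted here only as design context.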

Added: Apr 28, 2026, 6:24 AM
Updated: Apr 28, 2026, 6:24 AM

Vulnerability Rating

Custom Algorithm

Category        Score
spread          1.4
impact          7.5
exploitability  5.6
remediation     8.3
relevance       6.9
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.