OpenStack Ironic Boot Script Injection Vulnerability via Unsanitized Kernel Command Line Parameters

Vulnerability

A boot script injection vulnerability has been identified in OpenStack Ironic versions 17.0.0 prior to 26.1.7, 27.0.0 prior to 29.0.6, 30.0.0 prior to 32.0.2, and 33.0.0 prior to 35.0.2. A user with permission to modify 'node.driver_info' or 'node.instance_info' can inject crafted values that cause iPXE scripts to execute during the boot process. The root cause is unsanitized user-controlled data in the kernel command line overrides, which can be exploited to redirect the boot process or to access sensitive information.

Impact

Exploitation of this vulnerability could lead to unauthorized execution of iPXE scripts, with potential access to sensitive data such as agent tokens and provisioning network information.

Reproduction

To reproduce this vulnerability, inject control characters or newlines into the 'kernel_append_params' field of 'node.driver_info' or 'node.instance_info'. The resulting malformed kernel command line parameters disrupt the normal boot process, and Ironic's deployment engine rejects them. The failure is recorded in the node's last_error field, which indicates that the kernel command line arguments were improperly formatted.

Remediation

Users can update to Ironic versions 2025.1, 2025.2, or 2026.1, where this vulnerability has been patched. For those using the 2024.1 or 2023.1 versions, which are unmaintained, no official patch is available, but the vulnerability can be manually addressed by removing control characters from the 'kernel_append_params' field.
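The check described in the Reproduction and Remediation sections, as an added example that is not Ironic's own code: it flags control characters (including newlines) in the 'kernel_append_params' override of node.driver_info and node.instance_info, offers the manual strip-and-collapse fix for unmaintained releases, and refuses to build a command line from an unsafe override. The precedence of instance_info over driver_info and the default parameter string are assumptions made for this example.

```python
import re
from typing import Dict, List

# Added example, not Ironic's own code. It models the check the advisory's
# remediation describes: the 'kernel_append_params' override in
# node.driver_info / node.instance_info must not carry control characters,
# because the value is templated into a single-line iPXE 'kernel' directive
# and a newline would begin a new iPXE command.

FIELD = "kernel_append_params"
# NUL..US (0x00-0x1f, which covers \n, \r and \t) plus DEL (0x7f).
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def find_control_chars(node: Dict[str, Dict[str, str]]) -> List[str]:
    """Return one finding per offending override ("<section>.<field>: ...").
    An empty list means both overrides are free of control characters."""
    findings = []
    for section in ("driver_info", "instance_info"):
        value = node.get(section, {}).get(FIELD)
        if not isinstance(value, str):
            continue
        hits = _CONTROL.findall(value)
        if hits:
            codes = ", ".join(sorted({f"0x{ord(c):02x}" for c in hits}))
            findings.append(f"{section}.{FIELD}: control characters {codes}")
    return findings


def sanitize(value: str) -> str:
    """The manual fix for unmaintained releases: replace control characters
    with spaces and collapse the result onto one line."""
    return " ".join(_CONTROL.sub(" ", value).split())


def effective_append_params(node: Dict[str, Dict[str, str]],
                            default: str = "nofb nomodeset") -> str:
    """Choose the override to use (instance_info before driver_info, an
    assumed precedence for this example) and raise instead of silently
    repairing it when any override fails the check, so the attempt shows
    up in the conductor's error handling rather than being masked."""
    problems = find_control_chars(node)
    if problems:
        raise ValueError("; ".join(problems))
    for section in ("instance_info", "driver_info"):
        value = node.get(section, {}).get(FIELD)
        if isinstance(value, str) and value.strip():
            return sanitize(value)  # already clean; this only trims spacing
    return default
```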

Added: Jun 3, 2026, 10:19 PM
Updated: Jun 3, 2026, 10:19 PM

Vulnerability Rating

Custom Algorithm
spread: 1.4
impact: 2.5
exploitability: 6.2
remediation: 8.3
relevance: 9.9
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.