4.9

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-43803

CVE-2024-43803: The Bare Metal Operator (BMO) can expose particularly named secrets from other namespaces via BMH CRD

Impact

The Bare Metal Operator (BMO) implements a Kubernetes API for managing bare metal hosts in Metal3. The BareMetalHost (BMH) CRD allows the userData, metaData, and networkData for the provisioned host to be specified as links to Kubernetes Secrets. There are fields for both the Name and Namespace of the Secret, meaning that the baremetal-operator will read a Secret from any namespace. A user with access to create or edit a BareMetalHost can thus exfiltrate a Secret from another namespace by using it as e.g. the userData for provisioning some host (note that this need not be a real host, it could be a VM somewhere).

Limiting factors

BMO will only read a key with the name value (or userData, metaData, or networkData), so that limits the exposure somewhat. value is probably a pretty common key though. Secrets used by other BareMetalHosts in different namespaces are always vulnerable.

It is probably relatively unusual for anyone other than cluster administrators to have RBAC access to create/edit a BareMetalHost. This vulnerability is only meaningful, if the cluster has users other than administrators and users' privileges are limited to their respective namespaces.

Patches

The patch prevents BMO from accepting links to Secrets from other namespaces as BMH input. Any BMH configuration is only read from the same namespace only.

The problem is patched in BMO releases v0.8.0, v0.6.2 and v0.5.2 and users should upgrade to those versions. Prior upgrading and if needed, duplicate the BMC Secrets to the namespace where the corresponding BMH is. After upgrade, remove the old Secrets.

Workarounds

Operator can configure BMO RBAC to be namespace scoped for Secrets, instead of cluster scoped, to prevent BMO from accessing Secrets from other namespaces.

References

https://nvd.nist.gov/vuln/detail/CVE-2024-43803
https://github.com/metal3-io/baremetal-operator/pull/1929
https://github.com/metal3-io/baremetal-operator/pull/1930
https://github.com/metal3-io/baremetal-operator/pull/1931

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-43803

CVE-2024-43803:

4.9

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/metal3-io/baremetal-operator	go	>= 0.7.0-rc.0, < 0.8.0	0.8.0
github.com/metal3-io/baremetal-operator	go	>= 0.6.0, < 0.6.2	0.6.2
github.com/metal3-io/baremetal-operator	go	< 0.5.2	0.5.2

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from BMO's ability to read Secrets from any namespace when processing BareMetalHost resources. The key function responsible for fetching secret data (getSecretData in host_config_data.go) lacked namespace validation in vulnerable versions. The patch adds an explicit check comparing the secret's namespace with the host's namespace, which is visible in the commit diff for host_config_data.go. The test cases added in host_config_data_test.go validate this behavior by testing cross-namespace secret references, confirming this was the attack vector. The function's role in secret retrieval and the missing namespace check directly map to the vulnerability description.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

4.9

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-43803: The Bare Metal Operator (BMO) can expose particularly named secrets from other namespaces via BMH CRD

Impact

Limiting factors

Patches

Workarounds

References

CVE-2024-43803:

4.9

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

Basic Information

Basic Information

CVE-2024-43803: The Bare Metal Operator (BMO) can expose particularly named secrets from other namespaces via BMH CRD

Impact

Limiting factors

Patches

Workarounds

References

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

4.9

4.9

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI