Root Cause Analysis
The vulnerability lies in OpenStack Cyborg's policy definitions located in cyborg/common/policy.py. Multiple API endpoints used the default policy rule:allow, which translates to '@'. This setting unconditionally granted access to any user with a valid Keystone authentication token, irrespective of their roles or project affiliations. Consequently, any authenticated user could perform sensitive actions such as viewing detailed hardware information, reprogramming FPGAs, and modifying hardware metadata. The patch addresses this critical security flaw by replacing the overly permissive rule:allow with more stringent, role-based access controls like rule:admin_api and rule:project_member_or_admin. The identified vulnerable functions are the controller methods that handle the API requests for these misconfigured endpoints. An attacker exploiting this vulnerability would have their actions logged against these functions in a runtime profiler or stack trace.
Vulnerable functions
ARQsController.post in cyborg/api/controllers/v2/arqs.py
This function, responsible for creating accelerator requests, was vulnerable because its corresponding policy 'cyborg:arq:create' was set to 'rule:allow', permitting any authenticated user to create requests. The patch changes this to 'rule:project_member_or_admin', restricting access to users with appropriate project roles.
DevicesController.get_one in cyborg/api/controllers/v2/devices.py
This function for retrieving details of a specific device was exposed to any authenticated user due to the 'rule:allow' policy on 'cyborg:device:get_one'. The fix restricts this to administrators by changing the policy to 'rule:admin_api'.
DevicesController.get_all in cyborg/api/controllers/v2/devices.py
Listing all devices was open to any authenticated user because the 'cyborg:device:get_all' policy was set to 'rule:allow'. The patch secures this by changing the policy to 'rule:admin_api', limiting access to administrators.
DeployablesController.get_one in cyborg/api/controllers/v2/deployables.py
This function, which shows details of a specific deployable, was insecurely configured with 'rule:allow' for the 'cyborg:deployable:get_one' policy. The patch corrects this by applying 'rule:admin_api', thereby restricting access to administrators.
DeployablesController.get_all in cyborg/api/controllers/v2/deployables.py
Any authenticated user could list all deployable records because the 'cyborg:deployable:get_all' policy was set to 'rule:allow'. The vulnerability was fixed by changing the policy to 'rule:admin_api', ensuring only administrators can access this information.
DeployablesController.patch in cyborg/api/controllers/v2/deployables.py
The 'program' action on deployables, which can be used to reprogram FPGAs, was exposed to any authenticated user through the 'cyborg:deployable:program' policy's use of 'rule:allow'. The patch mitigates this by changing the policy to 'rule:admin_api', restricting this sensitive operation to administrators.
AttributesController.get_one in cyborg/api/controllers/v2/attributes.py
Details of a specific attribute could be retrieved by any authenticated user, as the 'cyborg:attribute:get_one' policy was set to 'rule:allow'. The fix changes this to 'rule:admin_api', restricting access to administrators.
AttributesController.get_all in cyborg/api/controllers/v2/attributes.py
The 'cyborg:attribute:get_all' policy was set to 'rule:allow', allowing any authenticated user to list all attribute records. The patch addresses this by changing the policy to 'rule:admin_api', limiting this functionality to administrators.
AttributesController.post in cyborg/api/controllers/v2/attributes.py
This function for creating attribute records was vulnerable due to the 'cyborg:attribute:create' policy being set to 'rule:allow'. The patch secures this by changing the policy to 'rule:admin_api', ensuring only administrators can create attributes.
AttributesController.delete in cyborg/api/controllers/v2/attributes.py
Deletion of attribute records was permitted for any authenticated user because the 'cyborg:attribute:delete' policy was set to 'rule:allow'. The fix changes this to 'rule:admin_api', restricting this action to administrators.
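As an added example (not code from the Cyborg project), the audit below applies the rule semantics described in the analysis to a constructed policy table shaped like the name-to-check-string pairs in cyborg/common/policy.py: it resolves rule aliases the way oslo.policy does and flags every API rule that any holder of a valid token would pass, then confirms that the replacements named in the function list close them. The dictionary form, the helper names and the sample entries are assumptions.

```python
from typing import Dict, FrozenSet, List

# Constructed sample, modelled on the definitions described in the analysis.
# In oslo.policy, '@' (or an empty check string) always passes and
# 'rule:NAME' refers to another named rule in the same table.
VULNERABLE_POLICIES: Dict[str, str] = {
    "allow": "@",
    "admin_api": "role:admin",
    "project_member_or_admin": "role:member or rule:admin_api",
    "cyborg:arq:create": "rule:allow",
    "cyborg:device:get_one": "rule:allow",
    "cyborg:device:get_all": "rule:allow",
    "cyborg:deployable:program": "rule:allow",
    "cyborg:attribute:delete": "rule:allow",
}

# The same table with the replacements the patch is described as making.
FIXED_POLICIES: Dict[str, str] = dict(VULNERABLE_POLICIES)
FIXED_POLICIES.update({
    "cyborg:arq:create": "rule:project_member_or_admin",
    "cyborg:device:get_one": "rule:admin_api",
    "cyborg:device:get_all": "rule:admin_api",
    "cyborg:deployable:program": "rule:admin_api",
    "cyborg:attribute:delete": "rule:admin_api",
})

def allows_any_authenticated(check: str, policies: Dict[str, str],
                             seen: FrozenSet[str] = frozenset()) -> bool:
    """True if CHECK passes for every holder of a valid Keystone token."""
    check = check.strip()
    if " or " in check:  # 'or' binds loosest: one wide-open branch suffices
        return any(allows_any_authenticated(c, policies, seen)
                   for c in check.split(" or "))
    if "(" in check or ")" in check or " and " in check:
        return False  # conservative: not provably wide open
    if check in ("@", ""):
        return True
    if check.startswith("rule:"):
        name = check[len("rule:"):]
        if name in seen or name not in policies:
            return False  # cycle or undefined alias
        return allows_any_authenticated(policies[name], policies, seen | {name})
    return False  # role:, project_id:, etc. impose a real condition

def find_wide_open(policies: Dict[str, str], prefix: str = "cyborg:") -> List[str]:
    """Names of API policies (by prefix) that any authenticated user passes."""
    return sorted(name for name, check in policies.items()
                  if name.startswith(prefix)
                  and allows_any_authenticated(check, policies))
```

Running find_wide_open over the real policy table (after converting each RuleDefault to its name and check string) gives the same view a reviewer of the patch would want: an empty result means no API rule still collapses to '@'.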