Impact
A malicious user who can deploy a node through OpenStack Ironic is able to specify the IPMI send_raw deployment step with arbitrary payloads, allowing the user to send raw IPMI commands to the node’s Baseboard Management Controller. This can result in the execution of privileged commands on the BMC, giving the attacker control over the hardware and potentially enabling unauthorized shutdowns, reboots, firmware manipulations, or denial‑of‑service conditions. The vulnerability is rooted in a lack of proper authorization checks for the send_raw capability, as indicated by the associated CWE-862.
Affected Systems
The vulnerability applies to the OpenStack Ironic project, affecting any deployment that uses the send_raw step in the deployment, cleaning, or servicing workflows. Specific affected versions are not listed in the data, so all releases of Ironic that expose the send_raw interface remain potentially vulnerable until a patch is issued.
Risk and Exploitability
The CVSS v3 score of 6.5 classifies the issue as moderate, yet the potential impact on BMC security is considerable. Exploitation would require the attacker to have authorization to invoke deployment, cleaning, or servicing steps—roles typically reserved for system administrators. Because the EPSS score is unavailable and the vulnerability is not yet listed in CISA’s KEV catalog, the current likelihood of exploitation is uncertain, but the presence of a privileged attack vector warrants careful mitigation. Once an update is released, applying the patch is the most effective countermeasure; until then, limiting users who can trigger these flows and configuring Ironic to reject arbitrary raw IPMI commands are prudent interim steps.
OpenCVE Enrichment