
Cloud Vulnerability DB
A community-led vulnerabilities database
The Bare Metal Operator (BMO) implements a Kubernetes API for managing bare metal hosts in Metal3. A vulnerability was discovered in versions prior to 0.8.0, 0.6.2, and 0.5.2 where the BareMetalHost (BMH) CRD allows userData, metaData, and networkData to be specified as links to Kubernetes Secrets from any namespace. This vulnerability enables users with access to create or edit a BareMetalHost to potentially exfiltrate secrets from other namespaces (GitHub Advisory).
The vulnerability stems from the BMO's ability to read Secrets from any namespace when a Secret is referenced by its Name and Namespace fields in the BareMetalHost CRD. BMO will only read keys named 'value', 'userData', 'metaData', or 'networkData' from the referenced Secrets, which somewhat limits the exposure. The vulnerability has been assigned a CVSS v3.1 base score of 4.9 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N (GitHub Advisory).
An attacker with permissions to create or edit a BareMetalHost can exfiltrate secrets from other namespaces by using them as configuration data for provisioning hosts. This is particularly concerning for secrets used by other BareMetalHosts in different namespaces. The impact is limited to environments where cluster users have restricted privileges and are not administrators (GitHub Advisory).
The vulnerability has been patched in BMO releases v0.8.0, v0.6.2, and v0.5.2. Users should upgrade to these versions. Before upgrading, any required BMC Secrets should be duplicated to the namespace where the corresponding BMH is located. After upgrading, the old secrets can be removed. As a workaround, operators can configure BMO RBAC to be namespace-scoped for Secrets instead of cluster-scoped, preventing BMO from accessing secrets from other namespaces (GitHub Advisory).
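As an added example (not code from the advisory, from Wiz, or from the Metal3 project), the following Python audit flags BareMetalHost objects whose userData, metaData or networkData reference a Secret in a namespace other than the host's own, which is exactly the condition the advisory describes and the condition that namespace-scoped RBAC for Secrets removes. It assumes BMH objects as plain dicts in the shape the Kubernetes API returns them, with those three spec fields each carrying a Secret reference with a name and an optional namespace key; the two sample hosts are constructed, and the helper that reports which Secret keys BMO would actually read follows the key list given in the advisory.

```python
"""Audit BareMetalHost (BMH) objects for cross-namespace Secret references.

Added example, not part of the advisory or of the Metal3 project. Assumes BMH
objects as dicts in Kubernetes API shape; sample hosts below are constructed.
"""
from typing import Any, Dict, Iterable, List

# BMH spec fields the advisory names as accepting a Secret reference
# (a {"name": ..., "namespace": ...} object) from any namespace.
SECRET_REF_FIELDS = ("userData", "metaData", "networkData")

# Secret keys BMO reads from a referenced Secret, per the advisory.
BMO_READ_KEYS = ("value", "userData", "metaData", "networkData")


def find_cross_namespace_refs(bmh: Dict[str, Any]) -> List[Dict[str, str]]:
    """Return one finding per Secret reference pointing outside the BMH's namespace."""
    host_ns = bmh["metadata"]["namespace"]
    host = f"{host_ns}/{bmh['metadata']['name']}"
    findings: List[Dict[str, str]] = []
    for field in SECRET_REF_FIELDS:
        ref = bmh.get("spec", {}).get(field)
        if not ref or not ref.get("name"):
            continue
        # An omitted namespace resolves to the BMH's own namespace; only an
        # explicit, different namespace is the cross-namespace case.
        ref_ns = ref.get("namespace") or host_ns
        if ref_ns != host_ns:
            findings.append({"host": host, "field": field,
                             "secret": f"{ref_ns}/{ref['name']}"})
    return findings


def audit(hosts: Iterable[Dict[str, Any]]) -> List[Dict[str, str]]:
    """Run the check over every BMH, e.g. the items of a list across all namespaces."""
    return [f for h in hosts for f in find_cross_namespace_refs(h)]


def exposed_keys(secret_data: Dict[str, str]) -> List[str]:
    """Keys of a referenced Secret that BMO would read (bounds the exposure)."""
    return sorted(k for k in secret_data if k in BMO_READ_KEYS)


# Constructed sample hosts: one clean same-namespace reference per host, plus
# one reference into another namespace each.
SAMPLE_HOSTS = [
    {"metadata": {"name": "node-1", "namespace": "tenant-a"},
     "spec": {"userData": {"name": "cloud-init"},
              "networkData": {"name": "netconf", "namespace": "tenant-b"}}},
    {"metadata": {"name": "node-2", "namespace": "tenant-b"},
     "spec": {"metaData": {"name": "meta", "namespace": "tenant-b"},
              "userData": {"name": "db-creds", "namespace": "kube-system"}}},
]

# Constructed Secret contents: only 'value' and 'userData' would be read by BMO.
SAMPLE_SECRET_DATA = {"value": "...", "userData": "...", "password": "..."}

if __name__ == "__main__":
    for finding in audit(SAMPLE_HOSTS):
        print(f"{finding['host']}: spec.{finding['field']} -> {finding['secret']}")
    print("keys BMO would read:", exposed_keys(SAMPLE_SECRET_DATA))
```

On a live cluster the same function can be fed the items of `kubectl get baremetalhosts -A -o json`; any finding is a host that, on an unpatched BMO with cluster-scoped Secret access, reads a Secret owned by another namespace, so it is also the list of Secrets to duplicate into the host's namespace before the upgrade described above.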
Source: This report was generated using AI