Summary
Severity: LOW
Category: toctou_stale_state
File: redfish/src/account/collection.rs:166
Description
For slot-based BMCs, create_account (collection.rs:166-213) scans a snapshot of members captured at collection construction (lines 123-140). Expanded members are never re-fetched (NavProperty::get returns an Arc clone of the snapshot, core/src/nav_property.rs:219-224).
When the chosen slot resource carries no ETag, the PATCH falls back to If-Match: * (bmc-http/src/lib.rs:712-714), which matches any state. Two concurrent creators deterministically select the same free slot; the second PATCH silently overwrites the first's credentials and both callers report success.
Impact
Silent account credential overwrite under concurrent provisioning. The first operator's automation is left unable to authenticate with no error reported.
Exploit Scenario
Two operators or orchestration jobs provision accounts concurrently; both pick the same slot; the second PATCH replaces the first's username/password without any conflict error.
Recommendation
- Re-fetch the candidate slot immediately before the enabling
PATCH and require Enabled == false on the fresh read.
- Never fall back to
If-Match: * for this operation.
- Verify
UserName matches expectations after the PATCH.
Reported by automated scan — 2026-07-11
Summary
Severity: LOW
Category:
toctou_stale_stateFile:
redfish/src/account/collection.rs:166Description
For slot-based BMCs,
create_account(collection.rs:166-213) scans a snapshot of members captured at collection construction (lines 123-140). Expanded members are never re-fetched (NavProperty::getreturns anArcclone of the snapshot,core/src/nav_property.rs:219-224).When the chosen slot resource carries no ETag, the
PATCHfalls back toIf-Match: *(bmc-http/src/lib.rs:712-714), which matches any state. Two concurrent creators deterministically select the same free slot; the secondPATCHsilently overwrites the first's credentials and both callers report success.Impact
Silent account credential overwrite under concurrent provisioning. The first operator's automation is left unable to authenticate with no error reported.
Exploit Scenario
Two operators or orchestration jobs provision accounts concurrently; both pick the same slot; the second
PATCHreplaces the first's username/password without any conflict error.Recommendation
PATCHand requireEnabled == falseon the fresh read.If-Match: *for this operation.UserNamematches expectations after thePATCH.Reported by automated scan — 2026-07-11