Skip to content

Slot-defined account creation reuses stale snapshot, can silently clobber accounts (TOCTOU) #141

Description

@yoks

Summary

Severity: LOW
Category: toctou_stale_state
File: redfish/src/account/collection.rs:166

Description

For slot-based BMCs, create_account (collection.rs:166-213) scans a snapshot of members captured at collection construction (lines 123-140). Expanded members are never re-fetched (NavProperty::get returns an Arc clone of the snapshot, core/src/nav_property.rs:219-224).

When the chosen slot resource carries no ETag, the PATCH falls back to If-Match: * (bmc-http/src/lib.rs:712-714), which matches any state. Two concurrent creators deterministically select the same free slot; the second PATCH silently overwrites the first's credentials and both callers report success.

Impact

Silent account credential overwrite under concurrent provisioning. The first operator's automation is left unable to authenticate with no error reported.

Exploit Scenario

Two operators or orchestration jobs provision accounts concurrently; both pick the same slot; the second PATCH replaces the first's username/password without any conflict error.

Recommendation

  • Re-fetch the candidate slot immediately before the enabling PATCH and require Enabled == false on the fresh read.
  • Never fall back to If-Match: * for this operation.
  • Verify UserName matches expectations after the PATCH.

Reported by automated scan — 2026-07-11

Metadata

Metadata

Assignees

Labels

bugSomething isn't workinggood first issueGood for newcomers

Type

No type

Fields

No fields configured for issues without a type.

Projects

Status
Triage

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions