CVE-2024-31463
Ironic-image allows unauthenticated local access to Ironic API
We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.
Please see our statement on Data Privacy.
Ironic-image allows unauthenticated local access to Ironic API
Ironic-image is an OpenStack Ironic deployment packaged and configured by Metal3. When the reverse proxy mode is enabled by the `IRONIC_REVERSE_PROXY_SETUP` variable set to `true`, 1) HTTP basic credentials are validated on the HTTPD side in a separate container, not in the Ironic service itself and 2) Ironic listens in host network on a private port 6388 on localhost by default. As a result, when the reverse proxy mode is used, any Pod or local Unix user on the control plane Node can access the Ironic API on the private port without authentication. A similar problem affects Ironic Inspector (`INSPECTOR_REVERSE_PROXY_SETUP` set to `true`), although the attack potential is smaller there. This issue affects operators deploying ironic-image in the reverse proxy mode, which is the recommended mode when TLS is used (also recommended), with the `IRONIC_PRIVATE_PORT` variable unset or set to a numeric value. In this case, an attacker with enough privileges to launch a pod on the control plane with host networking can access Ironic API and use it to modify bare-metal machine, e.g. provision them with a new image or change their BIOS settings. This vulnerability is fixed in 24.1.1.
Reserved 2024-04-03 | Published 2024-04-17 | Updated 2024-08-02 | Assigner GitHub_MCWE-288: Authentication Bypass Using an Alternate Path or Channel
github.com/...-image/security/advisories/GHSA-g2cm-9v5f-qg7r
github.com/metal3-io/ironic-image/pull/494
github.com/...ommit/48e40bd30d49aefabac6fc80204a8650b13d10b4
Support options
