Bug 2275847 (CVE-2024-31463) - CVE-2024-31463 ironic-image: Unauthenticated local access to Ironic API
Summary: CVE-2024-31463 ironic-image: Unauthenticated local access to Ironic API
Keywords:
Status: NEW
Alias: CVE-2024-31463
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2275846
TreeView+ depends on / blocked
 
Reported: 2024-04-18 02:33 UTC by Patrick Del Bello
Modified: 2024-05-23 18:11 UTC (History)
5 users (show)

Fixed In Version: ironic-image 24.1.1
Doc Type: ---
Doc Text:
A vulnerability was found in Ironic-image. This issue occurs when setting IRONIC_REVERSE_PROXY_SETUP to 'true', which may allow unauthenticated local access to the Ironic API private port without authentication.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2024:2068 0 None None None 2024-05-02 14:23:25 UTC
Red Hat Product Errata RHSA-2024:2668 0 None None None 2024-05-09 16:50:13 UTC
Red Hat Product Errata RHSA-2024:2782 0 None None None 2024-05-16 18:09:40 UTC
Red Hat Product Errata RHSA-2024:2875 0 None None None 2024-05-23 18:11:27 UTC

Description Patrick Del Bello 2024-04-18 02:33:12 UTC 
Ironic-image is an OpenStack Ironic deployment packaged and configured by Metal3. When the reverse proxy mode is enabled by the `IRONIC_REVERSE_PROXY_SETUP` variable set to `true`, 1) HTTP basic credentials are validated on the HTTPD side in a separate container, not in the Ironic service itself and 2) Ironic listens in host network on a private port 6388 on localhost by default. As a result, when the reverse proxy mode is used, any Pod or local Unix user on the control plane Node can access the Ironic API on the private port without authentication. A similar problem affects Ironic Inspector (`INSPECTOR_REVERSE_PROXY_SETUP` set to `true`), although the attack potential is smaller there. This issue affects operators deploying ironic-image in the reverse proxy mode, which is the recommended mode when TLS is used (also recommended), with the `IRONIC_PRIVATE_PORT` variable unset or set to a numeric value. In this case, an attacker with enough privileges to launch a pod on the control plane with host networking can access Ironic API and use it to modify bare-metal machine, e.g. provision them with a new image or change their BIOS settings. This vulnerability is fixed in 24.1.1.

https://github.com/metal3-io/ironic-image/commit/48e40bd30d49aefabac6fc80204a8650b13d10b4
https://github.com/metal3-io/ironic-image/pull/494
https://github.com/metal3-io/ironic-image/security/advisories/GHSA-g2cm-9v5f-qg7r
Comment 2 errata-xmlrpc 2024-05-02 14:23:24 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:2068 https://access.redhat.com/errata/RHSA-2024:2068
Comment 3 errata-xmlrpc 2024-05-09 16:50:12 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:2668 https://access.redhat.com/errata/RHSA-2024:2668
Comment 4 errata-xmlrpc 2024-05-16 18:09:39 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:2782 https://access.redhat.com/errata/RHSA-2024:2782
Comment 6 errata-xmlrpc 2024-05-23 18:11:25 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:2875 https://access.redhat.com/errata/RHSA-2024:2875
Note You need to log in before you can comment on or make changes to this bug.