THREATINT

We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Fathom (Privacy friendly web analytics)
Zendesk (Helpdesk and Chat)

Ok

Home | EN
Support
CVE
PUBLISHED

CVE-2024-31463

Ironic-image allows unauthenticated local access to Ironic API

AssignerGitHub_M
Reserved2024-04-03
Published2024-04-17
Updated2024-07-05

Description

Ironic-image is an OpenStack Ironic deployment packaged and configured by Metal3. When the reverse proxy mode is enabled by the `IRONIC_REVERSE_PROXY_SETUP` variable set to `true`, 1) HTTP basic credentials are validated on the HTTPD side in a separate container, not in the Ironic service itself and 2) Ironic listens in host network on a private port 6388 on localhost by default. As a result, when the reverse proxy mode is used, any Pod or local Unix user on the control plane Node can access the Ironic API on the private port without authentication. A similar problem affects Ironic Inspector (`INSPECTOR_REVERSE_PROXY_SETUP` set to `true`), although the attack potential is smaller there. This issue affects operators deploying ironic-image in the reverse proxy mode, which is the recommended mode when TLS is used (also recommended), with the `IRONIC_PRIVATE_PORT` variable unset or set to a numeric value. In this case, an attacker with enough privileges to launch a pod on the control plane with host networking can access Ironic API and use it to modify bare-metal machine, e.g. provision them with a new image or change their BIOS settings. This vulnerability is fixed in 24.1.1.



MEDIUM: 4.7CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N

Problem types

CWE-288: Authentication Bypass Using an Alternate Path or Channel

Product status

< 24.1.1
affected

References

https://github.com/metal3-io/ironic-image/security/advisories/GHSA-g2cm-9v5f-qg7r

https://github.com/metal3-io/ironic-image/pull/494

https://github.com/metal3-io/ironic-image/commit/48e40bd30d49aefabac6fc80204a8650b13d10b4

cve.org CVE-2024-31463

nvd.nist.gov CVE-2024-31463

Download JSON

Share this page
https://cve.threatint.com/CVE/CVE-2024-31463
© Copyright 2024 THREATINT. Made in Cyprus with +