Описание
Ironic-image is an OpenStack Ironic deployment packaged and configured by Metal3. When the reverse proxy mode is enabled by the IRONIC_REVERSE_PROXY_SETUP variable set to true, 1) HTTP basic credentials are validated on the HTTPD side in a separate container, not in the Ironic service itself and 2) Ironic listens in host network on a private port 6388 on localhost by default. As a result, when the reverse proxy mode is used, any Pod or local Unix user on the control plane Node can access the Ironic API on the private port without authentication. A similar problem affects Ironic Inspector (INSPECTOR_REVERSE_PROXY_SETUP set to true), although the attack potential is smaller there. This issue affects operators deploying ironic-image in the reverse proxy mode, which is the recommended mode when TLS is used (also recommended), with the IRONIC_PRIVATE_PORT variable unset or set to a numeric value. In this case, an attacker with enough privileges to launch a pod on the control plane with host networking can access Ironic API and use it to modify bare-metal machine, e.g. provision them with a new image or change their BIOS settings. This vulnerability is fixed in 24.1.1.
A vulnerability was found in Ironic-image. This issue occurs when setting IRONIC_REVERSE_PROXY_SETUP to 'true', which may allow unauthenticated local access to the Ironic API private port without authentication.
Отчет
Red Hat rates this as a low impact vulnerability as expected this should be high complexity and requirements for an attacker to obtain benefits and privileges in an environment.
Меры по смягчению последствий
Below are two mitigations for this vulnerability:
- Switch to using unix sockets for traffic between HTTPD and Ironic/Inspector (recommended). Set the variables IRONIC_PRIVATE_PORT and IRONIC_INSPECTOR_PRIVATE_PORT to the value unix. OR
- Temporarily stop using the reverse proxy mode (set IRONIC_REVERSE_PROXY_SETUP and INSPECTOR_REVERSE_PROXY_SETUP to false).
Дополнительная информация
Статус:
EPSS
4.7 Medium
CVSS3
Связанные уязвимости
Ironic-image is an OpenStack Ironic deployment packaged and configured by Metal3. When the reverse proxy mode is enabled by the `IRONIC_REVERSE_PROXY_SETUP` variable set to `true`, 1) HTTP basic credentials are validated on the HTTPD side in a separate container, not in the Ironic service itself and 2) Ironic listens in host network on a private port 6388 on localhost by default. As a result, when the reverse proxy mode is used, any Pod or local Unix user on the control plane Node can access the Ironic API on the private port without authentication. A similar problem affects Ironic Inspector (`INSPECTOR_REVERSE_PROXY_SETUP` set to `true`), although the attack potential is smaller there. This issue affects operators deploying ironic-image in the reverse proxy mode, which is the recommended mode when TLS is used (also recommended), with the `IRONIC_PRIVATE_PORT` variable unset or set to a numeric value. In this case, an attacker with enough privileges to launch a pod on the control plane
EPSS
4.7 Medium
CVSS3