Ironic-image Reverse Proxy Vulnerability Affects Operators Using TLS
CVE-2024-31463

4.7MEDIUM

Key Information:

Vendor

Metal3-io

Status
Ironic-image
Vendor
CVE Published:
17 April 2024

What is CVE-2024-31463?

Ironic-image is an OpenStack Ironic deployment packaged and configured by Metal3. When the reverse proxy mode is enabled by the IRONIC_REVERSE_PROXY_SETUP variable set to true, 1) HTTP basic credentials are validated on the HTTPD side in a separate container, not in the Ironic service itself and 2) Ironic listens in host network on a private port 6388 on localhost by default. As a result, when the reverse proxy mode is used, any Pod or local Unix user on the control plane Node can access the Ironic API on the private port without authentication. A similar problem affects Ironic Inspector (INSPECTOR_REVERSE_PROXY_SETUP set to true), although the attack potential is smaller there. This issue affects operators deploying ironic-image in the reverse proxy mode, which is the recommended mode when TLS is used (also recommended), with the IRONIC_PRIVATE_PORT variable unset or set to a numeric value. In this case, an attacker with enough privileges to launch a pod on the control plane with host networking can access Ironic API and use it to modify bare-metal machine, e.g. provision them with a new image or change their BIOS settings. This vulnerability is fixed in 24.1.1.

Affected Version(s)

ironic-image < 24.1.1

References

https://github.com/metal3-io/ironic-image/security/adviso...
x_refsource_CONFIRM
https://github.com/metal3-io/ironic-image/pull/494
x_refsource_MISC
https://github.com/metal3-io/ironic-image/commit/48e40bd3...
x_refsource_MISC

CVSS V3.1

Score:
4.7
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Local
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.