{"body":"❯ cat OSSN-0100 \nCommand Injection in IPA via chroot Execution of Tenant-Controlled binaries\n---\n\n### Summary ###\nTuomo Tanskanen (Ericsson Software Technology) and Dmitry Tantsur (Red Hat)\nfrom the Metal3.io Security Team reported a vulnerability in Ironic Python\nAgent (IPA) when deploying a partition image that lacks boot artifacts.\nA malicious partition image can include a crafted grub-install\nbinary or other arbitrary binaries in the chroot path which IPA executes on\nthe provisioning network host. This affects all partition images that\nrequire Ironic to manage the bootloader installation (BIOS-booted nodes\nwithout boot artifacts).\n\nThe practical impact is limited; the attacker needs the ability to supply a\npartition image for bare-metal deployment and at the point of exploitation,\nIPA holds only an outdated agent_token and a heavily redacted node object.\n\nWhole disk images are not affected, and partition images that include their\nown EFI boot artifacts at /boot and /efi are also not affected as Ironic\ncopies them without executing grub-install.\n\n### Affected Services / Software ###\n- ironic: >=4.0.0 <29.0.6, >=30.0.0 <32.0.2, >=33.0.0 <35.0.2, >=36.0.0 <37.0.1\n- ironic-python-agent: >=1.0.0 <10.2.3, >=11.0.0 <11.2.1, >=11.3.0 <11.5.1\n\n### Discussion ###\nAs it is not feasible to secure execution of a bootloader install binary\ndue to technical limitations, the Ironic team has chosen to make this feature\noptional and disabled by default in the current development version.\n\nBackported versions of this change do not enable this restriction by default\nto avoid breaking existing installations.\n\nThe vulnerable code path has existed for the entirety of the history of Ironic\nPython Agent; however, there are safeguards in place to prevent escalation of\nprivileges from the provisioning network. 
Additionally, prior to Ironic\n17.0.0, only cloud administrators could supply images for deployment, limiting\nthe impact of this issue.\n\n### Recommended Actions ###\nApply the provided Ironic and Ironic-Python-Agent patches.\n\nEvaluate your use cases; flip ``CONF.agent.enable_bios_bootloader_install``\nto ``False`` once confirming you are not using any partition images relying on\na bootloader installation.\n\n#### Patches ####\nThe following reviews contain the fix for this issue:\n\n##### Ironic #####\n2026.2/hibiscus (development): https://review.opendev.org/c/openstack/ironic/+/990724\n2026.1/gazpacho: https://review.opendev.org/c/openstack/ironic/+/991179\n2025.2/flamingo:\n2025.1/epoxy:\n2024.1/caracal (unmaintained):\n2023.1/antelope (unmaintained):\nbugfix/34.0: \nbugfix/33.0:\n\n##### Ironic Python Agent #####\n2026.2/hibiscus (development): https://review.opendev.org/c/openstack/ironic-python-agent/+/987391\n2026.1/gazpacho: https://review.opendev.org/c/openstack/ironic-python-agent/+/993016\n2025.2/flamingo: https://review.opendev.org/c/openstack/ironic-python-agent/+/993020\n2025.1/epoxy: https://review.opendev.org/c/openstack/ironic-python-agent/+/993024\n2024.1/caracal (unmaintained): https://review.opendev.org/c/openstack/ironic-python-agent/+/993025\n2023.1/antelope (unmaintained): https://review.opendev.org/c/openstack/ironic-python-agent/+/993025\nbugfix/11.3: https://review.opendev.org/c/openstack/ironic-python-agent/+/993464\nbugfix/11.4: https://review.opendev.org/c/openstack/ironic-python-agent/+/993463 \nbugfix/11.6: The change for the development branch merged before this release was made. 
IPA 11.6.0 is not vulnerable.\n\n### Credits ###\nDmitry Tantsur, Red Hat\nTuomo Tanskanen, Ericsson Software Technology\nMetal3.io Security Team\n\n### Contacts / References ###\nAuthors:\n- Jay Faulkner, G-Research Open Source Software (GR-OSS)\n\nThis OSSN: https://wiki.openstack.org/wiki/OSSN/OSSN-0099\nOriginal Launchpad bug: https://bugs.launchpad.net/ironic-python-agent/+bug/2148310\nMailing List : [security-sig] tag on openstack-discuss@lists.openstack.org\nOpenStack Security : https://security.openstack.org/\nCVE: CVE-2026-43003\n","name":"OSSN-0100.txt","extension":"txt","url":"https://www.irccloud.com/pastebin/80RN0zcx/OSSN-0100.txt","modified":1781638184,"id":"80RN0zcx","size":3957,"lines":85,"own_paste":false,"theme":"","date":1781638184}