Message-ID: <69961bd7-bd21-4ede-b000-cdba3333515f@jvf.cc>
Date: Tue, 16 Jun 2026 13:49:14 -0700
From: Jay Faulkner <jay@....cc>
To: oss-security@...ts.openwall.com
Subject: [OSSN-0100] Ironic: Command Injection in IPA (CVE-2026-43003)

Command Injection in IPA via chroot Execution of Tenant-Controlled binaries
---

### Summary ###
Tuomo Tanskanen (Ericsson Software Technology) and Dmitry Tantsur (Red Hat)
from the Metal3.io Security Team reported a vulnerability in Ironic Python
Agent (IPA) when deploying a partition image that lacks boot artifacts.
A malicious partition image can include a crafted grub-install binary, or
other arbitrary binaries, in the chroot path that IPA executes on the
provisioning network host. This affects all partition images that require
Ironic to manage the bootloader installation (BIOS-booted nodes without boot
artifacts).

The practical impact is limited: the attacker needs the ability to supply a
partition image for bare-metal deployment, and at the point of exploitation
IPA holds only an outdated agent_token and a heavily redacted node object.

Whole disk images are not affected and partition images that include their
own EFI boot artifacts at /boot and /efi are also not affected as Ironic
copies them without executing grub-install.

### Affected Services / Software ###
- ironic: <29.0.6, >=30.0.0 <32.0.2, >=33.0.0 <35.0.2, >=36.0.0 <37.0.0
- ironic-python-agent: <10.2.3, >=11.0.0 <11.2.1, >=11.3.0 <11.5.1

### Discussion ###
As it is not feasible to secure execution of a bootloader install binary
due to technical limitations, the Ironic team has chosen to make this feature
optional and disabled by default in the current development version.

Backported versions of this change do not enable this restriction by default
to avoid breaking existing installations.

The vulnerable code path has existed for the entire history of Ironic Python
Agent; however, there are safeguards in place to prevent escalation of
privileges from the provisioning network. Additionally, prior to Ironic
17.0.0, only cloud administrators could supply images for deployment, which
limits the impact of this issue.

### Recommended Actions ###
Apply the provided Ironic and Ironic-Python-Agent patches.

Evaluate your use cases; flip ``CONF.agent.enable_bios_bootloader_install``
to ``False`` on Ironic conductors once you have confirmed that you are not
using any partition images that rely on a bootloader installation.
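The two checks a conductor operator would want after reading the affected
version list above and this recommendation are (a) whether an installed
ironic or ironic-python-agent release falls inside the affected ranges, and
(b) whether ``enable_bios_bootloader_install`` has actually been turned off
in ironic.conf. The following script is an added example, not code from
OSSN-0100 or from the Ironic project. It assumes, following oslo.config
conventions, that ``CONF.agent.enable_bios_bootloader_install`` corresponds
to the ``[agent]`` section and the ``enable_bios_bootloader_install`` option
of ironic.conf; the version ranges are copied from the advisory, and the
sample configuration files are constructed for the example.

```python
"""Added example (not part of OSSN-0100 or the Ironic project).

Two defender-side checks derived from the advisory text:

1. is_affected(): compare an installed ironic / ironic-python-agent version
   against the affected ranges the advisory lists.
2. bootloader_install_status(): read an ironic.conf and report whether
   ``[agent] enable_bios_bootloader_install`` is explicitly set to False.

Assumption: ``CONF.agent.enable_bios_bootloader_install`` maps to the
``[agent]`` group / ``enable_bios_bootloader_install`` option in ironic.conf
(oslo.config naming convention).
"""
import configparser

# Affected ranges copied from the advisory. Each tuple is
# (inclusive lower bound or None, exclusive upper bound).
AFFECTED = {
    "ironic": [
        (None, "29.0.6"),
        ("30.0.0", "32.0.2"),
        ("33.0.0", "35.0.2"),
        ("36.0.0", "37.0.0"),
    ],
    "ironic-python-agent": [
        (None, "10.2.3"),
        ("11.0.0", "11.2.1"),
        ("11.3.0", "11.5.1"),
    ],
}


def parse_version(text):
    """Turn '11.2.1' into (11, 2, 1).

    Only the leading digits of each dotted component are used, so a local
    suffix such as '11.2.1.dev3' still compares as 11.2.1. Missing
    components are treated as zero.
    """
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(package, version):
    """Return True if this package version lies in an affected range."""
    v = parse_version(version)
    for low, high in AFFECTED[package]:
        if low is not None and v < parse_version(low):
            continue
        if v < parse_version(high):
            return True
    return False


def bootloader_install_status(conf_text):
    """Classify a conductor's ironic.conf with respect to the mitigation.

    Returns 'disabled' (option explicitly False, the hardened state),
    'enabled' (option explicitly True), or 'default' (option absent; the
    effective value then depends on the release: disabled in the development
    branch, unchanged on backported fixes, per the advisory).
    """
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, inline_comment_prefixes=("#",)
    )
    parser.read_string(conf_text)
    if not parser.has_option("agent", "enable_bios_bootloader_install"):
        return "default"
    enabled = parser.getboolean("agent", "enable_bios_bootloader_install")
    return "enabled" if enabled else "disabled"


# Constructed sample configurations for the example; not from any real host.
HARDENED_CONF = """\
[DEFAULT]
debug = False

[agent]
enable_bios_bootloader_install = False  # OSSN-0100 mitigation
"""

UNCHANGED_CONF = """\
[DEFAULT]
debug = False

[agent]
# option not set: backported releases keep the previous default
"""


if __name__ == "__main__":
    for pkg, ver in [("ironic", "32.0.1"), ("ironic", "37.0.0"),
                     ("ironic-python-agent", "11.4.0")]:
        print(f"{pkg} {ver}: {'AFFECTED' if is_affected(pkg, ver) else 'ok'}")
    print("hardened conf:", bootloader_install_status(HARDENED_CONF))
    print("unchanged conf:", bootloader_install_status(UNCHANGED_CONF))
```

Run it against the output of ``pip show ironic`` and the conductor's
ironic.conf; a ``'default'`` result on a backported release means the
feature is still enabled and the option should be set explicitly.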

#### Patches ####
The following reviews contain the fix for this issue:

##### Ironic #####
2026.2/hibiscus (development): https://review.opendev.org/c/openstack/ironic/+/990724
2026.1/gazpacho: https://review.opendev.org/c/openstack/ironic/+/991179
2025.2/flamingo: https://review.opendev.org/c/openstack/ironic/+/993685
2025.1/epoxy: https://review.opendev.org/c/openstack/ironic/+/993684
2024.1/caracal (unmaintained): https://review.opendev.org/c/openstack/ironic/+/993686
2023.1/antelope (unmaintained): https://review.opendev.org/c/openstack/ironic/+/993687
bugfix/33.0: https://review.opendev.org/c/openstack/ironic/+/993682
bugfix/34.0: https://review.opendev.org/c/openstack/ironic/+/993683
bugfix/37.0: Ironic 37.0.0 is not vulnerable.

##### Ironic Python Agent #####
2026.2/hibiscus (development): https://review.opendev.org/c/openstack/ironic-python-agent/+/987391
2026.1/gazpacho: https://review.opendev.org/c/openstack/ironic-python-agent/+/993016
2025.2/flamingo: https://review.opendev.org/c/openstack/ironic-python-agent/+/993020
2025.1/epoxy: https://review.opendev.org/c/openstack/ironic-python-agent/+/993024
2024.1/caracal (unmaintained): https://review.opendev.org/c/openstack/ironic-python-agent/+/993025
2023.1/antelope (unmaintained): https://review.opendev.org/c/openstack/ironic-python-agent/+/993026
bugfix/11.3: https://review.opendev.org/c/openstack/ironic-python-agent/+/993464
bugfix/11.4: https://review.opendev.org/c/openstack/ironic-python-agent/+/993463
bugfix/11.6: IPA 11.6.0 is not vulnerable.

### Credits ###
Dmitry Tantsur, Red Hat
Tuomo Tanskanen, Ericsson Software Technology
Metal3.io Security Team

### Contacts / References ###
Authors:
- Jay Faulkner, G-Research Open Source Software (GR-OSS)

This OSSN: https://wiki.openstack.org/wiki/OSSN/OSSN-0100
Original Launchpad bug: https://bugs.launchpad.net/ironic-python-agent/+bug/2148310
Mailing List: [security-sig] tag on openstack-discuss@...ts.openstack.org
OpenStack Security: https://security.openstack.org/
CVE: CVE-2026-43003
