[OSSA-2026-025] RBAC Bypass in IPMI Raw Command Execution (CVE-2026-54423) 漏洞概述 漏洞编号: CVE-2026-54423 影响版本: OpenStack Ironic 严重程度: Critical 状态: In Progress 描述: 在 Ironic 中, 步骤被有意暴露给操作员使用。然而,在“为节点提供配置”和“可以发送任意 IPMI 命令”之间没有权限区分。 影响范围 受影响组件: OpenStack Ironic 影响用户: 任何能够调用配置步骤的用户都可以发送任意 IPMI raw 字节。 攻击向量: 验证:项目成员具有 权限。在手动/清洁步骤中,权限包括 。 影响: 验证:任意 IPMI 命令可以修改 BMC 用户、网络设置,并实现持久访问。 修复方案 可行性: 可行。添加单独的 策略或将其限制为仅管理员步骤。 副作用: 依赖项目级命令命令访问的用户需要更新策略。 建议: 研究人员建议是合理的。 具体修复: - 在 中添加逻辑,以在任务执行异步时验证用户请求上下文。 - 为清洁/服务步骤添加额外逻辑,在调度程序 worker 中验证步骤。 - 添加默认策略规则以阻止 。 相关补丁 补丁链接: - 0001-WIP-Extend-the-RBAC-policy-matrix-to-steps.patch - 0001-security-block-vendor-send_raw.patch - 0001-security-block-vendor-send_raw.patch 相关 CVE CVE-2026-54423: RBAC Bypass in IPMI Raw Command Execution CVE-2026-54423: RBAC Bypass in IPMI Raw Command Execution 相关讨论 讨论链接: - 讨论链接 - 讨论链接 相关补丁 补丁链接: - 0001-WIP-Extend-the-RBAC-policy-matrix-to-steps.patch - 0001-security-block-vendor-send_raw.patch - 0001-security-block-vendor-send_raw.patch 相关 CVE CVE-2026-54423: RBAC Bypass in IPMI Raw Command Execution CVE-2026-54423: RBAC Bypass in IPMI Raw Command Execution 相关讨论 讨论链接: - 讨论链接 - 讨论链接 相关补丁 补丁链接: - 0001-WIP-Extend-the-RBAC-policy-matrix-to-steps.patch - 0001-security-block-vendor-send_raw.patch - 0001-security-block-vendor-send_raw.patch 相关 CVE CVE-2026-54423: RBAC Bypass in IPMI Raw Command Execution CVE-2026-54423: RBAC Bypass in IPMI Raw Command Execution 相关讨论 讨论链接: - 讨论链接 - 讨论链接 相关补丁 补丁链接: - 0001-WIP-Extend-the-RBAC-policy-matrix-to-steps.patch - 0001-security-block-vendor-send_raw.patch - 0001-security-block-vendor-send_raw.patch 相关 CVE CVE-2026-54423: RBAC Bypass in IPMI Raw Command Execution CVE-2026-54423: RBAC Bypass in IPMI Raw Command Execution 相关讨论 讨论链接: - 讨论链接 - 讨论链接 相关补丁 补丁链接: - 0001-WIP-Extend-the-RBAC-policy-matrix-to-steps.patch - 0001-security-block-vendor-send_raw.patch - 0001-security-block-vendor-send_raw.patch 相关 CVE CVE-2026-54423: RBAC Bypass in IPMI Raw Command Execution CVE-2026-54423: RBAC Bypass in IPMI Raw Command Execution 相关讨论 讨论链接: - 讨论链接 - 讨论链接 相关补丁 补丁链接: - 0001-WIP-Extend-the-RBAC-policy-matrix-to-steps.patch - 0001-security-block-vendor-send_raw.patch - 0001-security-block-vendor-send_raw.patch 相关 CVE CVE-2026-54423: RBAC Bypass in IPMI Raw Command Execution CVE-2026-54423: RBAC Bypass in IPMI Raw Command Execution 相关讨论 讨论链接: - 讨论链接 - 讨论链接 相关补丁 补丁链接: - 0001-WIP-Extend-the-RBAC-policy-matrix-to-steps.patch - 0001-security-block-vendor-send_raw.patch - 0001-security-block-vendor-send_raw.patch 相关 CVE CVE-2026-54423: RBAC Bypass in IPMI Raw Command Execution CVE-2026-54423: RBAC Bypass in IPMI Raw Command Execution 相关讨论 讨论链接: - 讨论链接 - 讨论链接 相关补丁 补丁链接: - 0001-WIP-Extend-the-RBAC-policy-matrix-to-steps.patch - 0001-security-block-vendor-send_raw.patch - 0001-security-block-vendor-send_raw.patch 相关 CVE CVE-2026-54423: RBAC Bypass in IPMI Raw Command Execution CVE-2026-54423: RBAC Bypass in IPMI Raw Command Execution 相关讨论 讨论链接: - 讨论链接 - 讨论链接 相关补丁 补丁链接: - 0001-WIP-Extend-the-RBAC-policy-matrix-to-steps.patch - 0001-security-block-vendor-send_raw.patch - 0001-security-block-vendor-send_raw.patch 相关 CVE CVE-2026-54423: RBAC Bypass in IPMI Raw Command Execution CVE-2026-54423: RBAC Bypass in IPMI Raw Command Execution 相关讨论 讨论链接: - 讨论链接 - 讨论链接 相关补丁 补丁链接: - 0001-WIP-Extend-the-RBAC-policy-matrix-to-steps.patch - 0001-security-block-vendor-send_raw.patch - 0001-security-block-vendor-send_raw.patch 相关 CVE CVE-2026-54423: RBAC Bypass in IPMI Raw Command Execution CVE-2026-54423: RBAC Bypass in IPMI Raw Command Execution 相关讨论 讨论链接: - 讨论链接 - 讨论链接 相关补丁 补丁链接: - 0001-WIP-Extend-the-RBAC-policy-matrix-to-steps.patch - 0001-security-block-vendor-send_raw.patch - 0001-security-block-vendor-send_raw.patch 相关 CVE CVE-2026-54423: RBAC Bypass in IPMI Raw Command Execution CVE-2026-54423: RBAC Bypass in IPMI Raw Command Execution 相关讨论 讨论链接: - 讨论链接 - 讨论链接 相关补丁 补丁链接: - 0001-WIP-Extend-the-RBAC-policy-matrix-to-steps.patch - 0001-security-block-vendor-send_raw.patch - 0001-security-block-vendor-send_raw.patch 相关 CVE CVE-2026-54423: RBAC Bypass in IPMI Raw Command Execution CVE-2026-54423: RBAC Bypass in IPMI Raw Command Execution 相关讨论 讨论链接: - 讨论链接 - 讨论链接 相关补丁 补丁链接: - 0001-WIP-Extend-the-RBAC-policy-matrix-to-steps.patch - 0001-security-block-vendor-send_raw.patch - 0001-security-block-vendor-send_raw.patch 相关 CVE CVE-2026-54423: RBAC Bypass in IPMI Raw Command Execution CVE-2026-54423: RBAC Bypass in IPMI Raw Command Execution 相关讨论 讨论链接: - 讨论链接 - 讨论链接 相关补丁 补丁链接: - 0001-WIP-Extend-the-RBAC-policy-matrix-to-steps.patch - 0001-security-block-vendor-send_raw.patch - 0001-security-block-vendor-send_raw.patch 相关 CVE CVE-2026-54423: RBAC Bypass in IPMI Raw Command Execution CVE-2026-54423: RBAC Bypass in IPMI Raw Command Execution 相关讨论 讨论链接: - 讨论链接 - 讨论链接 相关补丁 补丁链接: - 0001-WIP-Extend-the-RBAC-policy-matrix-to-steps.patch - 0001-security-block-vendor-send_raw.patch - 0001-security-block-vendor-send_raw.patch 相关 CVE CVE-2026-54423: RBAC Bypass in IPMI Raw Command Executio