Canonical LXD
cpe:2.3:a:canonical:lxd:*:*:*:*:*:*:*
- >= 5.0
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the LXD-UI component of Canonical LXD, affecting versions 5.0 and later. This vulnerability allows an attacker to create and start container instances without the user's consent by abusing the browser's client certificate authentication. The issue arises because the SameSite cookie attribute, which protects cookie-based sessions against CSRF, does not apply to client certificates. As a result, LXD's API can be driven through crafted HTML form submissions, bypassing the cross-origin protections that normally apply.
Exploitation of this vulnerability could lead to unauthorized creation and starting of container instances. Depending on the user's permissions, it may also allow execution of arbitrary commands within the newly created containers, using cloud-init.
To reproduce this vulnerability, first prepare a malicious website that the victim will visit. This site should host an HTML form that automatically submits a request to the LXD API to create and start a container instance. The form must be set to send data as 'text/plain', which LXD's API will incorrectly parse as JSON, due to a vulnerability in LXD's handling of request content types. After the form is submitted, the instance is created and started on the victim's LXD server, because the browser attaches the victim's client certificate to the cross-site request.
Users can update to LXD versions 6.5, 5.21.4, or 5.0.5, where this vulnerability has been fixed.
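As a defender-side illustration of the two checks this advisory implies (strict Content-Type handling and an Origin check that does not rely on cookies), here is an added Go example of a request guard for a client-certificate-authenticated JSON API; it is not LXD's own code, and the `allowedOrigins` value and the `/instances` stand-in endpoint are assumptions.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
)

// allowedOrigins is an assumption: the origin(s) the web UI is served from.
var allowedOrigins = map[string]bool{"https://lxd.example.internal:8443": true} // constructed

// csrfCheck returns 0 when the request may proceed, otherwise the HTTP
// status to answer with and a short reason.
func csrfCheck(method, contentType, origin string, allowed map[string]bool) (int, string) {
	switch method { // safe methods change no state; leave them to the handler
	case http.MethodGet, http.MethodHead, http.MethodOptions:
		return 0, ""
	}
	// An HTML form can only declare text/plain, urlencoded or multipart bodies,
	// so requiring application/json keeps a form-driven body away from the JSON parser.
	mt, _, err := mime.ParseMediaType(contentType)
	if err != nil || mt != "application/json" {
		return http.StatusUnsupportedMediaType, "body must be application/json"
	}
	// Browsers attach Origin to POSTs (non-browser clients send none); when present it
	// must be the UI's own origin, since a client certificate cannot tell cross-site apart.
	if origin != "" && !allowed[origin] {
		return http.StatusForbidden, "cross-site request rejected"
	}
	return 0, ""
}

// csrfGuard applies csrfCheck in front of any handler.
func csrfGuard(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		code, reason := csrfCheck(r.Method, r.Header.Get("Content-Type"),
			r.Header.Get("Origin"), allowedOrigins)
		if code != 0 {
			http.Error(w, reason, code)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() { // demonstration: the guard in front of a stand-in instances endpoint
	mux := http.NewServeMux()
	mux.HandleFunc("/instances", func(w http.ResponseWriter, r *http.Request) { fmt.Fprintln(w, "accepted") })
	fmt.Println(http.ListenAndServe("127.0.0.1:8444", csrfGuard(mux)))
}
```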