Canonical LXD
cpe:2.3:a:canonical:lxd:*:*:*:*:*:*:*
- >= 4.0
A vulnerability allowing information spoofing has been identified in the devLXD server of Canonical LXD, affecting versions 4.0 and above. This vulnerability allows attackers with root privileges in any container to impersonate other containers and access their metadata, configuration, and device information by spoofing process names in the command line.
Exploitation of this vulnerability allows for unauthorized access to metadata, configuration, and device information of other containers on the same LXD host, potentially leading to inter-project information leakage in environments with multiple projects running containers.
To reproduce this vulnerability, access the devLXD server from a container with root privileges. Use the 'exec -a' command to spoof the process name as '[lxc monitor]' and send a request through the Unix socket to the LXD host's metadata endpoint, specifying the project and container to impersonate. This will retrieve the metadata of the impersonated container, demonstrating the successful exploitation of the vulnerability.
Users can upgrade to LXD versions 6.5 or 5.21.4, where this vulnerability has been fixed.
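A host-side detection check for the spoofing described above, as an added example that is not part of the original advisory or LXD's own code: it flags processes whose command line begins with `[lxc monitor]` but which are not in the host PID namespace. It assumes genuine monitor processes run in the host's PID namespace (so nested LXD inside a container will produce false positives); the function names and the sample process entries are constructed for illustration.

```python
import os

MONITOR_PREFIX = b"[lxc monitor]"  # process name the advisory says is spoofed

def pid_namespace(proc_root, pid):
    """Return the PID-namespace id of a process, e.g. 'pid:[4026531836]'."""
    return os.readlink(os.path.join(proc_root, str(pid), "ns", "pid"))

def find_spoofed_monitors(proc_root="/proc"):
    """List (pid, argv) for processes named like an LXC monitor that do not
    run in the host PID namespace (assumed: the namespace of PID 1)."""
    host_ns = pid_namespace(proc_root, 1)
    hits = []
    for entry in sorted(os.listdir(proc_root)):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "cmdline"), "rb") as fh:
                raw = fh.read()
            if not raw.startswith(MONITOR_PREFIX):
                continue
            if pid_namespace(proc_root, entry) != host_ns:
                argv = raw.rstrip(b"\0").replace(b"\0", b" ")
                hits.append((int(entry), argv.decode(errors="replace")))
        except OSError:
            continue  # process exited, or no permission to inspect it
    return hits

def build_sample_proc(root):
    """Constructed /proc-like tree: one host monitor, one monitor-named
    process inside a container's PID namespace, plus unrelated processes."""
    sample = {
        1: (b"/sbin/init\0", "pid:[4026531836]"),
        812: (b"[lxc monitor] constructed-host-entry\0", "pid:[4026531836]"),
        2307: (b"[lxc monitor] constructed-container-entry\0", "pid:[4026532501]"),
        2310: (b"sleep\0" b"60\0", "pid:[4026532501]"),
    }
    for pid, (cmdline, ns) in sample.items():
        os.makedirs(os.path.join(root, str(pid), "ns"))
        with open(os.path.join(root, str(pid), "cmdline"), "wb") as fh:
            fh.write(cmdline)
        os.symlink(ns, os.path.join(root, str(pid), "ns", "pid"))

if __name__ == "__main__":
    for pid, argv in find_spoofed_monitors():
        print(f"suspicious monitor-named process pid={pid}: {argv}")
```

Run it as root on the LXD host, since reading `/proc/<pid>/ns/pid` for other users' processes requires that privilege.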