Canonical LXD
cpe:2.3:a:canonical:lxd:*:*:*:*:*:*:*
- >= 4.0
A privilege escalation vulnerability has been identified in Canonical LXD version 6.5 and in all versions starting from 4.0, excluding 5.21.4. This vulnerability allows an attacker with read permissions to hijack terminal or console sessions by exploiting WebSocket connection secrets obtained from the operations API. Once hijacked, the attacker can execute arbitrary commands within the victim's privileges on the affected instances.
Exploitation of this vulnerability gives an attacker unauthorized access to terminal or console sessions, in which the attacker can execute commands with the privileges of the user whose session was taken over.
To reproduce this vulnerability, log into LXD-UI with an account that has read-only permissions. Open the browser's DevTools and run a JavaScript snippet that captures WebSocket connection secrets from the operations API. This snippet establishes a WebSocket connection to the events API, listens for terminal startup events, and uses the captured secrets to hijack a WebSocket connection for an active terminal session. After hijacking the session, commands can be sent through the WebSocket connection, executing them on the instance with the victim's privileges.
WebSocket connection secrets should be excluded from the operations API responses for read-only users. This can be implemented by checking user permissions and omitting the WebSocket-related secrets from the operation metadata for users with limited access.
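The mitigation described above, redacting WebSocket secrets from operation metadata unless the requester is entitled to exec/console on the instance, as an added Go example. This is not LXD's own code or its actual fix; the `Operation` and `Requester` types, the `ExecAllowed` entitlement model, and the assumption that secrets live under a metadata key named `fds` are all simplifications chosen for illustration, and the secret values are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Operation is a simplified stand-in for an exec/console operation as an
// operations API would return it (assumed shape, not LXD's own type).
type Operation struct {
	ID        string              `json:"id"`
	Class     string              `json:"class"`
	Resources map[string][]string `json:"resources"`
	Metadata  map[string]any      `json:"metadata"`
}

// Requester models the caller's entitlements (assumed, simplified model):
// ExecAllowed maps an instance URL to whether the caller may exec/console on it.
type Requester struct {
	Name        string
	ExecAllowed map[string]bool
}

// secretMetadataKeys lists the metadata keys assumed to carry WebSocket
// connection secrets for exec/console operations.
var secretMetadataKeys = map[string]bool{"fds": true}

// canExec reports whether the requester may attach to every instance the
// operation touches. An operation listing no instances is treated as
// not attachable, so the check fails closed.
func (r Requester) canExec(op Operation) bool {
	instances := op.Resources["instances"]
	if len(instances) == 0 {
		return false
	}
	for _, inst := range instances {
		if !r.ExecAllowed[inst] {
			return false
		}
	}
	return true
}

// RedactOperation returns a copy of op with WebSocket secrets removed unless
// the requester is entitled to exec/console on the operation's instances.
// The input operation is never modified.
func RedactOperation(op Operation, r Requester) Operation {
	out := Operation{
		ID:        op.ID,
		Class:     op.Class,
		Resources: op.Resources,
		Metadata:  make(map[string]any, len(op.Metadata)),
	}
	keep := r.canExec(op)
	for k, v := range op.Metadata {
		if secretMetadataKeys[k] && !keep {
			continue // drop the secrets, keep everything else
		}
		out.Metadata[k] = v
	}
	return out
}

// RedactOperations applies RedactOperation to a listing, as a list endpoint
// would before serialising its response.
func RedactOperations(ops []Operation, r Requester) []Operation {
	out := make([]Operation, 0, len(ops))
	for _, op := range ops {
		out = append(out, RedactOperation(op, r))
	}
	return out
}

// HasSecrets reports whether any secret-bearing metadata key is still present.
func HasSecrets(op Operation) bool {
	for k := range op.Metadata {
		if secretMetadataKeys[k] {
			return true
		}
	}
	return false
}

// SampleExecOperation builds a constructed exec operation carrying
// placeholder WebSocket secrets (not real values).
func SampleExecOperation() Operation {
	return Operation{
		ID:        "00000000-0000-0000-0000-000000000001",
		Class:     "websocket",
		Resources: map[string][]string{"instances": {"/1.0/instances/c1"}},
		Metadata: map[string]any{
			"command":     []string{"bash"},
			"interactive": true,
			"fds": map[string]string{
				"0":       "PLACEHOLDER-SECRET-0",
				"control": "PLACEHOLDER-SECRET-CONTROL",
			},
		},
	}
}

func main() {
	op := SampleExecOperation()
	owner := Requester{Name: "alice", ExecAllowed: map[string]bool{"/1.0/instances/c1": true}}
	viewer := Requester{Name: "bob", ExecAllowed: map[string]bool{}}
	for _, r := range []Requester{owner, viewer} {
		b, _ := json.MarshalIndent(RedactOperation(op, r), "", "  ")
		fmt.Printf("response for %s:\n%s\n", r.Name, b)
	}
}
```

The entitlement check is evaluated per instance named in the operation's resources rather than per project, so a user who can view a project but may only attach to some of its instances still sees no secrets for the others; the same redaction must be applied on every path that serialises an operation (single GET, listing, and the events stream), since the page notes the secrets were also observable through events.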