Canonical LXD Wildcard Fingerprint Error Handling Vulnerability Allowing Project Existence Enumeration

Vulnerability

A vulnerability in Canonical LXD's image export API prior to versions 6.5 and 5.21.4 on Linux allows network attackers to determine the existence of projects without authentication. This is achieved by sending crafted requests that exploit wildcard fingerprint matching, leading to inconsistent error responses that reveal project status. When multiple images match a wildcard fingerprint in an existing project, the API returns a 500 error, while a non-existent project results in a 404 error. This discrepancy can be used to enumerate projects by brute-forcing project names.

Impact

Exploitation of this vulnerability allows for unauthorized confirmation of project existence within the LXD system, which could facilitate the exploitation of other vulnerabilities. Additionally, the leakage of project names could expose unpublished product information.

Reproduction

To reproduce this vulnerability, send a request to the LXD image export API endpoint with a wildcard pattern that matches multiple images in an existing project. The response will indicate a 500 error, confirming the project's existence. In contrast, sending a similar request to a non-existent project will result in a 404 error, demonstrating the vulnerability's potential for project enumeration.
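Because the probing traffic described above is unauthenticated and looks like ordinary image export calls, the practical defender-side control is to spot it in access logs. The following detection script is an added example, not part of the original advisory or of LXD itself. It assumes a reverse proxy (or similar) in front of LXD writes one line per request in a simple constructed format (client, request line, status), that the image export endpoint is `GET /1.0/images/{fingerprint}/export?project=<name>`, and that a full LXD image fingerprint is a 64-character SHA-256 hex digest, so anything shorter is a wildcard (partial) fingerprint. The heuristic flags a single client that probes many distinct project names with a partial fingerprint and only ever receives 404 or 500, and reports which project names the 500 responses would have confirmed, so the defender knows what leaked.

```python
"""Detect project-existence probing against the LXD image export endpoint.

Added example (not LXD code). Heuristic: one client sends image export
requests with a short (wildcard) fingerprint across many distinct
?project= values and receives only 404/500 answers.  Legitimate exports
use a full fingerprint and succeed, so that traffic is ignored.
"""
import re
from collections import defaultdict
from typing import Dict, Optional
from urllib.parse import parse_qs, urlparse

# Constructed sample log lines; the line format is an assumption of this
# example (a reverse proxy in front of LXD), not LXD's own log format.
SAMPLE_LOG = """\
10.0.0.5 "GET /1.0/images/ab/export?project=default HTTP/1.1" 500
10.0.0.5 "GET /1.0/images/ab/export?project=staging HTTP/1.1" 404
10.0.0.5 "GET /1.0/images/ab/export?project=prod HTTP/1.1" 500
10.0.0.5 "GET /1.0/images/ab/export?project=finance HTTP/1.1" 404
10.0.0.5 "GET /1.0/images/ab/export?project=research HTTP/1.1" 404
10.0.0.5 "GET /1.0/images/ab/export?project=ci HTTP/1.1" 500
10.0.0.5 "GET /1.0/images/ab/export HTTP/1.1" 500
10.0.0.9 "GET /1.0/images/3f1c9a7e2b4d6c8a0e5f7b9d1c3a5e7f9b1d3f5a7c9e1b3d5f7a9c1e3b5d7f9a/export?project=default HTTP/1.1" 200
10.0.0.9 "GET /1.0/images/ab/export?project=default HTTP/1.1" 500
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})$'
)
EXPORT_RE = re.compile(r"^/1\.0/images/(?P<fp>[0-9a-f]+)/export$")
FULL_FINGERPRINT_LEN = 64  # SHA-256 hex digest; shorter means wildcard matching


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Return client/fingerprint/project/status for an export request, else None."""
    m = LINE_RE.match(line.strip())
    if not m or m["method"] != "GET":
        return None
    target = urlparse(m["target"])
    e = EXPORT_RE.match(target.path)
    if not e:
        return None
    # LXD falls back to the "default" project when ?project= is absent.
    project = parse_qs(target.query).get("project", ["default"])[0]
    return {
        "client": m["client"],
        "fingerprint": e["fp"],
        "project": project,
        "status": int(m["status"]),
    }


def find_enumerators(log_text: str, min_projects: int = 3) -> Dict[str, Dict[str, list]]:
    """Map client -> {probed: [...], confirmed_existing: [...]} for suspicious clients."""
    by_client = defaultdict(lambda: {"projects": set(), "statuses": set(), "existing": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if len(rec["fingerprint"]) >= FULL_FINGERPRINT_LEN:
            continue  # full fingerprint: an ordinary export, not a probe
        c = by_client[rec["client"]]
        c["projects"].add(rec["project"])
        c["statuses"].add(rec["status"])
        if rec["status"] == 500:
            c["existing"].add(rec["project"])  # the 500 leaks "project exists"

    alerts = {}
    for client, c in by_client.items():
        # Many distinct project names and nothing but 404/500 answers is the
        # signature the advisory describes; successful exports exclude a client.
        if len(c["projects"]) >= min_projects and c["statuses"] <= {404, 500}:
            alerts[client] = {
                "probed": sorted(c["projects"]),
                "confirmed_existing": sorted(c["existing"]),
            }
    return alerts


if __name__ == "__main__":
    for client, info in find_enumerators(SAMPLE_LOG).items():
        print(f"{client}: probed {info['probed']}, leaked {info['confirmed_existing']}")
```

The threshold `min_projects` trades false positives for sensitivity: a single short-fingerprint export that happens to hit an ambiguous prefix produces one 500, not a fan-out across project names, so the example only alerts once a client has touched several distinct projects. On a patched server the same query no longer distinguishes the two cases, but the traffic pattern remains a useful indicator that someone is looking.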

Remediation

Users are advised to update to LXD 6.5 or 5.21.4 (the first fixed release in the 6.x and 5.21 series respectively). Installations still on the LXD 5.0 or 4.0 series require no action, as the advisory rates the vulnerability as not critical there.
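Applying the remediation across a fleet means comparing each server's version against the right fix threshold for its series, which a plain string comparison gets wrong (5.21.3 is vulnerable while 5.0.4 is not). The helper below is an added example, not code from the advisory or from LXD. It encodes only the advisory's guidance above (fixed in 6.5 and 5.21.4, no action for the 5.0 and 4.0 series, anything else below those thresholds needs an update) and takes a constructed hostname-to-version inventory as input; the version strings are assumed to be in `major.minor[.patch]` form, as reported by `lxd version` or the `GET /1.0` API.

```python
"""Classify LXD server versions against this advisory's remediation guidance.

Added example, not LXD code.  Thresholds come from the advisory:
  6.x feature series  -> fixed in 6.5
  5.21 LTS series     -> fixed in 5.21.4
  5.0 / 4.0 LTS series -> no action required
Any other release below those thresholds is told to update.
"""
from typing import Dict, Tuple

FIXED_FEATURE = (6, 5, 0)      # first fixed 6.x release
FIXED_LTS_521 = (5, 21, 4)     # first fixed 5.21 release
NO_ACTION_SERIES = {(5, 0), (4, 0)}  # advisory: not critical on these series


def parse_version(version: str) -> Tuple[int, int, int]:
    """'5.21.3' -> (5, 21, 3); a missing patch level counts as 0."""
    parts = [int(p) for p in version.strip().lstrip("v").split(".")]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def remediation_for(version: str) -> str:
    """Return 'fixed', 'no action required', or an 'update to ...' instruction."""
    v = parse_version(version)
    major, minor = v[0], v[1]
    if (major, minor) in NO_ACTION_SERIES:
        return "no action required"
    if major > 6 or (major == 6 and v >= FIXED_FEATURE):
        return "fixed"
    if major == 6:
        return "update to 6.5"
    if major == 5 and v >= FIXED_LTS_521:
        return "fixed"
    if major == 5 and minor == 21:
        return "update to 5.21.4"
    # Older feature releases (e.g. 5.20) have no fixed release of their own.
    return "update to 6.5 or 5.21.4"


def hosts_needing_update(inventory: Dict[str, str]) -> Dict[str, str]:
    """Filter an inventory of host -> version down to hosts that must update."""
    result = {}
    for host, version in inventory.items():
        action = remediation_for(version)
        if action.startswith("update"):
            result[host] = action
    return result


# Constructed sample inventory for the example.
SAMPLE_INVENTORY = {
    "lxd-a": "6.4",
    "lxd-b": "5.21.3",
    "lxd-c": "5.0.4",
    "lxd-d": "6.5",
    "lxd-e": "5.21.4",
}

if __name__ == "__main__":
    for host, action in hosts_needing_update(SAMPLE_INVENTORY).items():
        print(f"{host}: {action}")
```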

Added: Oct 2, 2025, 10:20 AM
Updated: Oct 2, 2025, 10:20 AM

Vulnerability Rating

Custom Algorithm

spread:         4.2
impact:         0.0
exploitability: 6.0
remediation:    7.7
relevance:      0.6
threat:         6.4
urgency:        2.9
incentive:      1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.