Canonical LXD Information Disclosure Vulnerability in Images API

Vulnerability

A vulnerability allowing information disclosure has been identified in the images API of Canonical LXD, affecting versions prior to 6.5 and 5.21.4 on all platforms. It allows an unauthenticated remote attacker to determine whether a project exists by comparing HTTP status codes: the LXD /1.0/images endpoint is reachable without authentication, and its response differs depending on whether the requested project is found.

Impact

Exploiting this vulnerability lets an attacker confirm, without authorization, which projects exist on an LXD server. Because project IDs often reflect user-chosen names, this can leak unpublished product information. The vulnerability does not grant access to the resources inside a project, but knowing which projects exist could make other vulnerabilities easier to exploit.

Reproduction

To reproduce this vulnerability, send an unauthenticated request to the LXD /1.0/images endpoint with a project parameter. If the project does not exist, the server returns a 404 status code; if the project exists but the caller lacks permission to view it, the server returns 403. This difference in responses reveals whether a project exists.
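The following is an added illustration of the oracle described above and of the usual way to close one: it is constructed example code, not LXD's implementation, and the project set, the idea of a "public" project that anonymous callers may list, and the choice of a uniform 404 for the hardened path are all assumptions made for the example. The vulnerable handler checks existence before authorization, so the status code leaks an existence bit; the hardened handler folds the two failure cases into one response for unauthenticated callers.

```python
"""Constructed model of the 404/403 existence oracle and a hardened variant.
Not LXD's code; the hypothetical server state below is invented for the example."""

from http import HTTPStatus

# Assumed server state: projects that exist, and the subset an anonymous
# caller is allowed to list images for (modelling the unauthenticated
# access to /1.0/images that the advisory mentions).
PROJECTS = {"default", "internal-beta"}
PUBLIC_PROJECTS = {"default"}


def vulnerable_images_handler(project: str, authenticated: bool) -> int:
    """Behaviour the advisory describes: existence is decided first, so an
    anonymous caller sees 404 for a missing project but 403 for one that
    exists and is merely not viewable."""
    if project not in PROJECTS:
        return HTTPStatus.NOT_FOUND          # 404: project does not exist
    if not authenticated and project not in PUBLIC_PROJECTS:
        return HTTPStatus.FORBIDDEN          # 403: exists, but not viewable
    return HTTPStatus.OK


def hardened_images_handler(project: str, authenticated: bool) -> int:
    """Illustrative fix: decide 'may this caller see this project' as one
    predicate and answer every negative case with the same status, so the
    response no longer encodes whether the project exists. A uniform 404 is
    one reasonable choice; the advisory does not state how LXD resolved it."""
    viewable = project in PROJECTS and (authenticated or project in PUBLIC_PROJECTS)
    if not viewable:
        return HTTPStatus.NOT_FOUND          # same answer for missing and hidden
    return HTTPStatus.OK


def leaks_existence(handler) -> bool:
    """True if an unauthenticated caller can tell an existing, non-public
    project apart from a nonexistent one by status code alone."""
    existing = handler("internal-beta", authenticated=False)
    missing = handler("no-such-project", authenticated=False)
    return existing != missing


if __name__ == "__main__":
    print("vulnerable handler leaks existence:", leaks_existence(vulnerable_images_handler))
    print("hardened handler leaks existence:  ", leaks_existence(hardened_images_handler))
```

The hardened version keeps the legitimate unauthenticated behaviour (listing the public project still returns 200) while removing the only signal the advisory relies on; the same "one predicate, one failure status" pattern applies to any endpoint that is reachable before authentication.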

Remediation

Users are advised to update to LXD versions 6.5 or 5.21.4. For LXD 5.0 and 4.0, which are end-of-life and not critical, no action is necessary.
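For fleet inventory it helps to turn the remediation statement into a check that classifies a reported LXD version against the fixed releases named here (6.5 and 5.21.4) and the end-of-life 5.0 and 4.0 series for which the advisory says no action is needed. This is an added example, not Canonical tooling; the version strings in the usage block are constructed.

```python
"""Classify an LXD version string against this advisory's fixed versions.
Added example, not Canonical's code; input strings below are constructed."""

import re

# Fixed versions named in the advisory, one per affected release branch.
FIXED_6X = (6, 5, 0)
FIXED_521 = (5, 21, 4)
# Series the advisory marks end-of-life with no action required.
EOL_SERIES = {(5, 0), (4, 0)}


def parse_version(text: str) -> tuple:
    """Extract the first dotted version from text such as '5.21.3' or the
    'Client version: 5.21.3' style line that `lxc version` prints, and
    normalise it to a three-component tuple."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    parts = [int(g) for g in m.groups() if g is not None]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def status(version: str) -> str:
    """Return 'fixed', 'affected' or 'eol-no-action' for a version string."""
    v = parse_version(version)
    if v[:2] in EOL_SERIES:
        return "eol-no-action"
    if v >= FIXED_6X or (v[0] == 5 and v >= FIXED_521):
        return "fixed"
    return "affected"


if __name__ == "__main__":
    # Constructed sample inventory: hostname -> output line from `lxc version`.
    inventory = {
        "build-01": "Client version: 6.4",
        "build-02": "Client version: 6.5",
        "lab-lts": "Server version: 5.21.3",
        "old-lts": "Server version: 5.0.4",
    }
    for host, line in inventory.items():
        print(f"{host:10s} {parse_version(line)} -> {status(line)}")
```

Versions are compared as integer tuples rather than strings so that 5.21.4 sorts after 5.21.3 and 6.5 after 6.10 is never mis-ordered; the end-of-life check is applied first because those series sit numerically below both fixed versions and would otherwise be reported as affected.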

Added: Oct 2, 2025, 10:20 AM
Updated: Oct 2, 2025, 10:20 AM

Vulnerability Rating

Custom Algorithm
spread: 4.2
impact: 0.6
exploitability: 6.0
remediation: 7.7
relevance: 0.6
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.