Canonical LXD
cpe:2.3:a:canonical:lxd:*:*:*:*:*:*:*
- >= 4.0
A path traversal vulnerability has been identified in Canonical LXD 5.0 LTS on Linux, allowing authenticated remote attackers to read arbitrary files from the host system. This issue arises in the log file retrieval function, where insufficient validation of log file names enables the traversal attack via crafted filenames or symbolic links.
Exploitation of this vulnerability allows for unauthorized reading of files on the LXD host system, potentially including sensitive information such as host configuration files, LXD database files, instance data, and other confidential host information.
The vulnerability can be reproduced by sending a crafted log file name that exploits the path traversal flaw in the validLogFileName function. This can be done through the LXD-UI by creating a symbolic link within a container that points to a sensitive file, and then using the log file retrieval function to access the file on the host.
Users are advised to upgrade to LXD 5.21.4 or LXD 6.5, where this vulnerability has been fixed.
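Both conditions described above, a crafted name and a symbolic link planted in the log directory, can be refused at the point where the file is opened. The following Go code is an added example, not LXD's code or its actual fix; safeOpenLog and errBadLogName are hypothetical names, and the directory layout in main is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var errBadLogName = errors.New("log name rejected")

// safeOpenLog (hypothetical helper) opens name inside logDir only when
// name is a bare file name and the directory entry is a regular file.
func safeOpenLog(logDir, name string) (*os.File, error) {
	// Lexical check: no separators, no "." or "..", no empty name.
	if name == "" || name == "." || name == ".." || strings.ContainsAny(name, "/\\") {
		return nil, errBadLogName
	}
	full := filepath.Join(logDir, name)
	// Lstat does not follow symlinks, so a planted link is seen as a link.
	before, err := os.Lstat(full)
	if err != nil {
		return nil, err
	}
	if !before.Mode().IsRegular() {
		return nil, errBadLogName
	}
	f, err := os.Open(full)
	if err != nil {
		return nil, err
	}
	// Refuse if the entry was swapped between Lstat and Open.
	after, err := f.Stat()
	if err != nil || !os.SameFile(before, after) {
		f.Close()
		return nil, errBadLogName
	}
	return f, nil
}

func main() {
	// Constructed demo: a temp log dir holding a symlink that points outside it.
	dir, _ := os.MkdirTemp("", "logs")
	defer os.RemoveAll(dir)
	os.Symlink("../outside", filepath.Join(dir, "link.log"))
	for _, n := range []string{"link.log", "../x"} {
		_, err := safeOpenLog(dir, n)
		fmt.Println(n, "->", err)
	}
}
```

The check assumes logDir itself is a trusted path that is not a symlink under another party's control.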