Incus Local Privilege Escalation Vulnerability via Custom Storage Volumes
Vulnerability
A local privilege escalation vulnerability has been identified in Incus, a system container and virtual machine manager, affecting versions prior to 6.0.6 and 6.19.0. The issue arises when an unprivileged user has root access to a container with an attached custom storage volume that has the 'security.shifted' property enabled, and also has access to the host as an unprivileged user. This vulnerability is most likely to occur in environments using 'incus-user' with the 'incus' group, which provides unprivileged users with restricted access to Incus. In such cases, users could create a custom storage volume with the necessary 'shifted' property, write a setuid binary within the container, and execute it on the host to gain root privileges.
Impact
Exploitation of this vulnerability allows unprivileged users to escalate privileges on the host system, obtaining root access.
Reproduction
To reproduce this vulnerability, launch a container using an Incus version prior to the patched releases. Create a custom storage volume and set the 'security.shifted' property to true. Attach this volume to a container and write a setuid binary that can be executed on the host, thereby gaining root privileges. This can also be done by using 'incus-admin' or root to set up an SSH key in the container, allowing for remote execution of the privilege escalation payload.
Remediation
Users can manually restrict permissions on storage volumes until Incus is updated to version 6.0.6 or 6.19.0. After applying the update, permissions will be automatically corrected. Instructions for updating Incus can be found in the official Incus repository.
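A host-side check that supports the interim remediation above, added here as an example and not taken from Incus or from this advisory: it lists volume directories that other host users can traverse, along with any setuid/setgid files inside them. The directory passed in is an assumption (the advisory gives no path), as is the layout of one subdirectory per volume; run it as root so every volume is readable.

```python
import os
import stat
import sys


def audit_volume_root(root):
    """Treat each immediate subdirectory of `root` as one volume directory.

    Returns one finding per volume that other host users can traverse or
    that contains setuid/setgid regular files.
    """
    findings = []
    for entry in sorted(os.scandir(root), key=lambda e: e.name):
        if not entry.is_dir(follow_symlinks=False):
            continue
        mode = entry.stat(follow_symlinks=False).st_mode
        # o+x on the volume directory lets any host user reach files in it.
        world_traversable = bool(mode & stat.S_IXOTH)
        privileged = []
        for dirpath, _dirs, files in os.walk(entry.path, followlinks=False):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue  # vanished or unreadable: skip it
                if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                    privileged.append(
                        {"path": path, "uid": st.st_uid, "mode": stat.filemode(st.st_mode)}
                    )
        if world_traversable or privileged:
            findings.append({
                "volume": entry.path,
                "mode": stat.filemode(mode),
                "world_traversable": world_traversable,
                "privileged_files": privileged,
            })
    return findings


if __name__ == "__main__":
    # Assumption: argv[1] is the host directory holding the custom volumes
    # of one storage pool; the advisory does not state this path.
    if len(sys.argv) == 2:
        for finding in audit_volume_root(sys.argv[1]):
            print(finding["mode"], finding["volume"])
            for item in finding["privileged_files"]:
                print("   ", item["mode"], "uid=%d" % item["uid"], item["path"])
```

A volume that is both traversable by other users and holds a setuid file owned by uid 0 is the combination the advisory describes; either finding alone is worth reviewing until the update is applied.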
