Incus Newline Injection Vulnerability Leading to Arbitrary Command Execution
Vulnerability
A vulnerability exists in Incus, a system container and virtual machine manager, in versions up to and including 6.20.0. A user who can launch containers with a custom YAML configuration (for example, any member of the 'incus' group) can place a newline inside an environment variable value; the value is copied verbatim into the container's generated lxc.conf, so everything after the newline is parsed as an additional configuration directive. This lets the user append arbitrary lifecycle hooks, which liblxc runs on the host, and so obtain arbitrary command execution on the host. On IncusOS the payload needs a small adjustment: the hook must write to a directory that is writable on the host there, such as /tmp. The result can then be confirmed from a second container with the host's /tmp mounted into it (a privileged operation, used here only to verify the result).
Impact
Successful exploitation yields arbitrary command execution as root on the host, because the injected hooks are executed by the Incus daemon on the host side rather than inside the container.
Reproduction
To reproduce this vulnerability, launch a new container from a configuration file in which one environment variable is given a multiline YAML string as its value. The text after the embedded newline is written to the container's lxc.conf as its own directive, so it can declare a hook such as a pre-start hook that runs a command of the attacker's choosing. When the container starts, that command runs on the host, confirming the issue.
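The following Go program is an added illustration written for this page; it is not Incus's own code and is only a model of the flaw described above. It assumes a renderer that turns a container's environment.* entries into lxc.environment lines in lxc.conf (the exact line format is an assumption), shows how a value carrying a newline smuggles in an lxc.hook.pre-start directive, and contrasts it with a hardened renderer that rejects control characters plus a post-generation check that flags any hook directive. The sample environment and the /bin/true hook command are constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed sample input: the environment.* entries from a container's
// YAML config, as variable name -> value. The second value carries the
// payload the advisory describes: a newline followed by text that lxc.conf
// will parse as a lifecycle hook. /bin/true stands in for a real command.
var sampleEnv = map[string]string{
	"APP_MODE": "production",
	"EVIL":     "x\nlxc.hook.pre-start = /bin/true",
}

func sortedKeys(m map[string]string) []string {
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

// renderEnvVulnerable models the flawed behaviour: each value is copied
// verbatim into an lxc.environment line, so an embedded newline terminates
// the line and whatever follows becomes a new, attacker-chosen directive.
func renderEnvVulnerable(env map[string]string) string {
	var b strings.Builder
	for _, k := range sortedKeys(env) {
		fmt.Fprintf(&b, "lxc.environment = %s=%s\n", k, env[k])
	}
	return b.String()
}

// renderEnvHardened refuses any key or value containing a character that
// can end or corrupt an lxc.conf line. Rejecting is preferable to escaping
// here, because the config format offers no quoting for these values.
func renderEnvHardened(env map[string]string) (string, error) {
	var b strings.Builder
	for _, k := range sortedKeys(env) {
		v := env[k]
		if strings.ContainsAny(k, "\r\n\x00=") || strings.ContainsAny(v, "\r\n\x00") {
			return "", fmt.Errorf("environment variable %q: control characters are not allowed in lxc.conf", k)
		}
		fmt.Fprintf(&b, "lxc.environment = %s=%s\n", k, v)
	}
	return b.String(), nil
}

// findInjectedHooks is a defence-in-depth check on the rendered output: it
// returns every lxc.hook.* directive, which a fragment generated purely from
// environment.* entries must never contain.
func findInjectedHooks(conf string) []string {
	var hooks []string
	for _, line := range strings.Split(conf, "\n") {
		key, _, found := strings.Cut(line, "=")
		if !found {
			continue
		}
		if strings.HasPrefix(strings.TrimSpace(key), "lxc.hook.") {
			hooks = append(hooks, strings.TrimSpace(line))
		}
	}
	return hooks
}

func main() {
	conf := renderEnvVulnerable(sampleEnv)
	fmt.Print("vulnerable renderer produced:\n" + conf)
	fmt.Printf("injected hooks: %q\n", findInjectedHooks(conf))

	if _, err := renderEnvHardened(sampleEnv); err != nil {
		fmt.Println("hardened renderer:", err)
	}
}
```

Running the program prints three lxc.conf lines from the vulnerable renderer, the third being the injected lxc.hook.pre-start directive, while the hardened renderer rejects the same input. The same pattern applies to any config value that is interpolated into a line-oriented file: validate the value against the file's line and record separators before writing it.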
Remediation
Update to Incus 6.21.0, or to 6.0.6 on the 6.0 LTS branch; both contain the fix. Until the update is applied, treat membership in the 'incus' group, or any other ability to launch containers with a custom configuration, as equivalent to root access on the host.
