Incus Directory Traversal Vulnerability Leading to Arbitrary File Access and Command Execution

Vulnerability

A vulnerability in Incus, a system container and virtual machine manager, allows a user who can launch containers from a custom image to exploit directory traversal or symbolic links in the image templating functionality. The issue is present in versions before 6.21.0 and, on the 6.0 LTS branch, before 6.0.6. It enables arbitrary file read and write on the host, and from there arbitrary command execution. The flaw arises because neither the source path (the template file referenced from the image's templates/ directory) nor the target path (the file inside the container rootfs that the template is rendered to) declared in the image's metadata.yaml is validated against symbolic links or directory traversal, so when templates are applied (at container creation, copy or start, depending on the template's settings) the read or write can be redirected to a host path.

Impact

Exploitation of this vulnerability gives an attacker who can import and launch a custom image arbitrary file read and write on the host; a write to a host file whose contents the kernel executes, such as /proc/sys/kernel/core_pattern, turns this into arbitrary command execution on the host as root.

Reproduction

To reproduce this vulnerability, create a container image whose metadata.yaml declares templates with source or target paths that point at host files, either directly through ".." components or via symbolic links placed in the image. Import the image into Incus and launch a container from it. The referenced host files are rendered into the container, demonstrating the arbitrary file read. For the write side, point a template's target at a host file whose contents trigger execution, such as /proc/sys/kernel/core_pattern: a pipe handler written there is run by the kernel as root the next time a process dumps core.
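The page describes the missing validation in prose only. The following added example (not Incus's own code) shows the check an image importer should perform on the templates section of metadata.yaml before anything is rendered. It assumes the metadata.yaml layout of the LXD/Incus image format, where the templates mapping is keyed by the target path inside the rootfs and each entry's template field names a file under the image's templates/ directory; the temporary image layout, the rootfs and every template entry in demo() are constructed for this example, and no real host file is touched.

```python
"""Validate the template entries of an Incus-style image before applying them.

Added example, not Incus's own code. Entries mirror the shape of the
`templates:` section of metadata.yaml (target path -> {"template": file in
templates/}) and are rejected when the source or the target escapes the
image's templates/ directory or the container rootfs, either lexically
(".." components) or through a symbolic link.
"""
import os
import tempfile
from typing import Dict, List, Tuple


def no_lexical_escape(path: str) -> bool:
    """True if the path never climbs above its starting directory.

    Checked on the raw components: os.path.normpath would silently turn
    '/../../etc/shadow' into '/etc/shadow' and hide the traversal.
    """
    depth = 0
    for part in path.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            depth -= 1
            if depth < 0:
                return False
        else:
            depth += 1
    return True


def resolves_inside(root: str, rel: str) -> bool:
    """True if root/rel stays under root once symlinks are followed.

    os.path.realpath follows every existing symlink in the prefix and keeps
    the not-yet-existing tail, so a target whose parent directory is a
    symlink out of the rootfs is caught before the file is ever created.
    """
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, rel.lstrip("/")))
    return candidate == root_real or candidate.startswith(root_real + os.sep)


def check_template(templates_dir: str, rootfs: str, target: str, source: str) -> Tuple[bool, str]:
    """Validate one template entry; returns (ok, reason)."""
    # Source: a plain file name inside templates/, nothing else.
    if "/" in source or source in ("", ".", ".."):
        return False, f"source {source!r} is not a plain file name"
    if not resolves_inside(templates_dir, source):
        return False, f"source {source!r} resolves outside templates/"
    # Target: a rootfs-relative path that must stay inside the rootfs.
    if not no_lexical_escape(target):
        return False, f"target {target!r} climbs out of the rootfs with '..'"
    if not resolves_inside(rootfs, target):
        return False, f"target {target!r} leaves the rootfs via a symlink"
    return True, "ok"


def check_all(templates_dir: str, rootfs: str, templates: Dict[str, Dict[str, str]]) -> List[Tuple[str, bool, str]]:
    """Run check_template over a whole templates mapping."""
    return [
        (target, *check_template(templates_dir, rootfs, target, spec.get("template", "")))
        for target, spec in templates.items()
    ]


def demo() -> List[Tuple[str, bool, str]]:
    """Build a throwaway image layout and rootfs (all constructed) and check it."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "image")
        rootfs = os.path.join(tmp, "rootfs")
        outside = os.path.join(tmp, "host")  # stands in for the host filesystem
        os.makedirs(os.path.join(image, "templates"))
        os.makedirs(os.path.join(rootfs, "etc"))
        os.makedirs(outside)
        with open(os.path.join(image, "templates", "hostname.tpl"), "w") as f:
            f.write("{{ container.name }}\n")
        # A rootfs entry that is really a symlink to the "host" side.
        os.symlink(outside, os.path.join(rootfs, "escape"))
        # A template file that is a symlink pointing outside templates/.
        os.symlink(os.path.join(outside, "secret"), os.path.join(image, "templates", "leak.tpl"))

        templates = {
            "/etc/hostname": {"template": "hostname.tpl"},            # benign
            "/../../../../etc/shadow": {"template": "hostname.tpl"},   # target traversal
            "/escape/core_pattern": {"template": "hostname.tpl"},      # target via symlink
            "/etc/motd": {"template": "../../../../etc/passwd"},       # source traversal
            "/etc/issue": {"template": "leak.tpl"},                    # source via symlink
        }
        return check_all(os.path.join(image, "templates"), rootfs, templates)


if __name__ == "__main__":
    for target, ok, reason in demo():
        print(f"{'ACCEPT' if ok else 'REJECT'} {target}: {reason}")
```

Only the first entry is accepted; the other four are the two read-side (source) and two write-side (target) redirections the advisory describes. Note that the lexical check alone is not enough: the "/escape/core_pattern" entry contains no ".." at all and is caught only by resolving symlinks against the real rootfs path.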

Remediation

Users are advised to update to Incus 6.21.0 or, on the 6.0 LTS branch, 6.0.6, where this vulnerability has been patched. Until the update is applied, restrict image import and container creation from custom images to trusted users, since the attack requires launching a container from an attacker-supplied image.

Added: Jan 22, 2026, 10:37 PM
Updated: Jan 22, 2026, 10:37 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 4.6
remediation: 0.0
relevance: 2.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.