Canonical LXD Improper Input Validation in Compression Algorithm Parameter Leading to Authenticated Remote Code Execution

Vulnerability

A vulnerability in Canonical LXD exists due to improper validation of the compression_algorithm parameter accepted by the image and backup API endpoints. The value is meant to name a compressor, but the server does not adequately sanitize it before using it to run the compression step, so an authenticated but otherwise unprivileged user can supply a crafted value that is interpreted and executed as a command by the LXD daemon. LXD versions 4.12 through 6.6 are affected; the 4.0/stable channel is not.
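The flaw class described above, as an added illustration that is not LXD's own code: a hypothetical Go handler that turns the compression_algorithm value into an argv, first in the vulnerable form (the string is split and handed to the process launcher as-is, so the caller picks the program) and then with an allowlist of compressor names plus a narrow rule for level flags. The allowlist, the level-flag rule and the function names are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// compressorAllowlist is an assumed allowlist for this example; it is not
// LXD's own list of supported compressors.
var compressorAllowlist = map[string]bool{
	"gzip": true, "bzip2": true, "xz": true, "lzma": true, "zstd": true,
}

// levelFlag accepts a compression level such as -1 .. -9 and nothing else,
// so flags that change where a tool reads or writes cannot be smuggled in.
var levelFlag = regexp.MustCompile(`^-[1-9]$`)

// unsafeCommand models the vulnerable pattern: the user-supplied value is
// split into an argv and passed straight to the process launcher, so the
// program named by the API caller is what the daemon executes.
func unsafeCommand(value string) []string {
	return strings.Fields(value)
}

// safeCommand accepts only a known compressor name with optional level
// flags. It returns a nil argv for "none", an argv for an allowed value,
// and an error for anything else: shells, absolute paths, extra arguments.
func safeCommand(value string) ([]string, error) {
	fields := strings.Fields(value)
	if len(fields) == 0 {
		return nil, errors.New("empty compression algorithm")
	}
	if fields[0] == "none" && len(fields) == 1 {
		return nil, nil
	}
	name := fields[0]
	if !compressorAllowlist[name] {
		return nil, fmt.Errorf("unsupported compression algorithm %q", name)
	}
	for _, arg := range fields[1:] {
		if !levelFlag.MatchString(arg) {
			return nil, fmt.Errorf("invalid argument %q for %s", arg, name)
		}
	}
	return fields, nil
}

func main() {
	// Constructed sample values: one legitimate, three hostile.
	for _, v := range []string{"gzip -9", "sh -c id", "/tmp/evil", "xz --keep"} {
		fmt.Printf("unsafe: %q -> argv %q\n", v, unsafeCommand(v))
		argv, err := safeCommand(v)
		fmt.Printf("safe:   %q -> argv %q err=%v\n", v, argv, err)
	}
}
```

The point of the hardened form is that validation happens before the value reaches exec: the name is looked up in a fixed set, so there is no code path in which an attacker-chosen program or an attacker-chosen output path is handed to the process launcher.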

Impact

Successful exploitation gives an authenticated, unprivileged API user command execution on the host with the privileges of the LXD daemon, which runs as root. The practical impact is therefore compromise of the host and of every instance it manages, not just the caller's own project.

Reproduction

An authenticated API user sends a request to an image or backup endpoint that accepts compression_algorithm, supplying a command in place of a compressor name. The server runs the supplied value as a command in the context of the LXD daemon. A valid LXD API credential is all that is required; no host or instance privileges are needed, which is why the issue is rated as remotely exploitable by any trusted client.

Remediation

Upgrade to a fixed release for the channel in use: 5.0.6 (5.0/stable), 5.21.4 (5.21/stable), or 6.7 (latest/stable). Instructions for upgrading are available in the LXD release notes. Because any authenticated API user can trigger the issue, limit who holds LXD API credentials until the upgrade is applied.

Added: Mar 12, 2026, 3:20 PM
Updated: Mar 12, 2026, 3:20 PM

Vulnerability Rating

Custom Algorithm
spread: 4.2
impact: 10.0
exploitability: 4.6
remediation: 7.7
relevance: 3.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.