Incus Local Privilege Escalation Vulnerability via Predictable Temporary File Paths

Vulnerability

A local privilege escalation vulnerability has been identified in Incus, a system container and virtual machine manager, in versions prior to 6.23.0. The issue lies in the virtual machine VGA screenshot handling routine, which creates temporary files in the world-writable /tmp directory at predictable paths. A local attacker who can guess the path can pre-place a symlink there before a screenshot is requested; the Incus daemon, which runs as root, then follows the symlink, truncating the target file and changing its ownership, so arbitrary files on the filesystem can be emptied and handed to an unprivileged user. Most Linux systems ship with the kernel's 'fs.protected_symlinks' sysctl enabled, which refuses to follow a symlink in a sticky, world-writable directory such as /tmp unless the process following it or the directory owner also owns the link; that setting blocks this attack, so the vulnerability is exploitable only on hosts where the protection has been disabled. The impact may include denial of service, corruption of sensitive files, and privilege escalation.

Impact

Exploitation of this vulnerability can lead to unauthorized modification of file ownership and permissions and to truncation of sensitive files, which can result in denial of service and escalation of privileges on the host system.

Reproduction

To reproduce this vulnerability, first disable the kernel's protected symlink feature by writing a value of 0 to '/proc/sys/fs/protected_symlinks' as root. Next, create a virtual machine in Incus and ensure it is running. Then, as an unprivileged local user, pre-place symlinks in '/tmp' at the predictable path(s) the screenshot routine will use, pointing them at a sensitive root-owned file such as '/root/shadow_trap'. Finally, request a VGA console screenshot for that VM through the Incus API: the daemon follows the symlink, overwrites the targeted file and changes its ownership to the unprivileged user the VM runs as. Because the first step turns off a default protection, a successful reproduction on an unmodified host means 'fs.protected_symlinks' was already 0 there.
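The following Go program is an added example illustrating the bug class behind the reproduction above; it is not Incus's own code, and the file name, the victim contents and the writer functions are all hypothetical. It plays both sides of the attack in a private temporary directory: the "attacker" plants a symlink at a predictable path, then the "daemon" writes a screenshot there, once with the truncating open pattern described in the advisory and once with a hardened open that refuses to follow a pre-placed symlink. It also reads the 'fs.protected_symlinks' sysctl the advisory depends on.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

// victimContent is constructed sample data standing in for a sensitive
// root-owned file such as the /root/shadow_trap target in the reproduction.
const victimContent = "root:$6$constructed-sample-hash:19000:0:99999:7:::\n"

// screenshotName is a hypothetical predictable file name; the real path used
// by the affected Incus versions is not reproduced here.
const screenshotName = "vga_screenshot_demo.png"

// writeScreenshotVulnerable mirrors the bug class described above (hypothetical
// code, not Incus's own): it opens a fixed path with O_TRUNC, which follows a
// symlink already sitting there and truncates whatever it points at.
func writeScreenshotVulnerable(path string, data []byte) error {
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o644)
	if err != nil {
		return err
	}
	defer f.Close()
	_, err = f.Write(data)
	return err
}

// writeScreenshotHardened keeps the same fixed path but refuses to be redirected:
// O_EXCL makes the open fail with EEXIST if anything (a symlink included, even a
// dangling one) already exists there, and O_NOFOLLOW makes the kernel reject a
// symlink at the final path component with ELOOP. Using os.CreateTemp for a
// random name would remove the predictability as well; this version isolates
// the flag-level defence.
func writeScreenshotHardened(path string, data []byte) error {
	flags := os.O_WRONLY | os.O_CREATE | os.O_EXCL | syscall.O_NOFOLLOW
	f, err := os.OpenFile(path, flags, 0o644)
	if err != nil {
		return err
	}
	defer f.Close()
	_, err = f.Write(data)
	return err
}

// simulateAttack plays both roles in a private temporary directory: the
// "attacker" plants a symlink at the predictable path pointing at the victim
// file, then the "daemon" writes its screenshot with the supplied writer.
// It reports whether the victim's contents were clobbered, plus the writer's
// error (or a setup error, wrapped).
func simulateAttack(writer func(string, []byte) error) (clobbered bool, err error) {
	dir, err := os.MkdirTemp("", "symlink-demo-")
	if err != nil {
		return false, fmt.Errorf("mkdirtemp: %w", err)
	}
	defer os.RemoveAll(dir)

	victim := filepath.Join(dir, "shadow_trap")
	if err := os.WriteFile(victim, []byte(victimContent), 0o600); err != nil {
		return false, fmt.Errorf("seed victim: %w", err)
	}

	// Attacker step: the symlink is created before the daemon ever runs, so
	// there is no race to win; the path only has to be guessed correctly.
	predictable := filepath.Join(dir, screenshotName)
	if err := os.Symlink(victim, predictable); err != nil {
		return false, fmt.Errorf("plant symlink: %w", err)
	}

	// Daemon step: write the "screenshot" (constructed bytes) to the predictable path.
	writeErr := writer(predictable, []byte("\x89PNG\r\n\x1a\nconstructed screenshot bytes"))

	after, err := os.ReadFile(victim)
	if err != nil {
		return false, fmt.Errorf("read victim: %w", err)
	}
	return string(after) != victimContent, writeErr
}

// protectedSymlinksEnabled reads the sysctl that blocks this attack on most
// hosts. known is false where /proc/sys is unavailable (non-Linux, sandboxes).
func protectedSymlinksEnabled() (enabled, known bool) {
	b, err := os.ReadFile("/proc/sys/fs/protected_symlinks")
	if err != nil {
		return false, false
	}
	return strings.TrimSpace(string(b)) == "1", true
}

func main() {
	writers := []struct {
		name string
		fn   func(string, []byte) error
	}{
		{"vulnerable (O_TRUNC, follows symlink)", writeScreenshotVulnerable},
		{"hardened (O_EXCL|O_NOFOLLOW)", writeScreenshotHardened},
	}
	for _, w := range writers {
		clobbered, err := simulateAttack(w.fn)
		fmt.Printf("%-40s victim clobbered=%v err=%v\n", w.name, clobbered, err)
	}
	if on, known := protectedSymlinksEnabled(); known {
		fmt.Println("fs.protected_symlinks enabled on this host:", on)
	}
}
```

The simulation succeeds regardless of the sysctl because the scratch directory is not sticky and the symlink, the directory and the process all share one uid, which is exactly the case protected symlinks do not restrict. On a real host the symlink sits in root-owned, sticky /tmp, is owned by the attacker and is followed by root, so 'fs.protected_symlinks=1' makes the root-side open fail; that is why the reproduction has to switch it off first, and why the hardened open (or a random name from os.CreateTemp) is the fix that does not depend on the sysctl.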

Remediation

Update to Incus version 6.23.0 or later, where this vulnerability has been fixed. Until the update is applied, confirm on any host with untrusted local users that the kernel protection the attack depends on is active: 'sysctl fs.protected_symlinks' should report 1.

Added: Mar 26, 2026, 11:23 PM
Updated: Mar 26, 2026, 11:23 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 4.0
remediation: 0.0
relevance: 4.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.