Canonical LXD Privilege Escalation Vulnerability in TLS Certificate Management

Vulnerability

A vulnerability in Canonical LXD versions 4.12 through 6.7 allows remote authenticated attackers to escalate privileges to cluster admin. The issue arises in the 'doCertificateUpdate' function, which fails to properly validate the 'Type' field when processing PUT/PATCH requests to '/1.0/certificates/{fingerprint}' for users with restricted TLS certificates. This oversight enables attackers to manipulate certificate types, bypassing authorization controls and gaining elevated privileges.
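To show what the missing check looks like, here is an added, constructed Go sketch (not LXD's code) of a certificate-update handler in two forms: one that only verifies ownership, matching the flaw described above, and one that also freezes the privilege-bearing fields for non-admin callers. The Certificate and Caller types, field names and fingerprints are assumptions made for the illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Certificate is a constructed, simplified trust-store entry (not LXD's own type);
// Type ("client"/"server") is the field the advisory says was not validated.
type Certificate struct {
	Fingerprint string
	Name        string
	Type        string
	Restricted  bool
}

// Caller is the identity behind a PUT/PATCH on /1.0/certificates/{fingerprint}.
type Caller struct {
	Fingerprint string
	IsAdmin     bool
}
var errForbidden = errors.New("forbidden: restricted caller may not change privilege-bearing fields")

// vulnerableUpdate models the flaw: only ownership is checked, so a restricted
// owner can rewrite Type and receive whatever trust the new type carries.
func vulnerableUpdate(c Caller, cur, req Certificate) (Certificate, error) {
	if !c.IsAdmin && c.Fingerprint != cur.Fingerprint {
		return cur, errForbidden
	}
	return req, nil
}

// hardenedUpdate keeps the ownership check and additionally refuses any change
// to Type or Restricted unless the caller is an admin; cosmetic fields such as
// Name stay editable by the certificate's owner.
func hardenedUpdate(c Caller, cur, req Certificate) (Certificate, error) {
	if !c.IsAdmin && c.Fingerprint != cur.Fingerprint {
		return cur, errForbidden
	}
	if !c.IsAdmin && (req.Type != cur.Type || req.Restricted != cur.Restricted) {
		return cur, errForbidden
	}
	return req, nil
}

func main() {
	cur := Certificate{Fingerprint: "aa11", Name: "dev", Type: "client", Restricted: true} // constructed
	req := cur
	req.Type = "server" // the client-to-server change the advisory describes
	_, err := hardenedUpdate(Caller{Fingerprint: "aa11"}, cur, req)
	fmt.Println("type change by restricted owner rejected:", err != nil)
}
```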

Impact

Exploitation of this vulnerability allows restricted TLS certificate users to escalate privileges to cluster admin, with immediate effect and no logging of the permission change.

Reproduction

To reproduce this vulnerability, first create a restricted project and a restricted certificate as an admin. Then, as a restricted user, add a token for authentication and confirm access to the restricted project. Next, update the certificate type from 'client' to 'server' using a PUT/PATCH request. After the type change is confirmed, the project can be set to unrestricted, and a privileged container can be started, leading to root access on the host.

Remediation

Users can update to LXD versions 5.0.7, 5.21.5, 6.8, or 4.0.10.

Added: Apr 9, 2026, 10:48 AM
Updated: Apr 9, 2026, 10:48 AM

Vulnerability Rating

Custom Algorithm

spread: 4.2
impact: 5.0
exploitability: 4.6
remediation: 7.7
relevance: 5.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.