Incus Nil-Pointer Dereference Vulnerability Leading to Denial-of-Service

Vulnerability

A nil-pointer dereference vulnerability has been identified in Incus, a system container and virtual machine manager, in versions prior to 7.0.0. This vulnerability allows an authenticated user with access to the storage bucket feature to crash the Incus daemon. The issue arises in the backup metadata handling, where the daemon processes the index.yaml file from an imported archive. If the file omits the configuration block, it leads to a nil-pointer dereference, causing the daemon to terminate. This vulnerability can be exploited repeatedly to keep Incus offline, resulting in a denial-of-service condition.
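The bug class described above, as an added illustration in Go that is not Incus's own code: a decoder leaves an optional pointer field nil when the block is absent from the index, the vulnerable path dereferences it blindly, and the hardened path validates first. The struct names, field names and the use of JSON in place of YAML are assumptions made for a self-contained example; the nil-field behaviour is the same for both decoders.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Hypothetical shape of a bucket backup index, modelled on the page's
// description. These are NOT Incus's real types or field names.
type BucketConfig struct {
	Name   string            `json:"name"`
	Config map[string]string `json:"config"`
}

type BackupIndex struct {
	Name   string        `json:"name"`
	Type   string        `json:"type"`
	Config *BucketConfig `json:"config"` // pointer: stays nil when the key is absent
}

// vulnerableBucketName mirrors the bug class: it assumes the optional block exists.
func vulnerableBucketName(raw []byte) (string, error) {
	var idx BackupIndex
	if err := json.Unmarshal(raw, &idx); err != nil {
		return "", err
	}
	return idx.Config.Name, nil // nil-pointer dereference when "config" was omitted
}

// hardenedBucketName validates the decoded index before dereferencing it.
func hardenedBucketName(raw []byte) (string, error) {
	var idx BackupIndex
	if err := json.Unmarshal(raw, &idx); err != nil {
		return "", fmt.Errorf("parse index: %w", err)
	}
	if idx.Config == nil {
		return "", errors.New("backup index is missing the config block")
	}
	return idx.Config.Name, nil
}

// crashes reports whether fn panics, so the daemon-killing path can be shown in-process.
func crashes(fn func()) (panicked bool) {
	defer func() { panicked = recover() != nil }()
	fn()
	return false
}

// Constructed sample inputs: one complete index, one with the config block omitted.
var withConfig = []byte(`{"name":"b1","type":"bucket","config":{"name":"b1","config":{}}}`)
var withoutConfig = []byte(`{"name":"b1","type":"bucket"}`)

func main() {
	fmt.Println("vulnerable panics on missing config:", crashes(func() { vulnerableBucketName(withoutConfig) }))
	name, err := hardenedBucketName(withoutConfig)
	fmt.Printf("hardened: name=%q err=%v\n", name, err)
}
```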

Impact

Exploitation of this vulnerability causes the Incus daemon to crash, leading to a denial-of-service condition on the affected node.

Reproduction

To reproduce this vulnerability, create a malformed bucket backup archive that omits the config section in the index.yaml file. This can be done using a Python script that packages the index.yaml into a tar.gz file. Once the archive is created, import it into a valid storage pool using the 'incus storage bucket import' command. After the import is initiated, the Incus daemon will panic and crash due to the nil-pointer dereference, which can be verified by checking the service logs for the panic error.

Remediation

Users are advised to update to Incus version 7.0.0 or later, where this vulnerability has been fixed.

Added: May 6, 2026, 9:29 PM
Updated: May 6, 2026, 9:29 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 6.6
remediation: 0.0
relevance: 7.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.