Incus Nil-Pointer Dereference Vulnerability in Custom Volume Import Leading to Denial-of-Service

Vulnerability

A nil-pointer dereference vulnerability has been identified in Incus, a system container and virtual machine manager, in versions prior to 7.0.0. This vulnerability allows an authenticated user with access to the storage volume feature to cause the Incus daemon to crash, leading to a denial-of-service condition on the affected node. The issue arises from missing validation logic in the storage volume import process, where the daemon assumes that all entries in the volume snapshots array are initialized. Exploitation involves supplying a backup archive with a null entry in the volume snapshots array, causing the daemon to dereference a nil pointer and terminate the service.
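The validation described above, sketched as an added example (not Incus's own code and not the upstream fix): an index with a pointer-typed snapshots array is decoded, and null entries are rejected before anything dereferences them. The type names, field layout and the use of JSON in place of index.yaml are assumptions made so the example runs with the Go standard library alone.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Hypothetical stand-ins for a backup index; not Incus's real types.
type Snapshot struct {
	Name string `json:"name"`
}

type BackupIndex struct {
	Name            string      `json:"name"`
	VolumeSnapshots []*Snapshot `json:"volume_snapshots"`
}

var ErrNilSnapshot = errors.New("null entry in volume_snapshots")

// ParseIndex decodes the index and rejects null entries up front, so no
// later code path can dereference a nil *Snapshot.
func ParseIndex(raw []byte) (*BackupIndex, error) {
	var idx BackupIndex
	if err := json.Unmarshal(raw, &idx); err != nil {
		return nil, fmt.Errorf("decode index: %w", err)
	}
	for i, s := range idx.VolumeSnapshots {
		if s == nil {
			return nil, fmt.Errorf("entry %d: %w", i, ErrNilSnapshot)
		}
	}
	return &idx, nil
}

// SnapshotNames dereferences every entry, so it must only see a validated index.
func SnapshotNames(idx *BackupIndex) []string {
	names := make([]string, 0, len(idx.VolumeSnapshots))
	for _, s := range idx.VolumeSnapshots {
		names = append(names, s.Name)
	}
	return names
}

func main() {
	// Constructed input: the second array entry is null.
	_, err := ParseIndex([]byte(`{"name":"vol1","volume_snapshots":[{"name":"snap0"},null]}`))
	fmt.Println("rejected:", err)
}
```

Returning an error at the decode boundary turns a process-wide panic into a failed import request for that one client.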

Impact

Exploitation of this vulnerability causes the Incus daemon to crash, leading to a denial-of-service condition on the affected node. This can be repeated to keep Incus offline, causing prolonged service disruption.

Reproduction

To reproduce this vulnerability, create a custom volume backup archive that includes a null entry in the volume_snapshots array. This can be done by crafting an index.yaml file that specifies a snapshot name while including a null entry in the volume_snapshots array. After creating the archive, import it into a valid storage pool using an Incus client with permission to import custom volumes. The daemon will crash with a nil-pointer dereference error, which can be verified by checking the service logs.

Remediation

Users are advised to update to Incus version 7.0.0 or later, where this vulnerability has been fixed.

Added: May 6, 2026, 9:29 PM
Updated: May 6, 2026, 9:29 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 6.6
remediation: 0.0
relevance: 7.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.