OVN Northbound Database
cpe:2.3:a:ovn:open_virtual_network:*:*:*:*:*:*:*
- < 7.0.0
A vulnerability exists in Incus, a system container and virtual machine manager, in versions prior to 7.0.0. The issue arises from flawed TLS validation in the Open Virtual Network (OVN) database connection logic, which can enable connections to an attacker's OVN database. This vulnerability is present because the OVN client implementations disable standard TLS server verification and replace it with custom peer-certificate verification that does not properly anchor trust in the configured CA certificate. Instead, it relies on certificates supplied by the peer during the handshake, allowing an attacker to present a rogue self-signed certificate chain that is accepted as valid. This flaw undermines the intended CA-based trust model for OVN database connections, particularly in clustered deployments where it can lead to endpoint impersonation by an active attacker on the management network.
Exploitation of this vulnerability allows an attacker to impersonate the OVN database endpoint, disrupting the control-plane authentication for OVN database connections. This could have broad networking impacts, especially in clustered OVN deployments where the northbound and southbound databases are critical for network coordination and management.
The vulnerability can be reproduced by configuring an OVN database connection in Incus with a client certificate and a CA certificate. The custom verification logic will accept a rogue certificate that is not properly validated against the CA, demonstrating the flaw in the TLS validation process.
Users can upgrade to Incus version 7.0.0 or later, where this vulnerability is fixed.
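The trust-anchor mistake the advisory describes, side by side with the corrected form, as an added Go example that is not Incus's code or the project's fix: weakVerify builds its root pool from the certificates the peer presented, so the configured CA is never consulted, while strictVerify anchors trust only in the operator-configured CA pool. The function names are assumptions; leaf and extras stand for the parsed rawCerts[0] and rawCerts[1:] that Go's tls.Config.VerifyPeerCertificate callback receives, and makeCert builds constructed test certificates with an assumed throwaway Ed25519 key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func poolOf(certs ...*x509.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	for _, c := range certs {
		p.AddCert(c)
	}
	return p
}

// weakVerify is the flawed pattern: trust is anchored in the certificates the
// peer itself presented, so a rogue self-signed chain verifies against itself
// and the configured CA pool (ignored here on purpose) never enters the decision.
func weakVerify(leaf *x509.Certificate, extras []*x509.Certificate, _ *x509.CertPool) error {
	roots := poolOf(extras...)
	roots.AddCert(leaf) // the peer's own leaf becomes a trust anchor
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots})
	return err
}

// strictVerify is the corrected form: only the operator-configured CA pool
// anchors trust; peer-supplied extras may at most act as intermediates.
func strictVerify(leaf *x509.Certificate, extras []*x509.Certificate, ca *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: ca, Intermediates: poolOf(extras...)})
	return err
}

// makeCert builds a constructed test certificate (assumed helper, not real OVN
// material): a self-signed CA when parent is nil, otherwise a leaf signed by parent.
func makeCert(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: parent == nil,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature}
	if parent == nil {
		parent, parentKey = tmpl, key // self-sign with the freshly generated key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
```

Build a CA with makeCert("ovn-ca", nil, nil), a leaf signed by it and an unrelated self-signed certificate, then pass each leaf to both functions with poolOf(ca) as the trust store: weakVerify accepts every peer, strictVerify accepts only the CA-issued one.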