Incus Unbounded Binary Import Disk Exhaustion Vulnerability Allowing Denial-of-Service

A denial-of-service vulnerability has been identified in Incus, a system container and virtual machine manager, prior to version 7.0.0. The issue arises when authenticated users upload large amounts of data, which can exhaust the server's disk space and potentially disrupt the host system. This vulnerability is less impactful for users with 'storage.images_volume' and 'storage.backups_volume' configurations, as large uploads would be directed to those volumes instead of the host filesystem. However, in multi-tenant environments, this issue could be exploited to consume shared disk space, leading to service disruptions.

Impact

Exploitation of this vulnerability can cause the Incus server to run out of disk space, potentially taking down the host system. In multi-tenant deployments, this could lead to shared disk space exhaustion and cause denial-of-service on the node.

Reproduction

The vulnerability can be reproduced by initiating a long-lived upload of application/octet-stream data, such as null bytes, to the Incus instance import endpoint. This can be done using a tool like 'curl' to send a continuous stream of data while keeping the connection open. Monitoring the host's temporary backup directory will show the disk space being consumed by the uploaded data.

Remediation

Users can update to Incus version 7.0.0 or later, where this vulnerability has been patched.