Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1qcG1jLTdwOWMtNHJ4Zs4ABCNa
lxd has a restricted TLS certificate privilege escalation when in PKI mode
Summary
If a server.ca file is present in LXD_DIR at LXD start up, LXD is in "PKI mode". In this mode, all clients must have certificates that have been signed by the CA.
The LXD configuration option core.trust_ca_certificates defaults to false. This means that although the client certificate has been signed by the CA, LXD will additionally add the certificate to the trust store and verify it via mTLS.
When a restricted certificate is added to the trust store in this mode, it's restrictions are not honoured, and the client has full access to LXD.
Details
When authorization was refactored to allow for generalisation (at the time for TLS, RBAC, and OpenFGA, see https://github.com/canonical/lxd/pull/12313), PKI mode did not account for the core.trust_ca_certificates configuration option. When this option is enabled, all CA-signed client certificates are given full access to LXD. This cherry-pick from Incus was added to LXD to fix the issue.
The cherry-pick fixed the immediate issue and allowed full access to LXD for CA-signed client certificates when core.trust_ca_certificates is enabled, but did not consider the behaviour of LXD when core.trust_ca_certificates is disabled.
When core.trust_ca_certificates is false, restrictions that are applied to a certificate should be honoured. Instead, they are being ignored due to the presence of a server.ca file in LXD_DIR.
PoC
# Install/initialize LXD
$ snap install lxd --channel 5.21/stable
$ lxd init --auto
$ lxc config set core.https_address=127.0.0.1:8443
# Use easyrsa for configuring CA: https://github.com/OpenVPN/easy-rsa
$ cp -R /usr/share/easy-rsa "/tmp/pki"
$ export EASYRSA_KEY_SIZE=4096
$ cd /tmp/pki
$ ./easyrsa init-pki
$ echo "lxd" | ./easyrsa build-ca nopass
$ ./easyrsa build-client-full lxd-client nopass
$ cp pki/ca.crt /var/snap/lxd/common/lxd/server.ca
$ cp pki/issued/lxd-client.crt ~/snap/lxd/common/config/client.crt
$ cp pki/private/lxd-client.key ~/snap/lxd/common/config/client.key
# Restart daemon.
$ systemctl reload snap.lxd.daemon
# Add a restricted certificate to the trust store.
$ token="$(lxc config trust add --name ca-test --quiet --restricted)"
$ lxc remote add tls "${token}"
# Our client has a CA-signed certificate, but it is restricted, so the client should not be able to view server config.
$ lxc config get tls: core.https_address
127.0.0.1:8443
Impact
I believe this vulnerability is low impact because PKI mode is:
- Not the standard or recommended mode of operation for LXD.
- While
core.trust_ca_certificatesdefaults to false, we believe that users who enable PKI mode will generally havecore.trust_ca_certificatesenabled to allow for passwordless PKI with CRL revocation (see https://github.com/canonical/lxd/issues/3832). When this mode is enabled, all clients with CA-signed certificates have root access* anyway.
*Note: If a restricted certificate is added before core.trust_ca_certificates is enabled, the certificate becomes unrestricted. We believe this was the original intention of the PR, but this should be changed to disallow any unintended permission change.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qcG1jLTdwOWMtNHJ4Zs4ABCNa
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: 8 days ago
Updated: 8 days ago
CVSS Score: 3.8
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
EPSS Percentage: 0.00043
EPSS Percentile: 0.10595
Identifiers: GHSA-jpmc-7p9c-4rxf, CVE-2024-6219
References:
- https://github.com/canonical/lxd/security/advisories/GHSA-jpmc-7p9c-4rxf
- https://nvd.nist.gov/vuln/detail/CVE-2024-6219
- https://github.com/canonical/lxd/pull/12313
- https://pkg.go.dev/vuln/GO-2024-3313
- https://www.cve.org/CVERecord?id=CVE-2024-6219
- https://github.com/advisories/GHSA-jpmc-7p9c-4rxf
Blast Radius: 0.0
Affected Packages
go:github.com/canonical/lxd
Dependent packages: 25Dependent repositories: 1
Downloads:
Affected Version Ranges: < 0.0.0-20240403103450-0e7f2b5bf4d2
Fixed in: 0.0.0-20240403103450-0e7f2b5bf4d2
All affected versions: 0.0.0-20230831071803-b3f644a1c2e3, 0.0.0-20230831121237-1af2f0a4f0d8, 0.0.0-20230831122301-df37eebd8450, 0.0.0-20230901073441-b23c0292f163, 0.0.0-20230901080312-16ec502b1318, 0.0.0-20230901103641-023e4e31c093, 0.0.0-20230904093241-addea19ecc01, 0.0.0-20230904122353-010f6fb8997c, 0.0.0-20230904152157-b113a6cbc9e3, 0.0.0-20230904160058-a977a54025bb, 0.0.0-20230905150901-5938ad989d5f, 0.0.0-20230905155827-047578d681b8, 0.0.0-20230905181304-41707cd7a201, 0.0.0-20230905183532-9753bfc271c7, 0.0.0-20230906070316-f0be0b9da62b, 0.0.0-20230906180525-bbd424b78d32, 0.0.0-20230907154505-db6cec5bfbbf, 0.0.0-20230907175125-07070ec4f964, 0.0.0-20230908200628-227bc5cd75eb, 0.0.0-20230911124201-82b3b0d4a053, 0.0.0-20230912070624-1d38f5d9d8ca, 0.0.0-20230912071027-b3da6fe20693, 0.0.0-20230912094428-9f1e8f4cb306, 0.0.0-20230912121018-46e7c8297bf3, 0.0.0-20230912170532-9d97a60cedd1, 0.0.0-20230913061507-f0a5c0323606, 0.0.0-20230913101255-e1a678aab2c6, 0.0.0-20230913114527-f9db8d521511, 0.0.0-20230913132058-3fe1b0679011, 0.0.0-20230914075744-288dac4b002d, 0.0.0-20230915071655-aa86b8244bb6, 0.0.0-20230915080313-68158489c347, 0.0.0-20230915123906-881163dc7a26, 0.0.0-20230915152527-f4faf3d838eb, 0.0.0-20230915154121-b3fd3c824b5e, 0.0.0-20230915202554-8185f8a7acc1, 0.0.0-20230918100249-998be5af2656, 0.0.0-20230918104700-87fbf8a2beac, 0.0.0-20230918135908-774ad5a88066, 0.0.0-20230918204126-82678b56a630, 0.0.0-20230919074104-fd28846a8e3c, 0.0.0-20230921091703-d7c2a5113344, 0.0.0-20230921150321-79e4136c7d64, 0.0.0-20230922052624-2d8481712055, 0.0.0-20230922131720-618965cf58da, 0.0.0-20230922143838-5c7e84319533, 0.0.0-20230922154101-8a78b655ba2d, 0.0.0-20230924142342-b3e17a96ea3b, 0.0.0-20230925095712-a700a2fc7396, 0.0.0-20230925122558-b8564e463cc1, 0.0.0-20230925180245-8bb5dc0e6822, 0.0.0-20230925202117-188c290d29fc, 0.0.0-20231029190415-18b3c3f349ab, 0.0.0-20231031051956-f61bc3739b84, 0.0.0-20231031160315-447eeea27d98, 0.0.0-20231101233808-96403815db18, 0.0.0-20231102061221-e57a0702e26c, 0.0.0-20231201123857-337b24adab26, 0.0.0-20231203080533-7617d6c7e162, 0.0.0-20231204092102-8f87d18a2865, 0.0.0-20231204093333-9923bc04cda8, 0.0.0-20231204145429-fdc3dc68d9ed, 0.0.0-20231205100600-b06a6703a301, 0.0.0-20231205160015-f7e0bc669ef1, 0.0.0-20231205164416-571c1cbf57cd, 0.0.0-20231205175623-4c8460f80761, 0.0.0-20231205191428-41d5ea920a6a, 0.0.0-20231211092350-688b120a1e07, 0.0.0-20231211100845-09de04f2e79f, 0.0.0-20231211112742-0e4aac486f74, 0.0.0-20231211123743-7294d23f5359, 0.0.0-20231212101442-459484256f5b, 0.0.0-20231212113801-b4c82b11b490, 0.0.0-20231212113931-6b2c9592e968, 0.0.0-20231212131820-00ab49c314c2, 0.0.0-20231212150554-000b1ab2a9e1, 0.0.0-20231214113525-e676fc63c50a, 0.0.0-20240108092319-f3435b041544, 0.0.0-20240108092759-33ab6592a631, 0.0.0-20240108095351-8f920ac525f9, 0.0.0-20240108112534-97792f744ecf, 0.0.0-20240109094929-38ae187ff3d6, 0.0.0-20240115081802-6605050f32f5, 0.0.0-20240117170353-cf9bf2ac0720, 0.0.0-20240117205844-6dc565afb093, 0.0.0-20240118201344-de3f21eeddcf, 0.0.0-20240119094724-5382a2e0709e, 0.0.0-20240119100126-4c05ae43c7e6, 0.0.0-20240119113415-a50a2b36bafb, 0.0.0-20240119113453-4d5ac96bbb45, 0.0.0-20240119133049-4a784760c1ef, 0.0.0-20240119141916-9ffad539f10d, 0.0.0-20240119155232-a7735a9faa4b, 0.0.0-20240119160358-dda97dcbb434, 0.0.0-20240119180521-91efd07d9064, 0.0.0-20240122081125-d3c1928d0c79, 0.0.0-20240122112805-56c051643d53, 0.0.0-20240122132731-675b31b3253d, 0.0.0-20240123104505-1f42fd0d4737, 0.0.0-20240123211146-a89022240be2, 0.0.0-20240124090112-6612e64073cb, 0.0.0-20240125082032-6da9e0ff0540
All unaffected versions: