Horizon Alert
Summary of the vulnerability and why it matters
A critical vulnerability has been identified in the Canonical LXD component, specifically within its device management. This issue could allow an unauthorized user within a virtual environment to access and modify the storage volumes of other virtual environments sharing the same LXD instance, provided a specific security setting is enabled. The primary concern at this stage is to confirm if this specific configuration is in use within your environment.
- Access control flaw allows unauthorized storage access.
- Matters if custom storage volumes are in use.
- Confirm relevance and exposure to affected systems.
Attack Path
How an attacker could exploit the issue
An attacker who has already gained access to one LXD guest can exploit this vulnerability by sending a specially crafted device PATCH request. This request targets the devLXDInstancePatchHandler component over the /dev/lxd interface, provided that security.devlxd.management.volumes is enabled. Successful exploitation allows the attacker to mount, read, and overwrite another guest's storage volumes, potentially leading to data compromise and unauthorized modification.
- Requires existing guest access.
- Triggered by a malicious device PATCH request.
- Risk of unauthorized storage access and modification.
Live Threat
Current exploitation, exposure, and threat context
When the `security.devlxd.management.volumes` setting is enabled, an attacker within a guest environment could potentially access, read, or modify the storage volumes of other guests. This could occur through a specially crafted device PATCH request sent to the `/dev/lxd` interface.
- Guest storage volumes.
- Crafted PATCH request to `/dev/lxd`.
- Unauthorized access to other guests.
Operational Fix
Recommended remediation, mitigation, and detection steps
The direct impact of this vulnerability requires an untrusted guest to already have access to the host system and specifically to the `/dev/lxd` interface with `security.devlxd.management.volumes` enabled. Responsibility for addressing this typically falls to platform or infrastructure teams managing the LXD environment, in coordination with security teams for exposure assessment. The first practical step is to identify all LXD instances, confirm if the affected configuration is present and reachable from within guest environments, and then ascertain the owner responsible for each instance to plan remediation.
- Platform and infrastructure teams own the issue.
- Verify `security.devlxd.management.volumes` status.
- Remediate in the next maintenance window.