Miha Purg

Name of the Vulnerable Software and Affected Versions Canonical LXD versions 4.12 through 6.7 Description Canonical LXD versions 4.12 through 6.7 contain an incomplete denylist in the `isVMLowLevelOptionForbidden` function (lxd/project/limits/permissions.go). This denylist omits `raw.apparmor` and `raw.qemu.conf` from the keys blocked under the `restricted.virtual-machines.lowlevel=block` project restriction. A remote attacker with `can edit` permission on a VM instance in a restricted project can inject an AppArmor rule and a QEMU chardev configuration. This allows bridging the LXD Unix socket into the guest VM, potentially leading to privilege escalation to LXD cluster administrator and subsequently to host root. Recommendations Update to a version beyond 6.7. As a temporary workaround, restrict `can edit` permissions on VM instances within restricted projects.

Name of the Vulnerable Software and Affected Versions Canonical LXD versions prior to 6.8 Description Canonical LXD versions prior to 6.8 have an issue where the backup import path validates project restrictions against `backup/index.yaml` within a supplied tar archive, but instance creation is based on `backup/container/backup.yaml`, which is not subject to the same project restrictions. This allows an authenticated remote attacker with instance creation permissions in a restricted project to bypass project restrictions by crafting a malicious backup archive where `backup.yaml` contains restricted settings, such as `security.privileged=true` or `raw.lxc` directives, potentially leading to full host compromise. Recommendations Update to version 6.8 or later.

Name of the Vulnerable Software and Affected Versions Canonical LXD versions 4.12 through 6.7 Description Canonical LXD versions 4.12 through 6.7 contain a flaw in the `doCertificateUpdate` function within `lxd/certificates.go`. This function fails to validate the `Type` field when processing PUT or PATCH requests to the `/1.0/certificates/{fingerprint}` API endpoint for restricted TLS certificate users. This allows a remote authenticated attacker to potentially escalate privileges to cluster admin. Recommendations Update LXD to a version later than 6.7.

**Name of the Vulnerable Software and Affected Versions** Email-MIME versions prior to 1.954 **Description** An excessive memory use issue exists in Email-MIME, which can cause denial of service when parsing multipart MIME messages. The issue is related to excessive depth and the total number of parts in these messages. **Recommendations** For versions prior to 1.954, update to version 1.954 or later to resolve the issue. As a temporary workaround, consider limiting the depth and total number of parts when parsing multipart MIME messages to minimize the risk of denial of service.