Incus · Incus · CVE-2025-52889
Name of the Vulnerable Software and Affected Versions:
Incus versions 6.12 through 6.13
Description:
Incus is a system container and virtual machine manager. When a network ACL is applied to a NIC device connected to a bridge, Incus generates nftables rules for the bridge's local services, such as DHCP and DNS, that partially bypass the NIC security options `security.mac_filtering`, `security.ipv4_filtering`, and `security.ipv6_filtering`. Traffic from the instance to those services is therefore not subject to the per-instance MAC and IP filtering, which can lead to DHCP pool exhaustion and opens the door to other attacks.
Recommendations:
For versions 6.12 and 6.13, apply the patch in commit 2516fb19ad8428454cb4edfe70c0a5f0dc1da214 (or upgrade to a release that includes it). As a temporary workaround, avoid assigning ACLs to devices connected to a bridge until the patch is applied, since the MAC and IP filtering on those devices cannot be relied on for DHCP and DNS traffic while an ACL is present.
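To find the instances on a host that sit in the vulnerable configuration (a bridged NIC that carries an ACL while MAC or IP filtering is enabled), the following audit script can be run; it is an added example, not code from the advisory or the Incus project. It assumes the JSON from `incus list --format json` carries an `expanded_devices` map with `type`, `network`, `security.acls` and `security.*_filtering` keys, that `incus --version` prints a plain version string, and that point releases of 6.12 and 6.13 share the affected status of their minor. A constructed sample is embedded so it runs offline; ACLs attached at the network level rather than on the device are not covered.

```python
"""Audit an Incus host for CVE-2025-52889 exposure (added example, not Incus code).

Flags instances whose bridged NIC combines a network ACL (`security.acls`)
with MAC/IPv4/IPv6 filtering: the configuration in which the ACL-generated
DHCP/DNS nftables rules partially bypass that filtering. Field names are
assumed to match the Incus instance JSON; ACLs assigned on the bridge network
itself (`incus network show <bridge>`) are not inspected here.
"""
import json
import shutil
import subprocess
from typing import Dict, List, Tuple

AFFECTED_MIN = (6, 12)   # affected range from the advisory, compared on major.minor
AFFECTED_MAX = (6, 13)
FILTER_KEYS = ("security.mac_filtering",
               "security.ipv4_filtering",
               "security.ipv6_filtering")

# Constructed sample of `incus list --format json`, trimmed to the fields used.
SAMPLE_INSTANCES = json.loads("""
[
  {"name": "web1", "expanded_devices": {
     "eth0": {"type": "nic", "network": "incusbr0",
              "security.acls": "web-only",
              "security.mac_filtering": "true",
              "security.ipv4_filtering": "true"},
     "root": {"type": "disk", "path": "/", "pool": "default"}}},
  {"name": "db1", "expanded_devices": {
     "eth0": {"type": "nic", "network": "incusbr0",
              "security.mac_filtering": "true"}}},
  {"name": "batch1", "expanded_devices": {
     "eth0": {"type": "nic", "network": "incusbr0",
              "security.acls": "batch"}}}
]
""")


def parse_version(text: str) -> Tuple[int, ...]:
    """'6.13', '6.13.1' or '6.13-1~distro' -> (6, 13[, 1])."""
    core = text.strip().split()[0].split("-")[0]
    return tuple(int(p) for p in core.split("."))


def version_affected(text: str) -> bool:
    """True for 6.12.x and 6.13.x (assumption: point releases follow their minor)."""
    return AFFECTED_MIN <= parse_version(text)[:2] <= AFFECTED_MAX


def is_enabled(value) -> bool:
    return str(value).strip().lower() in ("true", "1", "yes", "on")


def find_exposed_nics(instances: List[dict]) -> List[Dict[str, str]]:
    """Bridged NICs (network= set) that carry an ACL while filtering is enabled.

    ACL without filtering is not reported: there is no filtering to bypass.
    Filtering without ACL is not reported: the bypassing rules are not generated.
    """
    findings = []
    for inst in instances:
        for dev_name, dev in (inst.get("expanded_devices") or {}).items():
            if dev.get("type") != "nic" or not dev.get("network"):
                continue
            if not str(dev.get("security.acls", "")).strip():
                continue
            active = [k for k in FILTER_KEYS if is_enabled(dev.get(k))]
            if active:
                findings.append({"instance": inst["name"], "device": dev_name,
                                 "acls": dev["security.acls"],
                                 "filters": ",".join(active)})
    return findings


def load_instances() -> List[dict]:
    """Use the real CLI when present on the host, otherwise the embedded sample."""
    if shutil.which("incus") is None:
        return SAMPLE_INSTANCES
    out = subprocess.run(["incus", "list", "--format", "json"],
                         capture_output=True, text=True, check=True).stdout
    return json.loads(out)


def main() -> None:
    if shutil.which("incus"):
        ver = subprocess.run(["incus", "--version"], capture_output=True, text=True).stdout
        try:
            state = "in affected range" if version_affected(ver) else "outside affected range"
        except ValueError:
            state = "version string not understood"
        print(f"incus {ver.strip()}: {state}")
    for f in find_exposed_nics(load_instances()):
        print(f"{f['instance']}/{f['device']}: ACL '{f['acls']}' with {f['filters']} "
              f"-> filtering bypassed for DHCP/DNS; remove the ACL or apply the patch")


if __name__ == "__main__":
    main()
```

Run it on the host as a user with access to the Incus socket; each reported instance/device pair is one where the workaround (removing the ACL from the device) or the patch is needed. The nftables rules Incus generates for the bridge can be listed with `nft list ruleset` on the host to confirm the behaviour before and after patching.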