PT-2024-37418 · Canonical+2 · Lxd+2

Markylaing

·

Published

2024-12-02

·

Updated

2025-11-17

·

CVE-2024-6156

CVSS v3.1

3.8

Low

Vector AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: LXD versions 4.0 through 5.21.1
Description: A security issue was discovered in LXD's PKI mode. In PKI mode LXD is meant to accept only client certificates signed by the configured certificate authority, but a client certificate that is present in the trust store is accepted even if it is not signed by that CA, so the CA signature requirement can be bypassed. This issue affects LXD only when it is in PKI mode, which is enabled when a server.ca file is present in LXD_DIR at startup. The impact is considered low because PKI mode is unlikely to have a large user base and authentication is not entirely bypassed: the client certificate must already be in the trust store. The estimated number of potentially affected devices is not specified.
Technical details: The ClientAuth field of the server's tls.Config is set to tls.RequestClientCert. In Go's crypto/tls this asks the client for a certificate during the handshake but neither requires one nor verifies a presented certificate against any CA; the presented chain is passed to the application without chain verification. If a client sends a certificate that is not signed by the CA during the TLS handshake and that certificate is present in the trust store, the trust-store lookup succeeds and the client is authenticated. This can be demonstrated with a manual client such as cURL, which sends the configured client certificate during the handshake.
Recommendations: For LXD versions 4.0 through 5.21.1, update to version 5.21.2 or later to resolve the issue. Until then, restrict who can add certificates to the trust store, since a trust-store entry is the precondition for exploitation, and do not keep certificates that are not signed by the CA in the trust store while PKI mode is enabled. Existing entries can be reviewed with lxc config trust list and removed by fingerprint with lxc config trust remove.
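
The crypto/tls behaviour described under the technical details, as an added, self-contained Go example; it is not LXD's code and not the patch LXD shipped. It generates a throwaway CA, a server certificate, one CA-signed client certificate and one self-signed client certificate, puts both client fingerprints in a trust store modelled on LXD's, and runs real handshakes over loopback. With ClientAuth set to tls.RequestClientCert the self-signed certificate authenticates, because the fingerprint lookup is the only check. With tls.VerifyClientCertIfGiven and ClientCAs set to the CA (the hardening assumed here, not necessarily LXD's own fix) the handshake is rejected before the trust store is consulted, while the CA-signed client still works. The hostname lxd.example.test and all certificate names are made up. The demo client returns its certificate unconditionally from GetClientCertificate because Go's default selection withholds a certificate whose issuer is not in the CA list the hardened server advertises; a manual client such as cURL, as the advisory notes, sends the certificate regardless.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Added demo of the crypto/tls behaviour behind CVE-2024-6156 (not LXD code); certificates are generated in-process, names are made up.

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

// issue creates a certificate for name; parent == nil means self-signed, i.e.
// the "non-CA signed" client certificate the advisory describes.
func issue(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (tls.Certificate, *x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))),
		Subject:      pkix.Name{CommonName: name}, DNSNames: []string{name}, IsCA: isCA,
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
	}
	if isCA { tmpl.KeyUsage |= x509.KeyUsageCertSign }
	if parent == nil { parent, parentKey = tmpl, key }
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, must(x509.ParseCertificate(der)), key
}

// fingerprint is the SHA-256 hex of the DER certificate, the key an LXD-style trust store uses.
func fingerprint(c *x509.Certificate) string { return fmt.Sprintf("%x", sha256.Sum256(c.Raw)) }
func pool(ca *x509.Certificate) *x509.CertPool { p := x509.NewCertPool(); p.AddCert(ca); return p }

// serverConfig with hardened=false is the vulnerable setting: tls.RequestClientCert asks for a certificate but
// crypto/tls never checks who signed it. hardened=true is the fix assumed here (not necessarily LXD's own
// patch): a presented certificate must chain to the CA or the handshake fails before any trust-store lookup.
func serverConfig(srv tls.Certificate, ca *x509.Certificate, hardened bool) *tls.Config {
	cfg := &tls.Config{Certificates: []tls.Certificate{srv}, ClientAuth: tls.RequestClientCert, MinVersion: tls.VersionTLS12}
	if hardened {
		cfg.ClientCAs = pool(ca)
		cfg.ClientAuth = tls.VerifyClientCertIfGiven
	}
	return cfg
}

// connect runs one handshake over loopback and reports whether the server side authenticated the
// client (fingerprint in the trust store, issuer never inspected); a handshake rejection comes back as err.
func connect(srvCfg *tls.Config, client tls.Certificate, ca *x509.Certificate, trusted map[string]bool) (bool, error) {
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	ok, done := false, make(chan error, 1)
	go func() {
		conn := tls.Server(must(ln.Accept()), srvCfg)
		defer conn.Close()
		err := conn.Handshake()
		if cs := conn.ConnectionState(); err == nil && len(cs.PeerCertificates) > 0 {
			ok = trusted[fingerprint(cs.PeerCertificates[0])]
		}
		done <- err
	}()
	cli, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: pool(ca), ServerName: "lxd.example.test", MinVersion: tls.VersionTLS12,
		// Always present the certificate, as curl does; Go's default selection would withhold one whose issuer is not in the CA list the hardened server advertises.
		GetClientCertificate: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) { return &client, nil }})
	if err != nil { return false, err } // a TLS 1.2 client already sees the server's rejection here
	defer cli.Close()
	err = <-done // a TLS 1.3 client returns from Dial before the server has checked its certificate
	return ok, err
}

// Scenarios returns, per case, whether the client authenticated; both client fingerprints are in the trust store (the advisory's precondition).
func Scenarios() map[string]bool {
	_, ca, caKey := issue("demo-ca", true, nil, nil)
	srv, _, _ := issue("lxd.example.test", false, ca, caKey)
	good, goodCert, _ := issue("ca-signed-client", false, ca, caKey)
	rogue, rogueCert, _ := issue("self-signed-client", false, nil, nil)
	trusted := map[string]bool{fingerprint(goodCert): true, fingerprint(rogueCert): true}
	out := map[string]bool{}
	for _, c := range []struct{ name string; hardened bool; client tls.Certificate }{
		{"vulnerable/self-signed", false, rogue}, // accepted: this is the bug
		{"hardened/self-signed", true, rogue},    // rejected: server-side verification fails
		{"hardened/ca-signed", true, good},       // legitimate clients still work
	} {
		ok, err := connect(serverConfig(srv, ca, c.hardened), c.client, ca, trusted)
		fmt.Printf("%-22s authenticated=%-5t err=%v\n", c.name, ok, err)
		out[c.name] = ok
	}
	return out
}

func main() { Scenarios() }
```

Run it with go run; the three lines it prints show authenticated=true for the self-signed certificate only under the vulnerable configuration, and the hardened server reports the verification error for that certificate. Setting ClientCAs also makes the server advertise the CA in its CertificateRequest, which is why a well-behaved client stops offering unrelated certificates; that is a convenience, not the security boundary. The VerifyClientCertIfGiven verification is what blocks a client that sends the certificate anyway, which is the case the advisory's cURL reproduction exercises.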

Fix

Weakness Enumeration

Improper Certificate Validation (CWE-295)

Related Identifiers

CVE-2024-6156
GHSA-4C49-9FPC-HC3V
GO-2024-3312
OPENSUSE-SU-2024:14567-1

Affected Products

Debian
Lxd
Red Os