Lack of data validation In incus
Description
Canonical LXD Vulnerable to Privilege Escalation via WebSocket Connection Hijacking in Operations API
Impact
LXD's operations API includes secret values necessary for WebSocket connections when retrieving information about running operations. These secret values are used for authentication of WebSocket connections for terminal and console sessions.
Therefore, attackers with only read permissions can use secret values obtained from the operations API to hijack terminal or console sessions opened by other users. Through this hijacking, attackers can execute arbitrary commands inside instances with the victim's privileges.
Reproduction Steps
Log in to LXD-UI using an account with read-only permissions
Open browser DevTools and execute the following JavaScript code
Note that this JavaScript code uses the /1.0/events API to capture execution events for terminal startup, establishes a websocket connection with that secret, and sends touch /tmp/xxx to the data channel.
(async () => { class LXDEventsSession { constructor(callback) { this.wsBase = `wss://${window.location.host}/1.0/events?type=operation&all-p rojects=true`; this.eventsConn = new WebSocket(this.wsBase); this.eventsConn.onopen = (event) => {...
Have another user (or yourself for testing) start a terminal or console session on an instance At this time, whoever uses the secret first gains session rights, so it's recommended to intentionally slow down communication speed using DevTools' bandwidth throttling feature for verification.
Refresh the attacker's browser tab to stop event listening
Have the victim reopen their terminal/console session and verify:
$ ls -la /tmp/xxx
Risk
Attack conditions require that the attacker has read permissions for the project, the victim (a user with higher privileges) opens a terminal or console session, and the attacker hijacks the WebSocket connection at the appropriate timing. Therefore, while successful attacks result in privilege escalation, the attack timing is very critical, making the realistic risk of attack relatively low.
Countermeasures
As a fundamental countermeasure, it is recommended to exclude WebSocket connection secret information from operations API responses for read-only users. In the current implementation, the operations API returns all operation information (including secret values) regardless of permission level, which violates the principle of least privilege.
Specifically, in lxd/operations.go, user permissions should be checked, and for users with read-only permissions, WebSocket-related secrets (fds field) should be excluded from operation metadata. This prevents attackers from obtaining secret values, making WebSocket connection hijacking impossible.
Patches
LXD Series | Status |
|---|---|
6 | Fixed in LXD 6.5 |
5.21 | Fixed in LXD 5.21.4 |
5.0 | Ignored - Not critical |
4.0 | Ignored - EOL and not critical |
References
Reported by GMO Flatt Security Inc.
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
 debian 13 | 6.0.4-2+deb13u1 | ||
debian 14 | 6.0.5-1 | ||
debian 12 | - | ||
debian 13 | - | ||
 go | 5.21.4, 6.5, 0.0.0-20250827065555-0494f5d47e41 |
Aliases
References