Impact Analysis

The main impact of this vulnerability is a denial of service condition on the Incus control plane API.

An attacker with access to the storage bucket feature can repeatedly crash the Incus daemon, causing the server to remain offline.

While running containers and virtual machines are not affected and will continue to operate, the management and control functions provided by the Incus daemon will be unavailable during the attack.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Incus to version 6.23.0 or later, as this version fixes the issue.

Additionally, restrict user access to the Incus storage bucket feature to prevent unauthorized users from exploiting the specially crafted storage bucket backup attack.

Useful 0 Not Useful 0

Executive Summary

This vulnerability affects Incus, a system container and virtual machine manager. Before version 6.23.0, an attacker with access to the storage bucket feature can create a specially crafted storage bucket backup that causes the Incus daemon to crash.

Repeated exploitation of this flaw can keep the server offline by causing a denial of service on the control plane API.

However, this vulnerability does not affect running workloads, containers, or virtual machines, which will continue to operate normally.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability causes a denial of service (DoS) condition on the Incus daemon, which can keep the server offline and impact the availability of the control plane API.

Since the vulnerability does not impact the confidentiality or integrity of data, and running workloads, containers, and virtual machines remain operational, it primarily affects availability.

In terms of compliance with standards like GDPR or HIPAA, which require ensuring availability of systems and services, this vulnerability could pose a risk to meeting availability requirements.

However, there is no direct information provided about specific compliance impacts or mitigations related to this vulnerability.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring the Incus daemon (incusd) for crashes or panic logs related to the storage bucket backup restore process.

Specifically, look for panic messages in the daemon logs indicating a runtime error such as: panic: runtime error: slice bounds out of range [14:8] in the TransferManager.UploadAllFiles function.

To detect attempts to exploit this vulnerability, you can check for the presence of specially crafted tar archives being imported into storage pools, especially those containing entries with header names shorter than the expected prefix "backup/bucket/".

Suggested commands to help detect this issue include:

• Check Incus daemon logs for panic messages: sudo journalctl -u incusd | grep panic
• Monitor for daemon crashes or restarts: sudo systemctl status incusd
• If you have access to storage bucket backups, inspect tar archives for suspicious entries with short header names, for example using tar command: tar -tf backup.tar | grep -v '^backup/bucket/'

Useful 0 Not Useful 0