CVE-2026-35527
Analyzed - Analysis Complete
Blind SSRF in Incus Container Manager

Publication date: 2026-05-05

Last updated on: 2026-05-07

Assigner: GitHub, Inc.

Description
Incus is an open source container and virtual machine manager. In versions prior to 7.0.0, the image import flow issues an outbound HEAD request to a user-supplied URL before validating the request against project restrictions such as restricted.images.servers. The imgPostURLInfo function constructs and sends a HEAD request directly from the attacker-supplied source URL to resolve image metadata, and this network interaction occurs before the flow reaches the point where the import would be rejected by policy. Although the actual image download is blocked by the project restriction, an authenticated user can coerce the daemon into making blind HEAD requests to arbitrary destinations. These requests include server metadata in custom headers (Incus-Server-Architectures, Incus-Server-Version), which discloses information about the host environment to the attacker-controlled endpoint. This blind SSRF primitive can be used to probe internal services, unroutable address space, or cloud metadata endpoints reachable from the host. This vulnerability pattern is similar to CVE-2026-24767. This issue has been fixed in version 7.0.0.
Meta Information
Published: 2026-05-05
Last Modified: 2026-05-07
Generated: 2026-06-16
AI Q&A: 2026-05-06
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Showing 1 associated CPE
Vendor: linuxcontainers; Product: incus; Version / Range: up to 7.0.0 (excluding)
CWE-918 (Server-Side Request Forgery): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
AI Quick Actions
Executive Summary

This vulnerability exists in Incus, an open source container and virtual machine manager, in versions prior to 7.0.0. During the image import process, the daemon issues an outbound HEAD request to a user-supplied URL before checking whether the request complies with project restrictions such as restricted.images.servers.

Specifically, the imgPostURLInfo function sends a HEAD request directly to the attacker-controlled URL to retrieve image metadata. This network request happens before the system enforces policies that would normally block the import.

Although the actual image download is blocked by these restrictions, an authenticated user can exploit this behavior to make the daemon send blind HEAD requests to arbitrary destinations. These requests include custom headers that disclose server metadata, such as server architecture and version, revealing information about the host environment.

This blind Server-Side Request Forgery (SSRF) can be used by an attacker to probe internal services, unroutable address space, or cloud metadata endpoints reachable from the host.

The issue was fixed in Incus version 7.0.0.
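The ordering defect described in the Description and the Executive Summary, as an added Go model that is not Incus's own code: a simplified restricted.images.servers check, the pre-7.0.0 flow that contacts the source before that check, and the 7.0.0 flow that checks first. The function names, the allowlist format (a list of server URLs) and the injected head callback, which stands in for the metadata request so that nothing leaves the process, are assumptions of this model.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)
var ErrNotPermitted = errors.New("image server not permitted by restricted.images.servers")

// checkImageServer is a simplified model of the project restriction: the source must be an
// https URL whose host matches an allowlist entry; an empty allowlist permits nothing here.
func checkImageServer(source string, allowed []string) error {
	u, err := url.Parse(source)
	if err != nil || u.Scheme != "https" {
		return errors.New("source must be a parseable https URL")
	}
	for _, a := range allowed {
		if au, err := url.Parse(a); err == nil && strings.EqualFold(u.Host, au.Host) {
			return nil
		}
	}
	return ErrNotPermitted
}

// importVulnerable models the pre-7.0.0 ordering: the metadata request (head) runs before policy.
func importVulnerable(source string, allowed []string, head func(string) error) error {
	if err := head(source); err != nil {
		return err
	}
	return checkImageServer(source, allowed) // too late: the destination has already been contacted
}

// importFixed models the 7.0.0 ordering: policy first, network second.
func importFixed(source string, allowed []string, head func(string) error) error {
	if err := checkImageServer(source, allowed); err != nil {
		return err
	}
	return head(source)
}

func main() {
	sent := 0 // counts HEAD requests the flow would have issued
	rec := func(string) error { sent++; return nil }
	allowed := []string{"https://images.example.org"}
	err := importVulnerable("https://internal.example/", allowed, rec)
	fmt.Println("vulnerable:", err, "| HEAD sent:", sent)
	sent = 0
	err = importFixed("https://internal.example/", allowed, rec)
	fmt.Println("fixed:", err, "| HEAD sent:", sent)
}
```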

Impact Analysis

This vulnerability allows an authenticated user to coerce the Incus daemon into making blind HEAD requests to arbitrary URLs, potentially including internal or sensitive network endpoints.

Because these requests include server metadata in custom headers, an attacker can gain information about the host environment, such as server architecture and version.

This can lead to information disclosure and reconnaissance opportunities for attackers, enabling them to probe internal services, unroutable address space, or cloud metadata services that could be leveraged for further attacks.

Mitigation Strategies

The vulnerability has been fixed in Incus version 7.0.0. Immediate mitigation involves upgrading the Incus software to version 7.0.0 or later.

Detection Guidance

This vulnerability involves the Incus daemon making outbound HEAD requests to attacker-supplied URLs before validating project restrictions. Detection can focus on monitoring for unusual outbound HEAD requests originating from the Incus service, especially to unexpected or external destinations.

To detect exploitation attempts, you can monitor network traffic for HEAD requests sent by the Incus daemon. For example, using tcpdump or similar tools to capture outbound HTTP HEAD requests may help identify suspicious activity.

  • Use tcpdump to capture outbound HEAD requests, locating the payload from the TCP header length so the filter works whatever TCP options are present: tcpdump -i <interface> 'tcp[tcpflags] & tcp-push != 0 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x48454144' -w incus_head_requests.pcap
  • Alternatively, use tshark to filter HTTP HEAD requests: tshark -i <interface> -Y 'http.request.method == "HEAD"' -T fields -e ip.src -e http.host -e http.request.uri

Additionally, review Incus daemon logs for any unusual image import attempts or requests to external URLs prior to version 7.0.0.
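Added example, not from this page or the Incus project: a Go filter over tshark field output in the shape the tshark command above prints, which keeps HEAD requests from the Incus host to non-public addresses or to hosts outside the project's image-server allowlist. The sample lines, addresses and allowlist are constructed.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Constructed sample in the shape the tshark command above prints (tab-separated ip.src, http.host, http.request.uri).
const sampleOutput = "10.0.0.7\timages.example.org\t/streams/v1/index.json\n" +
	"10.0.0.7\t10.0.0.5:8080\t/\n" +
	"10.0.0.7\t169.254.169.254\t/\n" +
	"10.0.0.9\timages.example.org\t/streams/v1/index.json\n" +
	"10.0.0.7\tmirror.example.net\t/\n"

// Finding is one HEAD request worth a second look.
type Finding struct{ Src, Host, URI, Reason string }

// flagHeadRequests keeps requests sourced from the Incus host (incusSrc) whose destination
// is a non-public address or not an allowlisted image server (allowed models the hosts
// named in the project's restricted.images.servers; keys are lower-case).
func flagHeadRequests(output, incusSrc string, allowed map[string]bool) []Finding {
	var out []Finding
	for _, line := range strings.Split(strings.TrimSpace(output), "\n") {
		f := strings.Split(line, "\t")
		if len(f) != 3 || f[0] != incusSrc {
			continue // malformed line, or not sent by the Incus daemon's host
		}
		host := f[1]
		if h, _, err := net.SplitHostPort(host); err == nil {
			host = h // drop an explicit :port
		}
		ip := net.ParseIP(host)
		switch {
		case ip != nil && (ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast()):
			out = append(out, Finding{f[0], host, f[2], "HEAD to non-public address"})
		case !allowed[strings.ToLower(host)]:
			out = append(out, Finding{f[0], host, f[2], "HEAD to host outside image-server allowlist"})
		}
	}
	return out
}

func main() {
	allowed := map[string]bool{"images.example.org": true}
	for _, f := range flagHeadRequests(sampleOutput, "10.0.0.7", allowed) {
		fmt.Printf("%s -> %s%s: %s\n", f.Src, f.Host, f.URI, f.Reason)
	}
}
```

Both capture filters above and this parser only see plaintext HTTP; a HEAD request sent over HTTPS shows up in a capture as a TLS connection from the Incus host, so destination-based review of those connections is needed to cover it.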

Compliance Impact

This vulnerability allows an authenticated user to coerce the daemon into making blind HEAD requests to arbitrary destinations, disclosing server metadata such as host environment information to attacker-controlled endpoints.

Such information disclosure and potential probing of internal services or cloud metadata endpoints could lead to unauthorized access or data exposure, which may impact compliance with standards and regulations that require protection of sensitive data and infrastructure, such as GDPR and HIPAA.

However, the provided context does not explicitly describe the direct impact on compliance with these standards.
