CVE-2026-39402
Authorization Bypass in LXC User-NIC for OVS Port Deletion
Publication date: 2026-05-05
Last updated on: 2026-05-06
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linuxcontainers | lxc | < 7.0.0 (fixed in 7.0.0) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability results in a denial-of-service (DoS) condition by allowing an unprivileged user to delete network interfaces of other users' containers in multi-tenant environments. It impacts availability but does not affect confidentiality or integrity of data.
Since the vulnerability does not lead to unauthorized access to or disclosure of personal or sensitive data, its direct impact on compliance with data protection regulations such as GDPR or HIPAA is limited.
However, the disruption of network availability could indirectly affect compliance if it impairs the availability of systems that process or store regulated data, as availability is a key principle in many security frameworks.
Can you explain this vulnerability to me?
This vulnerability is in lxc-user-nic, the setuid-root helper that the lxc container runtime uses to let unprivileged users create and delete host network interfaces. The flaw is a logic error in the find_line() function that scans the helper's NIC database when a deletion is requested: a database record can be accepted on a matching interface name alone, without confirming that the requesting user is the recorded owner and that the recorded type and link (bridge) fields also match.
Because the comparison that decides the match sits after a goto next label that bypasses the earlier ownership checks, any unprivileged user who holds a valid lxc-usernet entry can ask the helper to delete an Open vSwitch (OVS)-attached interface that belongs to a different user. In a multi-tenant deployment this lets one tenant delete another tenant's OVS ports on the same bridge.
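The authorization logic described above, as an added illustrative model rather than lxc's own code (the real check is C in lxc-user-nic's find_line()). The record layout "owner type link nicname" is assumed from the fields the description names, and the two-tenant database below is constructed; the point is to show why a name-only match lets one tenant's deletion request succeed against another tenant's port while the all-fields match does not.

```python
# Added illustrative model of the lxc-user-nic delete authorization check
# (not lxc's own code). The real logic is C in lxc-user-nic's find_line();
# the record layout "owner type link nicname" is assumed from the fields the
# CVE description names, and the sample database below is constructed.
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class NicRecord:
    owner: str  # user who created the interface
    type: str   # nic type granted in lxc-usernet, e.g. veth
    link: str   # bridge the interface is attached to
    name: str   # host-side interface name


def parse_db(text: str) -> list:
    """Parse one 'owner type link nicname' record per line; skip malformed lines."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4:
            records.append(NicRecord(*fields))
    return records


def find_line_flawed(db, owner, nic_type, link, name) -> Optional[NicRecord]:
    """Models the pre-7.0.0 behaviour: a record is accepted as soon as the
    interface name matches, so the owner/type/link comparisons never bind."""
    for rec in db:
        if rec.name == name:
            return rec
    return None


def find_line_fixed(db, owner, nic_type, link, name) -> Optional[NicRecord]:
    """Every field must match the requester's claim before a record is returned."""
    for rec in db:
        if (rec.owner, rec.type, rec.link, rec.name) == (owner, nic_type, link, name):
            return rec
    return None


def may_delete(db, requester, nic_type, link, name, find_line: Callable) -> bool:
    """True if the helper would go on to delete `name` on behalf of `requester`."""
    return find_line(db, requester, nic_type, link, name) is not None


# Constructed NIC database: two tenants sharing one OVS bridge.
SAMPLE_DB = """\
alice veth ovsbr0 vethalice0
bob veth ovsbr0 vethbob0
"""

if __name__ == "__main__":
    db = parse_db(SAMPLE_DB)
    # alice asks the helper to delete bob's port on the shared bridge
    print("flawed:", may_delete(db, "alice", "veth", "ovsbr0", "vethbob0", find_line_flawed))  # True
    print("fixed: ", may_delete(db, "alice", "veth", "ovsbr0", "vethbob0", find_line_fixed))   # False
```

The flawed variant never consults the requester at all once the name matches, which is exactly the condition that makes a shared bridge a multi-tenant problem: interface names are global on the host, so any tenant can name any other tenant's port.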
How can this vulnerability impact me?
The primary impact is denial of service in multi-tenant environments that use lxc-user-nic with Open vSwitch bridges. A malicious tenant can repeatedly cut other tenants' containers off the network on shared infrastructure by deleting their OVS-attached interfaces; no data is read or modified.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is fixed in lxc 7.0.0; upgrade to 7.0.0 or later.
Until the upgrade is in place, reduce exposure where lxc-user-nic is used with OVS bridges: review /etc/lxc/lxc-usernet and remove or tighten entries that grant untrusted users interfaces on a bridge shared with other tenants, and avoid placing containers of different tenants on the same OVS bridge.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection has two parts: confirm whether the host runs an lxc release older than 7.0.0, and establish whether lxc-user-nic is in use with Open vSwitch bridges shared between tenants.
Since the flaw lets an unprivileged user delete OVS-attached interfaces owned by other users, monitoring for unexpected port removals on those bridges is the most direct way to spot exploitation.
Suggested commands to help detect or investigate potential exploitation include:
- Check the installed lxc version: `lxc-ls --version`, or ask the package manager (`dpkg -l | grep lxc` on Debian/Ubuntu, `rpm -q lxc` on RPM-based systems).
- List the ports currently attached to each OVS bridge and compare them with what each tenant's containers should have: `ovs-vsctl show`, `ovs-vsctl list-ports <bridge>` and `ovs-vsctl list interface`. OVS does not record who created a port; the owner of each interface is in lxc-user-nic's own NIC database under /run/lxc/nics, so reconcile the two.
- Watch for interface removals as they happen with `ip monitor link`, and review ovs-vswitchd's log (typically /var/log/openvswitch/ovs-vswitchd.log) for "deleted interface" entries on shared bridges. lxc-user-nic is not a systemd unit, so `journalctl -u lxc-user-nic` returns nothing.
- Audit executions of the setuid helper with auditd, e.g. `auditctl -w <path-to-lxc-user-nic> -p x -k lxc-user-nic` (the binary lives in the distribution's lxc libexec directory, for example /usr/lib/x86_64-linux-gnu/lxc/ on Debian/Ubuntu), then review `ausearch -k lxc-user-nic` for `delete` invocations whose caller is not the recorded owner of the named interface.
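The reconciliation and audit checks above, as an added example (not from lxc or the advisory) that runs over constructed sample data embedded in the block. On a real host the same functions take the output of `lxc-ls --version`, the NIC database (path assumed as /run/lxc/nics, with the "owner type link nicname" layout assumed from the fields the description names) and `ovs-vsctl list-ports <bridge>`; the (user, interface) pairs fed to the last check would be recovered from auditd execve records of lxc-user-nic.

```python
# Added detection helper for CVE-2026-39402 (not from lxc or the advisory).
# Runs over constructed sample data; on a host, feed it real command output.
import re
from collections import defaultdict

FIXED_VERSION = (7, 0, 0)  # fixed in lxc 7.0.0 per the advisory


def parse_version(text: str) -> tuple:
    """Turn '6.0.4', '5.0.3-1ubuntu1' or '7.1' into a comparable tuple."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def version_is_vulnerable(text: str) -> bool:
    return parse_version(text) < FIXED_VERSION


def parse_nic_db(text: str) -> dict:
    """Map nicname -> (owner, type, link). Layout 'owner type link nicname'
    is assumed from the fields the advisory names; malformed lines are skipped."""
    db = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) == 4:
            db[f[3]] = (f[0], f[1], f[2])
    return db


def missing_ports(db: dict, live_ports: set, bridge: str) -> dict:
    """Interfaces the DB records on `bridge` that are no longer on the switch:
    candidates for an unexpected deletion, grouped by recorded owner."""
    gone = defaultdict(list)
    for name, (owner, _nic_type, link) in db.items():
        if link == bridge and name not in live_ports:
            gone[owner].append(name)
    return dict(gone)


def cross_owner_deletes(db: dict, invocations) -> list:
    """Given (user, nicname) pairs for observed `lxc-user-nic delete` runs,
    report those where the caller is not the recorded owner of the interface."""
    hits = []
    for user, name in invocations:
        rec = db.get(name)
        if rec and rec[0] != user:
            hits.append((user, name, rec[0]))
    return hits


# --- constructed sample data ---
SAMPLE_DB = """\
alice veth ovsbr0 vethalice0
bob veth ovsbr0 vethbob0
carol veth lxcbr0 vethcarol0
"""
# what `ovs-vsctl list-ports ovsbr0` would print after bob's port vanished
SAMPLE_OVS_PORTS = "vethalice0\n"
# (user, nicname) pairs as recovered from audit records of the helper
SAMPLE_INVOCATIONS = [("alice", "vethbob0"), ("alice", "vethalice0")]

if __name__ == "__main__":
    print("vulnerable:", version_is_vulnerable("6.0.4"))  # True
    db = parse_nic_db(SAMPLE_DB)
    print("missing on ovsbr0:", missing_ports(db, set(SAMPLE_OVS_PORTS.split()), "ovsbr0"))
    print("cross-owner deletes:", cross_owner_deletes(db, SAMPLE_INVOCATIONS))
```

Run periodically, the missing-port check flags bob's port as gone while alice's is intact, and the invocation check names alice as the caller who deleted an interface recorded to bob; the version check alone only tells you the host is exposed, not that anything happened.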