CVE-2024-6219: lxd has a restricted TLS certificate privilege escalation when in PKI mode
If a server.ca file is present in LXD_DIR at LXD startup, LXD runs in "PKI mode". In this mode, every client must present a certificate that has been signed by the CA.
The LXD configuration option core.trust_ca_certificates defaults to false. With that default, a CA-signed client certificate is not trusted on the strength of the CA signature alone: LXD additionally requires the certificate to be added to the trust store and verifies it via mTLS.
When a restricted certificate is added to the trust store in this mode, its restrictions are not honoured, and the client has full access to LXD.