2024-12-10
This article dives into a specific configuration within LXD, a container virtualization platform, that can potentially lead to unintended access permissions. Let’s break down the details and understand how it might impact your LXD setup.
What is PKI Mode and How Does it Work?
LXD offers a security mode known as PKI mode. When enabled, it enforces stricter authentication measures. Clients connecting to the LXD instance must possess certificates signed by a trusted Certificate Authority (CA). This ensures only authorized clients with valid certificates can access the system.
The Role of core.trust_ca_certificates Option
LXD offers a configuration option named `core.trust_ca_certificates`. By default, it’s set to `false`. This means even with a valid CA-signed certificate, LXD performs an additional verification step using Mutual TLS (mTLS).
The Issue: Ignoring Restrictions in PKI Mode
The crux of the issue lies in how LXD handles restricted certificates within PKI mode when `core.trust_ca_certificates` is disabled. Ideally, these certificates should have limitations on the level of access they grant. However, due to a configuration oversight, these restrictions are bypassed, allowing full access to the LXD instance.
Impact: Limited Due to PKI Mode Rarity
The report categorizes this vulnerability as low impact for two reasons. First, PKI mode itself isn’t the standard or recommended way to operate LXD. Second, even though `core.trust_ca_certificates` defaults to `false`, it’s assumed that users enabling PKI mode would likely enable that option as well, and with it enabled, full access is granted regardless of certificate restrictions.
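To check whether a server falls into the configuration described above, the following added example (not code from the report or the LXD project) audits a trust-store listing for restricted certificates on a PKI-mode server. It assumes the `restricted`, `projects` and `name` fields of LXD's certificates API; the `pki_mode` flag, the function names and the sample data are constructed for illustration.

```python
import json

# Constructed sample data, shaped like LXD REST API responses
# (the "config" map from GET /1.0 and GET /1.0/certificates?recursion=1).
SAMPLE_CONFIG = {"core.https_address": ":8443"}  # trust_ca_certificates unset -> default false
SAMPLE_CERTS = json.loads("""[
  {"name": "ci-runner", "type": "client", "restricted": true,
   "projects": ["ci"], "fingerprint": "aaaa1111"},
  {"name": "admin-laptop", "type": "client", "restricted": false,
   "projects": [], "fingerprint": "bbbb2222"}
]""")


def trust_ca_enabled(config):
    """LXD config values are strings; a missing key means the default, false."""
    return str(config.get("core.trust_ca_certificates", "false")).lower() == "true"


def audit(pki_mode, config, certs):
    """Return (level, subject, message) findings for a server in PKI mode.

    pki_mode is supplied by the caller (assumption: you know whether a CA
    file is deployed on the server); it is not derived from the API data.
    """
    if not pki_mode:
        return []
    if trust_ca_enabled(config):
        return [("info", "server",
                 "core.trust_ca_certificates=true: all CA-signed client "
                 "certificates get full access; restrictions do not apply")]
    findings = []
    for cert in certs:
        if cert.get("restricted"):
            scope = ", ".join(cert.get("projects") or []) or "none"
            findings.append(("warn", cert["name"],
                             f"restricted to projects [{scope}] but treated as "
                             "full access on unpatched servers in PKI mode"))
    return findings


if __name__ == "__main__":
    for level, subject, message in audit(True, SAMPLE_CONFIG, SAMPLE_CERTS):
        print(f"{level.upper():5} {subject}: {message}")
```

Any `warn` entry marks a certificate whose project restriction should not be relied on until the server is updated.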
What Undercode Says:
While the impact might be low due to the specific configuration involved, it’s crucial to address potential security gaps. Here’s what we recommend:
Be Mindful of PKI Mode and Trust Certificates: If you choose to utilize PKI mode, ensure `core.trust_ca_certificates` is enabled only if intended. This provides an extra layer of security by verifying certificates through mTLS.
Stay Updated: Keeping your LXD instance updated with the latest patches is vital. This ensures known vulnerabilities like the one described here are addressed.
Consider Alternative Authentication Methods: LXD offers RBAC (Role-Based Access Control) as another authorization option. This method provides more granular control over user permissions, potentially a better fit for scenarios where fine-tuned access is required.
By following these recommendations, you can strengthen your LXD security posture and minimize the chances of unauthorized access. Remember, security is an ongoing process, so staying informed and implementing best practices is key.
References:
Reported By: Github.com