CVE-2026-33711: CWE-61: UNIX Symbolic Link (Symlink) Following in lxc incus
CVE-2026-33711 is a medium severity vulnerability in Incus, a system container and VM manager, affecting versions prior to 6.23.0. The issue arises from the use of predictable temporary file paths under /tmp for QEMU VM screenshots, allowing local attackers to create symbolic links (symlinks) that can be followed by Incus. On most Linux systems, the kernel's protected_symlinks feature prevents exploitation, resulting in permission denied errors. However, on systems where this protection is disabled, attackers can manipulate arbitrary files by truncating and changing their permissions, potentially causing denial of service or local privilege escalation. The vulnerability requires local access and some privileges but no user interaction. The fix is included in Incus version 6.23.0.
AI Analysis
Technical Summary
Incus, a system container and virtual machine manager, provides an API to retrieve VM screenshots by having QEMU write to a temporary file in /tmp, which Incus then reads and deletes. Versions of Incus prior to 6.23.0 use predictable file paths for these temporary screenshot files. This predictability allows a local attacker with some privileges to pre-create symbolic links at these paths. When Incus attempts to write the screenshot, it follows the symlink, potentially writing to arbitrary files. On most Linux systems, the kernel enforces the protected_symlinks feature, which prevents following symlinks in /tmp owned by other users, resulting in permission denied errors and blocking exploitation. However, on systems where protected_symlinks is disabled, Incus can be tricked into truncating arbitrary files and changing their mode and permissions. This can lead to denial of service by corrupting critical files or local privilege escalation by altering permissions on sensitive files. The vulnerability is classified as CWE-61 (UNIX Symbolic Link (Symlink) Following). Exploitation requires local access and some privileges but no user interaction. The issue is fixed in Incus version 6.23.0, presumably by using safer temporary file handling that avoids predictable paths or symlink following.
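The difference between following and refusing a pre-created symlink, as an added Go example (not Incus's code and not its actual fix). The function names and file names are hypothetical, and the link is planted in a private scratch directory rather than /tmp, so protected_symlinks does not come into play.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// openPredictable models the risky pattern: fixed name, O_TRUNC, symlinks followed.
func openPredictable(path string) (*os.File, error) {
	return os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o600)
}

// openExclusive fails if path already exists and never follows a final symlink.
func openExclusive(path string) (*os.File, error) {
	return os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL|syscall.O_NOFOLLOW, 0o600)
}

// demo runs both strategies against a planted symlink and reports the outcome.
func demo() (safeRefused, unsafeTruncated bool, err error) {
	dir, err := os.MkdirTemp("", "symlink-demo-")
	if err != nil {
		return false, false, err
	}
	defer os.RemoveAll(dir)
	victim := filepath.Join(dir, "victim.conf")     // constructed sample file
	tmpPath := filepath.Join(dir, "screenshot.png") // hypothetical fixed name
	if err = os.WriteFile(victim, []byte("keep me\n"), 0o600); err != nil {
		return false, false, err
	}
	if err = os.Symlink(victim, tmpPath); err != nil {
		return false, false, err
	}
	_, safeErr := openExclusive(tmpPath) // expected to fail: an entry already exists
	intact, _ := os.ReadFile(victim)
	safeRefused = safeErr != nil && string(intact) == "keep me\n"
	f, err := openPredictable(tmpPath) // follows the link and truncates its target
	if err != nil {
		return safeRefused, false, err
	}
	f.Close()
	after, err := os.ReadFile(victim)
	return safeRefused, err == nil && len(after) == 0, err
}

func main() {
	fmt.Println(demo())
}
```

In Go, `os.CreateTemp` gives the same exclusive-create behaviour together with an unpredictable name.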
Potential Impact
The vulnerability allows local attackers to manipulate arbitrary files on the filesystem by exploiting Incus's predictable temporary file usage and symlink following. This can lead to denial of service by corrupting or truncating important files, potentially disrupting container or VM operations. More critically, it can enable local privilege escalation by changing file permissions, allowing attackers to gain higher privileges on the host system. Organizations running vulnerable versions of Incus on Linux systems without protected_symlinks enabled are at risk. Since Incus is used in container and VM management, exploitation could compromise the isolation and security of virtualized environments, impacting cloud providers, hosting services, and enterprises relying on containerization. The requirement for local access limits remote exploitation but insider threats or compromised accounts could leverage this vulnerability. The medium CVSS score reflects moderate impact and exploitation complexity.
Mitigation Recommendations
The primary mitigation is to upgrade Incus to version 6.23.0 or later, which addresses the vulnerability by changing how temporary files are handled. For environments where immediate upgrade is not possible, administrators should ensure that the Linux kernel's protected_symlinks feature is enabled and enforced, as it effectively blocks exploitation by preventing symlink following in /tmp. Additionally, restrict local user privileges to minimize the ability of untrusted users to create symlinks in /tmp or access Incus APIs. Implement strict access controls and monitoring on systems running Incus to detect suspicious symlink creation or file modifications. Consider using filesystem namespaces or mandatory access controls (e.g., SELinux, AppArmor) to limit Incus's file system interactions. Regularly audit and monitor /tmp directory usage and permissions to detect potential symlink attacks. Finally, educate system administrators about the risks of disabling kernel security features like protected_symlinks.
Affected Countries
United States, Germany, China, Japan, South Korea, United Kingdom, France, Canada, India, Australia
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-23T17:06:05.747Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 69c5ba613c064ed76fe1f5ce
Added to database: 3/26/2026, 10:59:45 PM
Last enriched: 3/26/2026, 11:15:44 PM
Last updated: 3/27/2026, 12:22:59 AM