
Cloud Vulnerability DB
A community-led vulnerabilities database
In LXC (Linux Containers) 2.0, multiple template scripts were found to download code over plain HTTP and to execute it while bootstrapping containers without first verifying a digital signature. This vulnerability was assigned CVE-2017-18641 and was publicly disclosed in February 2020 (NVD, Debian Security).
The vulnerability received a CVSS v3.1 Base Score of 8.1 (HIGH) with vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. The issue affected multiple template scripts including those for CentOS, Cirros, Fedora, Gentoo, OpenMandriva, Oracle, Plamo, SparcLinux, and VoidLinux. These templates either downloaded content over plain HTTP or disabled package signature verification using flags like --nogpgcheck for RPM-based systems (Launchpad Bug).
The vulnerability could allow a man-in-the-middle attacker, web proxy administrator, or other malicious actors to install and execute arbitrary code with root privileges within the container during the container creation process (Launchpad Bug).
The LXC project addressed this issue by moving template scripts to a separate repository (lxc-templates) and developing a new tool called distrobuilder that implements proper HTTPS and GPG support. The new system uses public YAML definitions and either relies on HTTPS for base tarball downloads or includes custom GPG keyrings. All official LXC images are now built using distrobuilder with proper security measures (Launchpad Bug).
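As an added example (not code from the report or from the LXC project), the following audit script flags the two patterns described above, plain-HTTP fetches and disabled package signature checks, in a template script; the rule names, the extra patterns and the sample template are this example's own constructions.

```python
"""Audit an LXC-style template script for the CVE-2017-18641 pattern: fetching
bootstrap content over plain HTTP or disabling package signature checks."""
import re

# Rule names and patterns are this example's own choices, not LXC's. The flags
# are real yum/dnf (--nogpgcheck), zypper (--no-gpg-checks) and apt
# (--allow-unauthenticated) options that turn off signature verification.
RULES = [
    ("plain-http-url", re.compile(r"\bhttp://", re.I)),
    ("gpg-check-disabled",
     re.compile(r"--nogpgcheck|--no-gpg-checks|--allow-unauthenticated", re.I)),
    ("tls-verify-disabled",
     re.compile(r"--no-check-certificate|--insecure|\s-k\s", re.I)),
    ("pipe-download-to-shell",
     re.compile(r"\b(wget|curl)\b.*\|\s*(sudo\s+)?(ba|da)?sh\b", re.I)),
]


def audit_template(text):
    """Return (line_no, rule, line) for every non-comment line matching a rule.
    A URL reached through a variable (wget "$MIRROR/...") is only caught where
    the variable is defined, so the defaults block of a template matters too."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # shebang and comments carry no executable fetch
        for name, pattern in RULES:
            if pattern.search(stripped):
                findings.append((no, name, stripped))
    return findings


# Constructed excerpt in the style of an lxc 2.0 template; not the real script.
SAMPLE_TEMPLATE = """\
#!/bin/sh
MIRROR=${MIRROR:-http://mirror.example.invalid/centos}
wget -O "$cache/release.rpm" "$MIRROR/7/os/x86_64/Packages/centos-release.rpm"
yum --installroot="$rootfs" --nogpgcheck -y install centos-release
curl -sSL https://mirror.example.invalid/setup.sh | sh
wget -O "$cache/rootfs.tar.xz" "https://images.example.invalid/rootfs.tar.xz"
"""

if __name__ == "__main__":
    for no, rule, line in audit_template(SAMPLE_TEMPLATE):
        print(f"line {no}: {rule}: {line}")
```

Run against the sample it reports the insecure mirror default, the --nogpgcheck install and the download piped into a shell, while the HTTPS tarball fetch passes.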
Source: This report was generated using AI