
Cloud Vulnerability DB
A community-led vulnerabilities database
A security vulnerability (GHSA-x9qq-236j-gj97) was discovered in Canonical LXD version 5.19.0, in which users with restricted project access could gain root access to the system. The vulnerability exists because the 'shift' property for disk devices is not restricted unless 'restricted.devices.disk.paths' is explicitly set. It was disclosed on December 5, 2023, and patched in version 5.20.0 (GitHub Advisory).
The vulnerability stems from a logic flaw in the disk device validation process. When a project is configured with 'restricted=true' and 'restricted.devices.disk=allow', but 'restricted.devices.disk.paths' is left unset, users can create disk devices with the 'shift=true' property. This gap in the validation logic allows users to mount disk devices with elevated privileges. The issue occurs specifically in the validateEnvironmentSourcePath() function within the disk device implementation (GitHub Advisory).
When exploited, this vulnerability allows users with restricted project access to gain root access on the system. This is achieved by creating a disk device with shift=true and subsequently creating a setuid root executable. The impact is particularly significant as it represents a privilege escalation pathway in environments where user permissions should be restricted (GitHub Advisory).
The vulnerability has been patched in LXD version 5.20.0. For systems running affected versions, administrators should ensure that when allowing disk devices in restricted projects, they explicitly set the 'restricted.devices.disk.paths' configuration to specify allowed path prefixes. This prevents the unrestricted use of the shift property and blocks the privilege escalation vector (GitHub Advisory).
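The following audit script is an added example, not code from the advisory or from the LXD project. It checks a server version against the fixed release and flags projects whose configuration matches the vulnerable combination described above; the project/config dictionaries are constructed sample input shaped like the string key/value pairs LXD exposes (the exact format of your export tooling is an assumption).

```python
"""Audit LXD project configs for the GHSA-x9qq-236j-gj97 pre-condition.

Added example, not LXD project code. Project configs are assumed to be
flat dicts of string keys/values, like the `config:` section of a project.
"""
from typing import Dict, List, Tuple

FIXED_VERSION = (5, 20, 0)  # first release carrying the fix


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '5.19.0' or '5.20' into a comparable 3-tuple (missing parts -> 0)."""
    parts = [int(p) for p in version.strip().split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3])  # type: ignore[return-value]


def project_findings(name: str, config: Dict[str, str]) -> List[str]:
    """Flag a restricted project that allows disk devices without path prefixes.

    Without restricted.devices.disk.paths, the shift=true property on disk
    devices is not blocked in affected LXD versions.
    """
    restricted = config.get("restricted", "false") == "true"
    disk_allowed = config.get("restricted.devices.disk") == "allow"
    paths_set = bool(config.get("restricted.devices.disk.paths", "").strip())
    if restricted and disk_allowed and not paths_set:
        return [f"project {name}: restricted.devices.disk=allow without "
                f"restricted.devices.disk.paths (shift=true not blocked)"]
    return []


def audit(server_version: str, projects: Dict[str, Dict[str, str]]) -> List[str]:
    """Return all findings for a server: version exposure plus per-project gaps."""
    findings: List[str] = []
    if parse_version(server_version) < FIXED_VERSION:
        findings.append(f"LXD {server_version} predates 5.20.0; upgrade")
    for name, config in projects.items():
        findings.extend(project_findings(name, config))
    return findings


# Constructed sample projects: one weak, one hardened, one that blocks disks.
SAMPLE_PROJECTS = {
    "weak": {"restricted": "true", "restricted.devices.disk": "allow"},
    "hardened": {"restricted": "true", "restricted.devices.disk": "allow",
                 "restricted.devices.disk.paths": "/srv/shared"},
    "blocked": {"restricted": "true", "restricted.devices.disk": "block"},
}

if __name__ == "__main__":
    for line in audit("5.19.0", SAMPLE_PROJECTS):
        print(line)
```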
Source: This report was generated using AI