CVE-2025-54289
📋 TL;DR
An attacker who holds only read permissions on a Canonical LXD server can hijack another user's terminal (exec) or console session by taking over its WebSocket connection, gaining arbitrary command execution inside that instance with the privileges of the hijacked session and a path to privilege escalation. Any LXD deployment in which users hold read access to the operations API is affected. In container and VM management environments, where administrators routinely open root shells into instances, this is a significant risk.
💻 Affected Systems
- Canonical LXD (releases before 6.5)
📦 What is this software?
LXD by Canonical is a system container and virtual machine manager. Clients drive it through a REST API (over a local Unix socket or HTTPS), and interactive `lxc exec` and `lxc console` sessions are carried over WebSocket connections tied to API operations.
⚠️ Risk & Real-World Impact
Worst Case
An attacker holding only read permissions hijacks an administrator's exec or console session and runs arbitrary commands as that session's user, commonly root inside the instance. If the hijacked session belongs to a privileged instance or is being used to administer the host, this becomes full host compromise with access to every instance on it.
Likely Case
An attacker with viewer-level access uses a hijacked session to run commands, typically as root, inside instances they were only permitted to view, then uses that foothold to reach other instances and data in the same deployment.
If Mitigated
Limited impact if the API is not reachable from untrusted networks and no untrusted identity holds read access to operations: the flaw is still present, but nobody in a position to exploit it can reach it.
🎯 Exploit Status
Exploitation requires an authenticated identity with read permission on the LXD operations API and network reachability to the API endpoint in order to open WebSocket connections; nothing beyond an ordinary API client is implied.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.5 or later
Vendor Advisory: https://github.com/canonical/lxd/security/advisories/GHSA-3g72-chj4-2228
Restart Required: Yes
Instructions:
1. Update LXD to 6.5 or later through your package manager (for the snap, refresh the lxd snap).
2. Restart the LXD service if your package manager did not do so (a snap refresh restarts the daemon itself).
3. Verify the update took effect by checking the version the daemon reports.
🔧 Temporary Workarounds
Restrict API Access
Limit who can reach the LXD API and who holds read access to it. LXD only exposes its HTTPS API when core.https_address is set (default port 8443); leave it unset where remote access is not needed so the API stays on the local Unix socket, or bind it to a management interface only, and review which identities and trust-store entries can read operations.
# Configure firewall rules to restrict access to LXD API ports
# Review and tighten LXD user permissions
Reduce Interactive Session Exposure
LXD has no server-side switch that turns off exec or console for an instance, so the workable control until you patch is behavioural: keep administrator exec and console sessions short, do not leave idle root shells open, and avoid interactive sessions on instances that untrusted viewers can see.
🧯 If You Can't Patch
- Keep the LXD API off untrusted networks: leave core.https_address unset where remote access is not needed, and firewall the listener where it is
- Apply least privilege: remove read access to operations from identities that do not need it, since read access is all the attack requires
🔍 How to Verify
Check if Vulnerable:
Run 'lxd --version' (or 'snap info lxd' for the snap and read the 'installed:' line). Any release below 6.5 is vulnerable as shipped. If you run an LTS series, whose version numbers are below 6.5, compare against the patched releases listed in the vendor advisory rather than against 6.5, since LTS fixes ship as backports under the LTS version number.
Check Version:
lxd --version
Verify Fix Applied:
Confirm the reported version is 6.5 or later. For a behavioural check, authenticate as an identity that holds only read permissions, have an administrator open an exec session from another terminal, and confirm the read-only identity can no longer obtain what it needs to attach to that session.
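The version check above, as an added example (not LXD's own tooling): it parses either a bare `lxd --version` string or the full text of `snap info lxd`, compares the installed release against the 6.5 threshold from the advisory, and reports LTS series separately because their fixes arrive as backports under a lower version number. The `snap info` text embedded here is constructed, and the set of LTS series is an assumption to keep current.

```python
"""Decide whether an LXD install is at or past the 6.5 fix for CVE-2025-54289.

Added example, not LXD's own tooling.
"""
import re
import subprocess
from typing import Optional, Tuple

PATCHED_VERSION = (6, 5)                 # advisory: fixed in 6.5 or later
LTS_SERIES = {(4, 0), (5, 0), (5, 21)}   # assumed list of LXD LTS branches

# Matches "6.5", "6.5.1", "5.21.3 LTS" and snap-style "5.21.3-c5ae129".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")

# Constructed sample of `snap info lxd` output (only the lines that matter).
SAMPLE_SNAP_INFO = """\
name:      lxd
summary:   LXD - container and VM manager
publisher: Canonical
channels:
  latest/stable:    6.5   2025-09-01 (12345) 120MB -
  5.21/stable:      5.21.3   2025-08-01 (12300) 118MB -
installed:          6.4   (12200) 119MB -
"""


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Turn a version string into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def installed_version_from_snap_info(snap_info: str) -> Optional[str]:
    """Return the version field of the 'installed:' line, or None if absent."""
    for line in snap_info.splitlines():
        if line.startswith("installed:"):
            fields = line.split()
            if len(fields) >= 2:
                return fields[1]
    return None


def assess(version: str) -> str:
    """Classify a version string: patched, vulnerable, lts-check-advisory, unknown."""
    parsed = parse_version(version)
    if parsed is None:
        return "unknown"
    if parsed[:2] >= PATCHED_VERSION:
        return "patched"
    if parsed[:2] in LTS_SERIES:
        # Below 6.5 by number, but LTS branches receive backported fixes;
        # compare against the patched LTS releases the advisory lists.
        return "lts-check-advisory"
    return "vulnerable"


def assess_snap_info(snap_info: str) -> str:
    """Assess the installed snap from `snap info lxd` text."""
    version = installed_version_from_snap_info(snap_info)
    return "unknown" if version is None else assess(version)


if __name__ == "__main__":
    try:
        out = subprocess.run(["snap", "info", "lxd"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        out = SAMPLE_SNAP_INFO  # no snap on this host: fall back to the sample
    print(installed_version_from_snap_info(out), assess_snap_info(out))
```

Run it on a host with the snap installed and it reports the live version; anywhere else it falls back to the constructed sample so the logic can still be exercised.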
📡 Detection & Monitoring
Log Indicators:
- Creation of exec or console operations (class "websocket" in LXD's operations API) on instances that the identity involved is only entitled to view
- Interactive sessions opened at unusual times, on sensitive instances, or left running far longer than an administrator's normal session
- Commands run inside an instance that the administrator who opened the session does not recognise
Network Indicators:
- WebSocket upgrade requests to /1.0/operations/<uuid>/websocket on the LXD API port from addresses that are not administrator workstations
- Command execution patterns inside instances that do not match the administrator's activity
SIEM Query:
source="lxd.log" AND class="websocket" AND (description="Executing command" OR description="Showing console")
The strings "WebSocket hijack" and "unauthorized session" do not occur in LXD's logs, so the query keys on creation of exec and console operations instead; the field names assume LXD's structured key=value log format and should be checked against a log sample from your own daemon before use.
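The session review behind these indicators, as an added example that is not part of LXD or the advisory: it takes the JSON that GET /1.0/operations?recursion=1 returns (a map from status bucket to a list of operation objects), reports every websocket-class operation, which is how LXD represents `lxc exec` and `lxc console` sessions, and raises alerts for sessions that are stale, that touch watched instances, or that still carry connection secrets in their metadata. The sample operations are constructed, and treating a `metadata.fds` map as secrets readable by anyone who can read the operation is an assumption about pre-6.5 behaviour, not something the advisory text on this page states.

```python
"""Report live exec/console sessions from LXD's operations listing.

Added example; not part of LXD or of the advisory.
"""
import json
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed sample shaped like /1.0/operations?recursion=1 output.
SAMPLE_OPERATIONS = json.loads("""
{
  "running": [
    {"id": "11111111-1111-4111-8111-111111111111", "class": "websocket",
     "description": "Executing command", "created_at": "2025-09-01T10:20:00Z",
     "status": "Running", "resources": {"instances": ["/1.0/instances/db01"]},
     "metadata": {"fds": {"0": "0f1e2d3c", "control": "9a8b7c6d"}}},
    {"id": "22222222-2222-4222-8222-222222222222", "class": "websocket",
     "description": "Showing console", "created_at": "2025-09-01T07:55:00Z",
     "status": "Running", "resources": {"instances": ["/1.0/instances/jump-vm"]},
     "metadata": {"fds": {"0": "aa55aa55", "control": "55aa55aa"}}},
    {"id": "33333333-3333-4333-8333-333333333333", "class": "task",
     "description": "Creating instance", "created_at": "2025-09-01T10:25:00Z",
     "status": "Running", "resources": {"instances": ["/1.0/instances/web02"]},
     "metadata": null}
  ],
  "success": [
    {"id": "44444444-4444-4444-8444-444444444444", "class": "websocket",
     "description": "Executing command", "created_at": "2025-09-01T09:00:00Z",
     "status": "Success", "resources": {"instances": ["/1.0/instances/db01"]},
     "metadata": {"return": 0}}
  ]
}
""")

NOW = datetime(2025, 9, 1, 10, 30, tzinfo=timezone.utc)  # fixed clock for the sample


def _parse_ts(value: str) -> datetime:
    # LXD emits RFC 3339 timestamps; fromisoformat wants +00:00 rather than Z.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def interactive_sessions(operations: Dict[str, List[dict]], now: datetime,
                         max_age: timedelta = timedelta(hours=1)) -> List[dict]:
    """One finding per websocket-class operation, across all status buckets."""
    findings = []
    for bucket, ops in operations.items():
        for op in ops:
            if op.get("class") != "websocket":
                continue  # tasks (create, snapshot, ...) are not sessions
            metadata = op.get("metadata") or {}
            instances = (op.get("resources") or {}).get("instances", [])
            age = now - _parse_ts(op["created_at"])
            findings.append({
                "id": op["id"],
                "bucket": bucket,
                "description": op.get("description", ""),
                "instances": [path.rsplit("/", 1)[-1] for path in instances],
                # assumption: pre-6.5 servers leave fd secrets here for any reader
                "secrets_in_metadata": "fds" in metadata,
                "stale": bucket == "running" and age > max_age,
            })
    return findings


def alerts(findings: List[dict], watched_instances: set) -> List[str]:
    """Alert lines for running sessions: stale, on a watched instance, or leaking secrets."""
    out = []
    for f in findings:
        if f["bucket"] != "running":
            continue
        names = ",".join(f["instances"])
        if f["stale"]:
            out.append(f"stale session {f['id']} ({f['description']}) on {names}")
        hits = sorted(set(f["instances"]) & watched_instances)
        if hits:
            out.append(f"session {f['id']} ({f['description']}) on watched instance {','.join(hits)}")
        if f["secrets_in_metadata"]:
            out.append(f"session {f['id']} exposes fd secrets in readable metadata")
    return out


if __name__ == "__main__":
    for line in alerts(interactive_sessions(SAMPLE_OPERATIONS, NOW), {"db01"}):
        print(line)
```

Feed it the output of `lxc query /1.0/operations?recursion=1` (or the equivalent client call) on a schedule, set `watched_instances` to the instances that untrusted viewers can see, and pipe the alert lines into the SIEM; the stale threshold is the one knob most deployments need to tune.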