Ubuntu 15.10 / 16.04 LTS : lxd vulnerabilities (USN-2988-1)

Low Nessus Plugin ID 91424


The remote Ubuntu host is missing a security-related patch.


Robie Basak discovered that LXD incorrectly set permissions when setting up a loop based ZFS pool. A local attacker could use this issue to copy and read the data of any LXD container. (CVE-2016-1581)

Robie Basak discovered that LXD incorrectly set permissions when switching an unprivileged container into privileged mode. A local attacker could use this issue to access any world readable path in the container directory, including setuid binaries. (CVE-2016-1582).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.


Update the affected lxd package.

Plugin Details

Severity: Low

ID: 91424

File Name: ubuntu_USN-2988-1.nasl

Version: $Revision: 2.4 $

Type: local

Agent: unix

Published: 2016/06/01

Modified: 2016/12/01

Dependencies: 12634

Risk Information

Risk Factor: Low


Base Score: 2.1

Temporal Score: 1.6

Vector: CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N

Temporal Vector: CVSS2#E:U/RL:OF/RC:C


Base Score: 5.5

Temporal Score: 4.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:canonical:ubuntu_linux:lxd, cpe:/o:canonical:ubuntu_linux:15.10, cpe:/o:canonical:ubuntu_linux:16.04

Required KB Items: Host/cpu, Host/Ubuntu, Host/Ubuntu/release, Host/Debian/dpkg-l

Exploit Available: false

Exploit Ease: No known exploits are available

Patch Publication Date: 2016/05/31

Reference Information

CVE: CVE-2016-1581, CVE-2016-1582

OSVDB: 139314, 139315

USN: 2988-1