How the CVE works: The OVN client in Incus disables Go’s default TLS server verification (`InsecureSkipVerify: true`) and replaces it with a custom `VerifyPeerCertificate` callback. That callback does not use the configured CA certificate as its trust anchor. Instead, it parses every certificate from the peer’s handshake, adds all of them to a freshly created root pool, and then verifies the leaf certificate against that attacker-influenced pool. The configured `tlsCAcert` is parsed and added to a separate pool, but that pool is never consulted in the verification decision, and no endpoint identity check (for example a `ServerName` match) is performed.

An attacker who can intercept or impersonate the OVN database endpoint (e.g., on the management network) can therefore present a self-signed certificate chain: the custom verifier accepts it because the peer-supplied root (the attacker’s own CA) is treated as trusted. This defeats CA-anchored mTLS authentication of the server side. In clustered, OVN-backed Incus deployments, an active man-in-the-middle can substitute a rogue, empty northbound or southbound database; Incus will briefly interact with it before its operations fail for lack of the expected logical network state. Exploitation is difficult in practice because the OVN control plane typically runs on the same servers as Incus with no routing in between, but the logic flaw remains. The affected code is in ovn_nb.go, ovn_sb.go, ovn_icnb.go, and ovn_icsb.go. A proof-of-concept Go harness that reproduces the verifier’s logic accepts a rogue self-signed certificate, confirming the vulnerability.
DailyCVE form:
Platform: Incus
Version: 6.22.0
Vulnerability: TLS validation bypass
Severity: medium
Date: 2026-05-04
Prediction: 2026-06-15 (patch)
What Undercode Say:
Verify vulnerable verification logic in isolation
```bash
cat <<'EOF' > poc_ovn_tls_roots.go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func main() {
	// Attacker-controlled key pair and a self-signed CA certificate carrying the
	// serverAuth EKU, standing in for the certificate a rogue OVN endpoint would present.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	template := x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Organization: []string{"Attacker Corp MITM"}},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IsCA:         true,
	}
	rogueCertBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, pub, priv)
	if err != nil {
		panic(err)
	}

	// Reproduction of the vulnerable callback: every certificate the peer sends is
	// added to the root pool, then the leaf is verified against that same pool.
	// The configured CA is never consulted and no hostname is checked.
	verifyPeerCertificate := func(rawCerts [][]byte) error {
		roots := x509.NewCertPool()
		for _, rawCert := range rawCerts {
			if cert, _ := x509.ParseCertificate(rawCert); cert != nil {
				roots.AddCert(cert)
			}
		}
		cert, _ := x509.ParseCertificate(rawCerts[0])
		if cert == nil {
			return fmt.Errorf("bad server certificate")
		}
		_, err := cert.Verify(x509.VerifyOptions{Roots: roots})
		return err
	}

	// The rogue chain is just the attacker's self-signed certificate, which the
	// callback has itself turned into a trust anchor, so verification succeeds.
	if err := verifyPeerCertificate([][]byte{rogueCertBytes}); err == nil {
		fmt.Println("VULNERABLE: rogue certificate accepted")
	} else {
		fmt.Println("not reproduced:", err)
	}
}
EOF
go run poc_ovn_tls_roots.go
```
Check the Incus OVN client code for the affected TLS setting
```bash
grep -r "InsecureSkipVerify: true" /path/to/incus/source/internal/server/network/ovn/
```
Exploit:
An attacker on the same management network as the OVN database (e.g., via a compromised switch or ARP spoofing) stands up a rogue OVN database with a self-signed certificate. When Incus connects over SSL to the expected OVN endpoint, the attacker intercepts the TLS handshake and presents the self-signed certificate. Incus’s custom verifier accepts it because the peer-supplied root has been added to the trust pool. The attacker then returns empty or malicious northbound/southbound data. Incus reads it and fails to find the expected logical network state, but by then the authentication boundary has already been bypassed.
Protection from this CVE
- Upgrade to a patched Incus version once available (the fix removes the custom `VerifyPeerCertificate` callback and uses the standard `RootCAs` verification).
- If patching is impossible, avoid exposing OVN SSL ports on routable networks; ensure the OVN control plane runs only on the same trusted servers as Incus, with no untrusted routing in between.
- Use network ACLs to restrict access to OVN database ports (typically 6641, 6642) to only authorized Incus servers.
- Monitor for unexpected certificate chains or connection resets on OVN database interfaces.
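The harness above reproduces the flawed verifier; the block below is an added example (not code from the original post or from the Incus project) showing the CA-anchored counterpart that the patch direction in the first bullet implies. It implements, as a `VerifyPeerCertificate`-shaped callback, what `crypto/tls` already does on its own when `InsecureSkipVerify` is left false and `RootCAs`/`ServerName` are set: trust comes only from the configured CA pool, the rest of the peer chain is treated as untrusted intermediates, the hostname is pinned and the serverAuth EKU is required. Writing it out lets both behaviours be exercised offline without a TLS handshake. All certificates, the CA name `ovn-ca.example.internal` and the endpoint name `ovn-nb.example.internal` are constructed in-process for the example and are not real OVN material.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mustCert mints a throwaway Ed25519 serverAuth certificate for name. With parent == nil
// it is self-signed and flagged as a CA so it can anchor a chain; otherwise parentKey
// signs it. Nothing here is real OVN material; it exists only to exercise the verifier.
func mustCert(serial int64, name string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	selfSigned := parent == nil
	keyUsage := x509.KeyUsageDigitalSignature
	if selfSigned {
		keyUsage |= x509.KeyUsageCertSign
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              keyUsage,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: selfSigned,
		IsCA:                  selfSigned,
	}
	signer, signerKey := tmpl, key
	if !selfSigned {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// hardenedVerify is the CA-anchored counterpart to the flawed callback, in the
// crypto/tls VerifyPeerCertificate shape: trust comes only from the configured CA pool,
// the rest of the peer chain is treated as untrusted intermediates, the hostname is
// pinned and the serverAuth EKU is required.
func hardenedVerify(caPool *x509.CertPool, serverName string) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return fmt.Errorf("no peer certificate presented")
		}
		leaf, err := x509.ParseCertificate(rawCerts[0])
		if err != nil {
			return err
		}
		intermediates := x509.NewCertPool()
		for _, raw := range rawCerts[1:] {
			if c, err := x509.ParseCertificate(raw); err == nil {
				intermediates.AddCert(c)
			}
		}
		_, err = leaf.Verify(x509.VerifyOptions{Roots: caPool, Intermediates: intermediates,
			DNSName: serverName, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
		return err
	}
}

// Outcome records the hardened verifier's decision for each constructed chain.
type Outcome struct{ Legit, Rogue, WrongName bool }

// RunScenarios exercises hardenedVerify against a genuine chain, an attacker's self-signed
// certificate claiming the same (invented) hostname, and a genuine-CA certificate for another host.
func RunScenarios() Outcome {
	const target = "ovn-nb.example.internal" // hypothetical OVN northbound endpoint
	ca, caKey := mustCert(1, "ovn-ca.example.internal", nil, nil)
	legit, _ := mustCert(2, target, ca, caKey)
	wrong, _ := mustCert(3, "other-host.example.internal", ca, caKey)
	rogue, _ := mustCert(4, target, nil, nil) // attacker's self-signed "root" for the target name
	caPool := x509.NewCertPool()
	caPool.AddCert(ca)
	verify := hardenedVerify(caPool, target)
	return Outcome{
		Legit:     verify([][]byte{legit.Raw, ca.Raw}, nil) == nil,
		Rogue:     verify([][]byte{rogue.Raw}, nil) == nil,
		WrongName: verify([][]byte{wrong.Raw, ca.Raw}, nil) == nil,
	}
}

func main() { fmt.Printf("%+v\n", RunScenarios()) }
```

Fed the same self-signed certificate that the harness above accepts, this verifier returns an `x509.UnknownAuthorityError`, and a certificate correctly issued by the real CA but for a different host fails with an `x509.HostnameError`; only the genuine chain for the pinned name passes. In production code the equivalent is simply to drop `InsecureSkipVerify` and set `RootCAs` and `ServerName` on the `tls.Config`.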
Impact
- Authentication bypass: Attacker can impersonate OVN northbound/southbound database to an Incus client.
- Control-plane manipulation: Rogue database can inject fake logical network state or cause Incus to operate on empty configuration, leading to network misrouting or denial of service.
- Privilege escalation potential: In clustered deployments, compromising OVN control plane can affect all hypervisors and gateways managed by Incus.
- Limited scope: OVN mTLS still requires a client certificate, so the attacker cannot fully proxy to the real OVN database, only replace it with an unauthenticated empty one. The attack also requires a management-network position, which reduces exploitability in typical hardened setups.
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

