Critical security bug in NoVNC console

[Mecanik]

Today, I was editing a product in WHMCS, and by "mistake" I saved the order with the "Server:" selected as another node, that it should really be.

What happened after was horrible, because the user opened his console, and the was connected to another VM on another NODE, seeing the whole desktop. I cannot understand how Promox can allow this, and how can this work actually, this is a security issue.

If the "user" does not belong on the node, it should not be able to connect to any VM in the first place, not to mention to see his whole desktop, and wonder freely around.

The worst problem? You cannot even "kick" him, or do anything else.

How to test this ? Simple, follow these steps:

- Have a WHMCS installation
- Have 2 nodes added in WHMCS
- Create 2 VM's separately on the nodes,
- Login to your account were you have 1 VM
-Change the "node" name and done

Please help.....

 

[dietmar]

Seems you talk about a WHMCS bug. Or can you reproduce this using the PVE GUI?

 

[Mecanik]

It's not a WHMCS bug, it's the noVNC console... and yes I could reproduce it, plus I can see some VM's desktops freely, which should not be possible...

 

[dietmar]

It's not a WHMCS bug, it's the noVNC console... and yes I could reproduce it,

How exactly? This looks more like a mis-configuration on your side.

 

[Mecanik]

Same way, logon on 1 node, and change the node name in the noVNC URL.

 

[dietmar]

Same way, logon on 1 node, and change the node name in the noVNC URL.

Well, there is a detailed access control for users (https://pve.proxmox.com/wiki/User_Management). You configured your system so that your user can only access one VM?

 

[dietmar]

I think this is a misunderstanding on your side. Inside a single cluster, a user can access all his VMs, independent of the node. This is a feature, and required if you want to migrate VMs around.

 

[Mecanik]

What ? Seriously ? Any user of a node can access any VM via the console ? What the...

 

[dietmar]

What ? Seriously ? Any user of a node can access any VM via the console ?

That is not what I wrote. You should carefully re-read my postings.

 

[Mecanik]

That is not what I wrote. You should carefully re-read my postings.

Sorry if I misunderstood, I'm just really stressed. Even if this is a "feature", how do you explain the user that can console inside another VM on another NODE ?

 

[dietmar]

I do not have any information about your setup, and I do not really understand what you do. But you need at least two users if you want to have separate access control on 2 VMs. So far you alway talk about a single user.

 

[Mecanik]

Yes this is exactly the problem, I have multiple nodes, and users on each node, so for example the error that happened:

User XXX had VMID 113 on node ABC, and he opened a console on node DFG for VMID 100 and it worked....

 

[dietmar]

Is this a cluster, or single independent nodes?

 

[Mecanik]

Single independent nodes...

 

[Ashley]

This will be how the WHMCS module works and not Proxmox at fault at all, depending on the module you use they work in different ways.

But the most that I have seen & used upon first contact from a client it will use the root login to create a user with the PVEVMUser perms for that VM, any future connections will then use that account to collect the ticket for VNC.

If your testing the VNC connections on your side it will just use the Proxmox ticket you will already have while logging in directly to Proxmox, if you select the wrong node in WHMCS when the user goes to use VNC the module again will create a new user and attach it to that VM, again this is not an issue with how Proxmox work's but with how the modules work.

Only way you can test is from a fresh browser session with no tickets and logging directly into the WHMCS Client area not via the Admin Area.

 

[Mecanik]

I understand, but this happened via the WHMCS Client area, I was not even aware of this, the customer reported me that is the "wrong vps" ...

 

[Ashley]

Yes, as you selected the wrong server, when the client connects via their client area the module will create them an account in Proxmox on the selected node for the VM ID specified, which would have then gave them access.

This is not Proxmox fault but it how the module works, hope that makes sense.

 

[Mecanik]

Yes I understand Ashley, I'm glad you understood as well what happened. But this is not correct, there should be some extra security to this...
I contacted the WHMCS Proxmox module developer to see if there is something we can do, because this represents a risk for me.

Anyway, thank you for the attention, and for your time!

 

[Ashley]

One thing you can do outside of the module is either use a cluster or don't duplicate ID's across the servers.