Proxmox Backup Server - Security Advisories

Status
Not open for further replies.

Subject: PSA-2024-00002-1: Tape backup drive encryption failure


Publication Date: 2024-02-26

Packages: proxmox-backup-server

Details:

With LTO tape backups for Proxmox Backup Server prior to the versions listed below, the separate hardware encryption key was unloaded from the tape drive too early, before the transfer of backup data to the tape device was started. This means that data meant to be encrypted on tape actually was not.

If a backup snapshot was already encrypted in the backup server datastore before backing up to tape, the backup data still is encrypted on the tape, but metadata such as the list of snapshots, which chunk belongs to which snapshot etc. is not.

Affected tapes can be restored normally, but there is currently no way to re-encrypt the data on the tape directly. The data has to be restored into a datastore and backed up again with the fixed versions of proxmox-backup-server.

Tape backups on a media pool with a configured encryption key are properly encrypted once a new media set is started with the fixed versions below.

Fixed:
- proxmox-backup-server 3.1.4-1 (Proxmox Backup Server 3.x)
- proxmox-backup-server 2.4.5-1 (Proxmox Backup Server 2.x)
 

Subject: PSA-2024-00007-1: Shim bootloader remote code execution via http response


Advisory date: 2024-06-28

Packages: shim-unsigned, shim-signed

Details: A remote code execution vulnerability was found in the secure boot Shim bootloader. The Shim boot support trusts attacker-controlled values when parsing an HTTP response. This flaw allows an attacker to craft a specific malicious HTTP request, leading to a completely controlled out-of-bounds write primitive and complete system compromise. This flaw is only exploitable during the early boot phase; an attacker needs to perform a Man-in-the-Middle or compromise the boot server to be able to exploit this vulnerability successfully.

Fixed: shim-unsigned >= 15.8, shim-signed >= 1.40+pmx1+15.8 (Proxmox VE 8.x, Proxmox Backup Server 3.x, Proxmox Mail Gateway 8.x)

Bullseye-based Proxmox products do not ship a custom version of shim; refer to Debian's security tracker if manual secure boot is in use.

References: CVE-2023-40547, shim 15.8 additionally fixes CVE-2023-40546 and CVE-2023-40548 to CVE-2023-40551
 

Subject: PSA-2024-00011-1: Proxmox Backup Server: unauthenticated DOS vulnerability


Advisory date: 2024-12-03

Packages: proxmox-backup-server (== 3.2.8-1, pbstest and pbs-no-subscription only)

Details:
Proxmox Backup Server in version 3.2.8-1 was vulnerable to a remote unauthenticated DOS attack.
By opening a connection to the API server on port 8007 and closing the connection within the first ten seconds while sending less than 5 bytes, the thread handling this connection would consume 100% CPU time until a restart of the proxmox-backup-proxy service.

Fixed:
- proxmox-backup-server: 3.2.9-1

References:
https://bugzilla.proxmox.com/show_bug.cgi?id=5868
 

Subject: PSA-2025-00005-1: Various SecureBoot bypasses, data integrity violations and sensitive data leaks in Grub


Advisory date: 2025-03-06

Packages: grub-pc-bin, grub-efi-amd64-bin, grub-efi-amd64-signed, grub-efi-amd64-unsigned

Details:

21 issues in Grub's codebase were found that could allow an attacker to bypass Secure Boot protections (if enabled), leak sensitive data from Grub's environment or configuration or violate other integrity protections within Grub.

Fixed:
- grub-pc-bin (>= 2.06-13+pmx5)
- grub-efi-amd64-bin (>= 2.06-13+pmx5)
- grub-efi-amd64-unsigned (>= 2.06-13+pmx5)
- grub-efi-amd64-signed (>= 1+2.06+13+pmx5)
- proxmox-secure-boot-policies (>= 0.0~git20240117.c443a5f-5)
- proxmox-secure-boot-policies-amd64-signed (>= 0.0~git20240117.c443a5f-5)

To fully prevent downgrade attacks after upgrading to fixed versions of the packages, see the instructions in our wiki:

https://pve.proxmox.com/wiki/Secure_Boot_Setup#Setting_a_Stricter_Revocation_Policy

References:
CVE-2024-45774: reader/jpeg: Heap OOB Write during JPEG parsing.
CVE-2024-45775: commands/extcmd: Missing check for failed allocation.
CVE-2024-45776: grub-core/gettext: Integer overflow leads to Heap OOB Write and Read.
CVE-2024-45777: grub-core/gettext: Integer overflow leads to Heap OOB Write.
CVE-2024-45778: fs/bfs: Integer overflow in the BFS parser.
CVE-2024-45779: fs/bfs: Integer overflow leads to Heap OOB Read (Write?) in the BFS parser.
CVE-2024-45780: fs/tar: Integer Overflow causes Heap OOB Write.
CVE-2024-45781: fs/ufs: OOB write in the heap.
CVE-2024-45782: fs/hfs: strcpy() using the volume name (fs/hfs.c:382)
CVE-2024-45783: fs/hfs+: refcount can be decremented twice
CVE-2025-0622: command/gpg: Use-after-free due to hooks not being removed on module unload
CVE-2025-0624: net: Out-of-bounds write in grub_net_search_config_file()
CVE-2025-0677: UFS: Integer overflow may lead to heap based out-of-bounds write when handling symlinks
CVE-2025-0678: squash4: Integer overflow may lead to heap based out-of-bounds write when reading data
CVE-2025-0684: reiserfs: Integer overflow when handling symlinks may lead to heap based out-of-bounds write when reading data
CVE-2025-0685: jfs: Integer overflow when handling symlinks may lead to heap based out-of-bounds write when reading data
CVE-2025-0686: romfs: Integer overflow when handling symlinks may lead to heap based out-of-bounds write when reading data
CVE-2025-0689: udf: Heap based buffer overflow in grub_udf_read_block() may lead to arbitrary code execution
CVE-2025-0690: read: Integer overflow may lead to out-of-bounds write
CVE-2025-1118: commands/dump: The dump command is not in lockdown when secure boot is enabled
CVE-2025-1125: fs/hfs: Integer overflow may lead to heap based out-of-bounds write
 

Subject: PSA-2025-00012-1: Incomplete exclusion of the NTFS module in Grub2 with Secure Boot


Advisory date: 2025-07-10

Packages: grub-efi-amd64-signed 1+2.06+13+pmx6

Details: The NTFS fixes for the issues described in PSA-2025-00005-1 were reverted due to a regression. This was done under the assumption that the NTFS Grub module could not be loaded with Secure Boot enabled. However, this was not the case when the module was part of the monolithic GRUB EFI binary used in default setups that enable Secure Boot. To fix this, exclude the NTFS module from being part of the monolithic GRUB EFI binary.

Fixed: grub-efi-amd64-signed 1+2.06+13+pmx7

References: PSA-2025-00005-1
 

Subject: PSA-2025-00014-1: stored XSS in config values


Advisory date: 2025-08-14

Packages: proxmox-backup-server

Details: The WebAuthN setting dialogue in the web interface was susceptible to XSS. Editing these settings requires root privileges.

A related issue in the Proxmox VE code base was discovered and reported by Javidan Khankishiyev <Khankishiyev.j@gmail.com>.

Fixed:
- proxmox-backup-server >= 4.0.14-1 (PBS 4.x)
- proxmox-backup-server >= 3.4.6-1 (PBS 3.x)
 

Subject: PSA-2025-00016-1: Spectre branch target injection from VM guests ("VMScape")


Advisory date: 2025-09-17

Packages: proxmox-kernel-6.8, proxmox-kernel-6.14

Details: Incomplete branch predictor isolation mechanisms allow exploitation of branch prediction across hypervisor/guest context switches, potentially leaking secrets from the host userspace or other guests by an attacker with control over a VM.

Fixed:

For Debian Trixie based releases, like Proxmox VE 9, Proxmox Backup Server 4 or Proxmox Datacenter Manager Beta:
- Package proxmox-kernel-6.14.11-2-pve-signed in version 6.14.11-2

For Debian Bookworm based releases, like Proxmox VE 8, Proxmox Backup Server 3 or Proxmox Mail Gateway 8:
- Package proxmox-kernel-6.14.8-3-bpo12-pve-signed in version 6.14.8-3~bpo12+1
- Package proxmox-kernel-6.8.12-15-pve-signed in version 6.8.12-15

References:
- CVE-2025-40300
- https://comsec.ethz.ch/research/mic...ch-predictor-isolation-in-cloud-environments/
 

Subject: PSA-2025-00019-1: Race condition during long-running garbage collection and pruning of recent snapshots may lead to backup corruption before Proxmox Backup Server 3.4


Advisory date: 2025-10-27

Packages: proxmox-backup-server

Details: On certain setups running Proxmox Backup Server 3.3 and below, a race condition could cause garbage collection (GC) to delete chunks even though they are referenced by backup snapshots. Affected backup snapshots fail verification and cannot be restored.

The issue can trigger when the following sequence of events occurs:

1. A GC job starts.
2. GC phase 1 starts, generating a list of snapshot index files for which to mark in-use chunks.
3. Before GC phase 1 reaches a specific (backup) group G, a new incremental (backup) snapshot S_1 based on a previous snapshot S_0 is created in group G. Snapshot S_1 references unchanged chunks already known and referenced by S_0.
4. Before GC phase 1 reaches snapshot S_0 in group G, snapshot S_0 is pruned.

In this case, GC phase 1 will not mark chunks which were referenced only by snapshots S_0 and S_1, since snapshot S_0 does not exist anymore, and S_1 is not included in the list of to-be-marked snapshots generated in step 2.

As a result, any such chunks

- that have already existed before the start of the GC (or the cutoff threshold, if it is earlier), and
- that have not been marked due to references by other snapshots/groups

will be treated as garbage and removed by GC phase 2.

Note: While there are more complicated variants (e.g., pruning more snapshots, doing multiple backups, ...), the above describes the basic issue.

The chance of triggering the race condition is low on most setups with recommended specs, in particular if datastores are backed by fast SSDs. The likelihood increases with several factors, e.g.:

- Large and/or slow datastores, for example on a network share or local HDD-backed storage, increase the runtime of GC jobs and thus the chance that snapshots are created and pruned while a GC job is running.
- Frequent pruning, for example via a frequently-running prune job or by applying retention on the Proxmox VE side, increases the chance that snapshots are pruned while a GC job is running.
- Aggressive pruning with retention settings that favor deleting relatively recent snapshots (e.g. keep-last or keep-daily with low values) increases the chance of pruning a snapshot that is used as a base for an incremental backup while a GC job is running.

Fixed: The likelihood of the issue triggering was greatly reduced with proxmox-backup-server 3.4.0-1, and the issue was fully fixed in 3.4.1-1. Proxmox Backup Server 4 was never affected by this issue.
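
The sequence of events above, replayed against a toy mark-and-sweep model. This is an added example, not Proxmox Backup Server code; the `Datastore` class, the group and chunk names and the timestamps are constructed for illustration, and the sweep cutoff is simplified to the GC start time.

```python
# Toy model of the race described above (constructed data, not PBS code).
from dataclasses import dataclass, field

@dataclass
class Datastore:
    snapshots: dict = field(default_factory=dict)  # "group/snapshot" -> chunk digests
    chunks: dict = field(default_factory=dict)     # chunk digest -> last-marked time

    def backup(self, name, digests, now):
        # Known chunks are only referenced, so their timestamp is left untouched;
        # only chunks that are new to the datastore get stamped with `now`.
        for d in digests:
            self.chunks.setdefault(d, now)
        self.snapshots[name] = set(digests)

    def prune(self, name):
        del self.snapshots[name]

    def missing(self):
        # Snapshots that reference chunks no longer in the store (verification fails).
        gaps = {s: sorted(c - set(self.chunks)) for s, c in self.snapshots.items()}
        return {s: g for s, g in gaps.items() if g}

def garbage_collect(store, gc_start, during_phase1=lambda: None):
    to_mark = sorted(store.snapshots)   # step 2: the list is fixed here
    during_phase1()                     # steps 3 and 4 run while phase 1 is busy
    for name in to_mark:                # phase 1: mark chunks of listed snapshots
        for d in store.snapshots.get(name, ()):   # pruned snapshot: nothing to mark
            store.chunks[d] = gc_start
    removed = sorted(d for d, t in store.chunks.items() if t < gc_start)
    for d in removed:                   # phase 2: sweep whatever stayed unmarked
        del store.chunks[d]
    return removed

def scenario(racy):
    store = Datastore()
    store.backup("H/S_0", {"x"}, now=1)        # unrelated group H
    store.backup("G/S_0", {"a", "b"}, now=1)   # base snapshot S_0 in group G
    def backup_then_prune():
        store.backup("G/S_1", {"a", "b", "c"}, now=11)   # step 3: S_1 reuses a, b
        store.prune("G/S_0")                             # step 4
    if racy:
        removed = garbage_collect(store, 10, during_phase1=backup_then_prune)
    else:
        backup_then_prune()             # same operations, completed before GC starts
        removed = garbage_collect(store, 20)
    return removed, store.missing()
```

`scenario(True)` sweeps chunks `a` and `b` although `G/S_1` still references them; `scenario(False)` runs the same backup and prune before GC starts and loses nothing.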
 

Subject: PSA-2025-00020-1: Missing protections against malicious backup clients with S3-backed datastores


Advisory date: 2025-10-27

Packages: proxmox-backup-server

Details: On datastores configured with an S3 backend, a malicious client could upload chunks with invalid metadata, including a digest that does not match the uploaded content.

This could be exploited to leak contents of unencrypted chunks in other backups, or ensure re-use of corrupt chunks created by such an attack until the next verification task has run.

Note: Both exploits require either guessing the required chunk digest by brute force, or obtaining it via other means.

This issue was discovered and fixed internally.

Fixed: proxmox-backup-server >= 4.0.18-1
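
A digest check on upload of the kind this advisory concerns, shown on a toy content-addressed store with the check off and on. This is an added example, not Proxmox Backup Server code: `ChunkStore`, `replay` and the sample data are hypothetical, and it assumes a chunk's digest is the SHA-256 of its content.

```python
# Toy content-addressed chunk store (constructed example, not PBS code).
# Assumption: a chunk's digest is the SHA-256 of its content.
import hashlib

class DigestMismatch(Exception):
    pass

class ChunkStore:
    def __init__(self, verify_uploads):
        self.verify_uploads = verify_uploads
        self.chunks = {}  # hex digest -> content

    def upload(self, claimed_digest, content):
        """Store a chunk under the digest the client sent; True if newly stored."""
        if self.verify_uploads:
            actual = hashlib.sha256(content).hexdigest()
            if actual != claimed_digest:
                raise DigestMismatch(f"claimed {claimed_digest[:12]}, got {actual[:12]}")
        if claimed_digest in self.chunks:
            return False  # deduplicated: the existing chunk is re-used as-is
        self.chunks[claimed_digest] = content
        return True

    def verify(self):
        """Verification task: digests whose stored content does not hash to them."""
        return sorted(d for d, c in self.chunks.items()
                      if hashlib.sha256(c).hexdigest() != d)

def replay(verify_uploads):
    store = ChunkStore(verify_uploads)
    good = b"block 0 of vm-100-disk-0 (constructed sample)"
    digest = hashlib.sha256(good).hexdigest()
    rejected = False
    try:
        # Upload whose metadata does not match its content.
        store.upload(digest, b"content that does not match the digest")
    except DigestMismatch:
        rejected = True
    newly_stored = store.upload(digest, good)  # later backup of the real data
    return rejected, newly_stored, store.chunks[digest] == good, store.verify()
```

Without the check, the later upload is deduplicated against the mismatching chunk and only `verify()` notices; with it, the first upload is rejected and the real data is stored.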
 