Proxmox Mail Gateway - Security Advisories

Subject: PSA-2024-00005-1: SMTP Smuggling


Publication date: 2024-03-28

Packages: pmg-api, postfix

Details: Postfix was affected by an email spoofing attack that involves a composition of email services with specific differences in the way they handle line endings other than <CR><LF>. See references below for timeline, mitigations and details.

Fixed:
- pmg-api >= 8.0.10 (Proxmox Mail Gateway 8.x)
- pmg-api >= 7.3-11 (Proxmox Mail Gateway 7.x)

References:
- CVE-2023-51764
- https://www.postfix.org/smtp-smuggling.html
- https://forum.proxmox.com/threads/smtp-smuggling-mitigation.138576/
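The advisory above turns on one detail: which byte sequences a receiving MTA accepts as the end of DATA. A compliant client only ever sends <CR><LF>.<CR><LF>; a receiver that also honours a bare <LF> or <CR> around the lone dot can end the message early and read what follows as fresh SMTP commands, while the next hop in the chain sees one message. The check below is an added illustration of that difference written for this page, not code from Proxmox or Postfix; the DATA stream it scans is a constructed sample, not a capture from the advisory. It flags every end-of-data-looking sequence that is not fully <CR><LF>-framed, and separately reports whether the stream contains any bare newline at all, which is the broader condition Postfix's `smtpd_forbid_bare_newline` setting rejects.

```python
import re

# Constructed sample of a DATA stream as a receiving MTA would see it. The body
# contains "<LF>.<LF>" instead of the RFC 5321 end-of-data sequence
# "<CR><LF>.<CR><LF>". A receiver that accepts bare newlines ends the message
# there and treats the rest as new commands; one that accepts only <CR><LF>
# keeps everything up to the final ".<CR><LF>" as body.
SAMPLE_DATA = (
    b"From: alice@example.test\r\n"
    b"To: bob@example.test\r\n"
    b"Subject: constructed sample\r\n"
    b"\r\n"
    b"first line of the body\r\n"
    b"\n.\n"
    b"MAIL FROM:<second@example.test>\r\n"
    b"RCPT TO:<bob@example.test>\r\n"
    b"DATA\r\n"
    b"text that a lenient receiver would read as a second message\r\n"
    b".\r\n"
)

# Constructed clean stream: a lone dot line, properly <CR><LF>-terminated.
CLEAN_DATA = (
    b"Subject: clean\r\n"
    b"\r\n"
    b"body with a lone dot line that is properly terminated\r\n"
    b".\r\n"
)

CRLF = b"\r\n"
# A lone "." framed by any line terminator: <CR><LF>, bare <LF> or bare <CR>.
EOD_CANDIDATE = re.compile(rb"(\r\n|\n|\r)\.(\r\n|\n|\r)")
# An <LF> not preceded by <CR>, or a <CR> not followed by <LF>.
BARE_NEWLINE = re.compile(rb"(?<!\r)\n|\r(?!\n)")


def find_bare_newline_eod(data: bytes) -> list[tuple[int, bytes, bytes]]:
    """Return (offset, leading terminator, trailing terminator) for every
    end-of-data-looking sequence that is not exactly <CR><LF>.<CR><LF>.

    A compliant client never emits these, so any hit is reason to reject the
    message rather than guess how the next hop will interpret it.
    """
    hits = []
    for m in EOD_CANDIDATE.finditer(data):
        lead, trail = m.group(1), m.group(2)
        if lead != CRLF or trail != CRLF:
            hits.append((m.start(), lead, trail))
    return hits


def has_bare_newline(data: bytes) -> bool:
    """True if any line in the stream ends in a bare <LF> or bare <CR>.

    Rejecting all bare newlines removes the ambiguity entirely; this is the
    behaviour of Postfix's smtpd_forbid_bare_newline=yes.
    """
    return BARE_NEWLINE.search(data) is not None


def strict_end_of_data(data: bytes) -> int:
    """Offset of the only terminator a strict receiver honours, or -1."""
    return data.find(CRLF + b"." + CRLF)


if __name__ == "__main__":
    for hit in find_bare_newline_eod(SAMPLE_DATA):
        print("non-CRLF end-of-data candidate at offset", hit[0], hit[1:])
    print("strict receiver ends the message at", strict_end_of_data(SAMPLE_DATA))
    print("bare newline present:", has_bare_newline(SAMPLE_DATA))
```

Run against the sample, `find_bare_newline_eod` reports the `<LF>.<LF>` at the end of the first body line, while `strict_end_of_data` points at the final `<CR><LF>.<CR><LF>`, which is where a strict receiver (and an outbound relay that re-frames the message) would end it. The two views disagree about where the message stops, and that disagreement is the whole issue; a receiver that refuses the stream as soon as `has_bare_newline` is true never has to resolve it.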

Subject: PSA-2024-00007-1: Shim bootloader remote code execution via http response


Advisory date: 2024-06-28

Packages: shim-unsigned, shim-signed

Details: A remote code execution vulnerability was found in the secure boot Shim bootloader. The Shim boot support trusts attacker-controlled values when parsing an HTTP response. This flaw allows an attacker to craft a specific malicious HTTP request, leading to a completely controlled out-of-bounds write primitive and complete system compromise. This flaw is only exploitable during the early boot phase; an attacker needs to perform a Man-in-the-Middle attack or compromise the boot server to be able to exploit this vulnerability successfully.

Fixed: shim-unsigned >= 15.8, shim-signed >= 1.40+pmx1+15.8 (Proxmox VE 8.x, Proxmox Backup Server 3.x, Proxmox Mail Gateway 8.x)

Bullseye-based Proxmox products do not ship a custom version of shim, refer to Debian's security tracker if manual secure boot is in use.

References: CVE-2023-40547, shim 15.8 additionally fixes CVE-2023-40546 and CVE-2023-40548 to CVE-2023-40551

Subject: PSA-2024-00009-1: Proxmox VE/Mail Gateway API: post-authentication privileged file read vulnerabilities


Advisory date: 2024-09-23

Packages:
- Proxmox Virtual Environment: pve-manager, libpve-storage-perl, libpve-http-server-perl, qemu-server
- Proxmox Mail Gateway: pmg-api, libpve-http-server-perl

Details:
Insufficient safeguards against malicious API response values allowed authenticated attackers with 'Sys.Audit' or 'VM.Monitor' privileges to download arbitrary host files via the API.

Two instances of this issue were discovered and reported by the Security Labs team at Snyk.
The issue was introduced in libpve-http-server-perl in version 3.2-1 (Proxmox VE/Proxmox Mail Gateway 6) with commit 6d832db ("allow 'download' to be passed from API handler").

Timeline:
2024-09-04: initial report by Snyk
2024-09-04: initial analysis and acknowledgment by Proxmox Security Team
2024-09-06: first iteration of patches submitted for internal review and testing
2024-09-12: second iteration of patches submitted for internal review and testing
2024-09-13: patches and tentative roll-out timeline submitted for feedback to Snyk
2024-09-13: status quo of affected packages was bumped and rolled out to reduce regression potential
2024-09-19: third iteration of patches with minor usability and backward compatibility improvements submitted for internal review and testing
2024-09-20: Due to impact, an exception was granted to provide fixes for the EOL Proxmox VE 7 and Proxmox Mail Gateway 7 releases and a backport of the patches got submitted for internal review and testing
2024-09-23: coordinated release of fixed packages to the Proxmox VE and Proxmox Mail Gateway repositories of the 7 and 8 release series.

Fixed:
- Proxmox VE 8:
pve-manager >= 8.2.7, libpve-storage-perl >= 8.2.5, libpve-http-server-perl >= 5.1.1,
(libpve-common-perl >= 8.2.3, only cosmetic changes to reduce misuse potential)

- Proxmox Mail Gateway 8:
pmg-api >= 8.1.4, libpve-http-server-perl >= 5.1.1, (libpve-common-perl >= 8.2.5)

- Proxmox Virtual Environment 7:
pve-manager >= 7.4-19, libpve-storage-perl >= 7.4-4, libpve-http-server-perl >= 4.3.0

- Proxmox Mail Gateway 7:
pmg-api >= 7.3-12, libpve-http-server-perl >= 4.3.0

References:
- CVE-2024-21545 (reserved)
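The advisory above describes a handler that turns a 'download' value from an API response into a file streamed to the caller, with too little checking of where that value points. The function below is an added illustration of the safeguard such a handler needs, written for this page; it is not the Proxmox patch, and the allowed-roots list, the directory names and the demo layout are constructed. It treats the path as untrusted: it must be absolute, must resolve (symlinks included) to a regular file strictly below an allowed root, and must never be the root itself. The demo runs the check against a plain file, a `..` traversal, a symlink escaping the root, the root directory and a relative path.

```python
import os
import tempfile
from pathlib import Path
from typing import Iterable


def check_download_request(requested: str, allowed_roots: Iterable[str]) -> Path:
    """Validate a file path before an API handler streams it to the client.

    The value is treated as untrusted because it may come from a response
    field the handler did not fully control. It must be absolute, resolve
    (following symlinks) to a regular file strictly below one of the allowed
    roots, and never be the root directory itself. Raises on any failure and
    returns the resolved path that should actually be opened.
    """
    if not os.path.isabs(requested):
        raise ValueError("download path must be absolute")
    real = Path(os.path.realpath(requested))
    for root in allowed_roots:
        real_root = Path(os.path.realpath(root))
        if real == real_root:
            raise PermissionError("the download root itself is not a file")
        try:
            real.relative_to(real_root)
        except ValueError:
            continue  # resolved path lies outside this root; try the next
        if not real.is_file():
            raise PermissionError(f"{requested!r} is not a regular file")
        return real
    raise PermissionError(f"{requested!r} resolves outside the allowed roots")


def demo() -> dict[str, str]:
    """Exercise the check against a constructed directory layout."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "dump"          # hypothetical allowed download root
        root.mkdir()
        (root / "vzdump-example.tar").write_bytes(b"constructed backup payload")
        secret = Path(tmp) / "secret.txt"  # a file that must never be served
        secret.write_text("outside the download root\n")
        (root / "escape").symlink_to(secret)  # symlink inside root pointing out
        cases = {
            "regular file under root": str(root / "vzdump-example.tar"),
            "dot-dot traversal": str(root / ".." / "secret.txt"),
            "symlink escaping root": str(root / "escape"),
            "the root directory": str(root),
            "relative path": "dump/vzdump-example.tar",
        }
        outcome = {}
        for name, path in cases.items():
            try:
                check_download_request(path, [str(root)])
                outcome[name] = "allowed"
            except (PermissionError, ValueError):
                outcome[name] = "rejected"
        return outcome


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28s} {verdict}")
```

Resolving with `realpath` before comparing is what defeats both the `..` and the symlink cases; comparing the raw string against a prefix would pass both. The check is still a lookup followed by a separate open, so on a host where an attacker can rewrite entries under the root between the two, the handler should open the returned path and re-verify what it actually opened (for example with `fstat`, or by opening with `O_NOFOLLOW`) rather than trust the earlier resolution.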