Proxmox Virtual Environment - Security Advisories

[ProxmoxSecurityAdvisory]

This is the list of security advisories since 2024-01-01 for the Proxmox Virtual Environment.

For details about scope, coverage and timeline see the General FAQ about Proxmox Security Announcements.

 

[ProxmoxSecurityAdvisory]

Subject: PSA-2024-00001-1: PixieFAIL EDK2 PXE vulnerabilities​

Advisory date: 2024-01-24

Package(s):

• Proxmox VE 7.x:
  • pve-edk2-firmware
• Proxmox VE 8.x:
  • pve-edk2-firmware-ovmf
  • pve-edk2-firmware-legacy

Details:

Nine vulnerabilities in EDK II's reference EFI implementation that can be exploited by unauthenticated remote attackers on the same local network, and in some cases, by attackers on remote networks were identified by researchers at QuarksLab. The impact of these vulnerabilities includes denial of service, information leakage, remote code execution, DNS cache poisoning, and network session hijacking, mainly via IPv6.

EDK II is used in Proxmox VE to provide the UEFI firmware to VM guests. PXE booting is enabled by default as lowest priority boot mechanism.

Fixed:
- pve-edk2-firmware-ovmf 4.2023.08-3 (Proxmox VE 8.x)
- pve-edk2-firmware 4.20230228-4~bpo11+2 (Proxmox VE 7.x)

Not Fixed:
- pve-edk2-firmware-legacy
(Proxmox VE 8.x, static copy of legacy 2 MB firmware files that cannot be build anymore, only used for backwards compatibility)

References:
- https://blog.quarkslab.com/pixiefai...-in-tianocores-edk-ii-ipv6-network-stack.html
- CVE-2023-45229: Integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message
- CVE-2023-45230: Buffer overflow in the DHCPv6 client via a long Server ID option
- CVE-2023-45231: Out of Bounds read when handling a ND Redirect message with truncated options
- CVE-2023-45232: Infinite loop when parsing unknown options in the Destination Options header
- CVE-2023-45233: Infinite loop when parsing a PadN option in the Destination Options header
- CVE-2023-45234: Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message
- CVE-2023-45235: Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message
- CVE-2023-45236: Predictable TCP Initial Sequence Numbers
- CVE-2023-45237: Use of a Weak PseudoRandom Number Generator

 

[ProxmoxSecurityAdvisory]

Subject: PSA-2024-00003-1: QEMU denial of service via VNC client clipboard access​

Advisory date: 2024-03-28

Package(s): pve-qemu-kvm

Details: A flaw was found in the QEMU built-in VNC server while processing ClientCutText messages. The qemu_clipboard_request() function can be reached before vnc_server_cut_text_caps() was called and had the chance to initialize the clipboard peer, leading to a NULL pointer dereference. This could allow a malicious authenticated VNC client to crash QEMU and trigger a denial of service.

Fixed: pve-qemu-kvm >= 8.1.5-1 (Proxmox Virtual Environment 8.x)

References: CVE-2023-6683

 

[ProxmoxSecurityAdvisory]

Subject: PSA-2024-00004-1: LDAP: missing schema validation for synced attributes​

Advisory date: 2024-03-28

Package(s): libpve-access-control

Details: On Proxmox Virtual Environment systems with user/group sync from LDAP or ActiveDirectory, the attribute values were not properly validated against the user.cfg schema, possibly allowing injection of arbitrary contents into user.cfg by an attacker controlling the directory server.

Please note that attackers controlling the directory server can already log in as any synced user, so it's never safe to integrate an untrusted LDAP or AD server as realm into a Proxmox project.

Fixed:
- libpve-access-control >= 8.1.1 (Proxmox Virtual Environment 8.x)
- libpve-access-control >= 7.4.3 (Proxmox Virtual Environment 7.x)

 

[ProxmoxSecurityAdvisory]

Subject: PSA-2024-00006-1: perl PVE API client certificate validation failure if fingerprint is not passed​

Advisory date: 2024-03-28

Package(s): libpve-api-client-perl

Details: Usage of the perl PVE API client module without a pinned TLS certificate fingerprint (see below for exact parameters) was broken.

The usage of this API client module inside Proxmox VE is limited to:

• Cluster node join: here a fingerprint is required by the API schema, so joining via API (including the web UI) is not affected at all. For joining via the CLI the fingerprint is presented for confirmation and must be manually verified by the admin.
• External remote node migration of virtual guests: this is currently a tech-preview and not exposed in the Proxmox VE user interface, usage with fingerprint was always safe.
• Status and backup list of the PBS integration - a Denial of Service for PBS status, or bogus content listing might be returned by an attacker.
  Most actions, including sending or reading backup data, are not handled by the Perl client, but by the rust-based PBS client and libraries, so neither backup nor restore were affected at all.

Other usage of the client (e.g. in third party scripts or integrations) might be affected if $ssl_opts->{verify_hostname} is enabled, which is the default setting if no fingerprint is provided by the caller.

For any of the above scenarios to be exploitable, an attacker needs to be in a position to man-in-the-middle the client connection to the API server, like controlling the DNS server.

Note: This issue was found during internal audit, we do not know of any attack in the wild.

Fixed:
- libpve-api-client-perl >= 3.3.2 (Proxmox Virtual Environment 8.x, Proxmox Mail Gateway 8.x)
- libpve-api-client-perl >= 3.2-2 (Proxmox Virtual Environment 7.x, Proxmox Mail Gateway 7.x)

 

[ProxmoxSecurityAdvisory]

Subject: PSA-2024-00007-1: Shim bootloader remote code execution via http response​

Advisory date: 2024-06-28

Packages: shim-unsigned, shim-signed

Details: A remote code execution vulnerability was found in the secure boot Shim bootloader. The Shim boot support trusts attacker-controlled values when parsing an HTTP response. This flaw allows an attacker to craft a specific malicious HTTP request, leading to a completely controlled out-of-bounds write primitive and complete system compromise. This flaw is only exploitable during the early boot phase, an attacker needs to perform a Man-in-the-Middle or compromise the boot server to be able to exploit this vulnerability successfully.

Fixed: shim-unsigned >= 15.8, shim-signed >= 1.40+pmx1+15.8 (Proxmox VE 8.x, Proxmox Backup Server 3.x, Proxmox Mail Gateway 8.x)

Bullseye-based Proxmox products do not ship a custom version of shim, refer to Debian's security tracker if manual secure boot is in use.

References: CVE-2023-40547, shim 15.8 additionally fixes CVE-2023-40546 and CVE-2023-40548 to CVE-2023-40551

 

[ProxmoxSecurityAdvisory]

Subject: PSA-2024-00008-1: kernel: DoS via short ethernet frames over tun/tap interfaces​

Advisory date: 2024-07-29

Packages: Proxmox 5.15 kernel packages (Proxmox VE 7), Proxmox 6.5 and 6.8 kernel packages (Proxmox VE 8)

Details: The tun and tap network drivers in the Linux kernel lacked verification for short frames in XDP (eXpress Data Path).

This could be abused by a malicious guest with a VirtIO-net device to cause out-of-bound access in the host kernel and with certain hardware, even cause a kernel panic.

Fixed:
- proxmox-kernel-6.8.8-4-pve or later (for the 6.8 kernel series in Proxmox VE 8)
- proxmox-kernel-6.5.13-6-pve or later (for the 6.5 kernel series in Proxmox VE 8)
- pve-kernel-5.15.158-2-pve or any later 5.15 based package (for Proxmox VE 7)

References:
- https://www.openwall.com/lists/oss-security/2024/07/24/4
- CVE-2024-41090: missing verification for short frame in tap device
- CVE-2024-41091: missing verification for short frame in tun device

 

[ProxmoxSecurityAdvisory]

Subject: PSA-2024-00009-1: Proxmox VE/Mail Gateway API: post-authentication privileged file read vulnerabilities​

Advisory date: 2024-09-23

Packages:
- Proxmox Virtual Environment: pve-manager, libpve-storage-perl, libpve-http-server-perl, qemu-server
- Proxmox Mail Gateway: pmg-api, libpve-http-server-perl

Details:
Insufficient safeguards against malicious API response values allowed authenticated attackers with 'Sys.Audit' or 'VM.Monitor' privileges to download arbitrary host files via the API.

Two instances of this issue were discovered and reported by the Security Labs team at Snyk.
The issue was introduced in libpve-http-server-perl in version 3.2-1 (Proxmox VE/Proxmox Mail Gateway 6) with commit 6d832db ("allow 'download' to be passed from API handler").

Timeline:

2024-09-04: initial report by Snyk​

2024-09-04: initial analysis and acknowledgment by Proxmox Security Team​

2024-09-06: first iteration of patches submitted for internal review and testing​

2024-09-12: second iteration of patches submitted for internal review and testing​

2024-09-13: patches and tentative roll-out timeline submitted for feedback to Snyk​

2024-09-13: status quo of affected packages was bumped and rolled out to reduce regression potential​

2024-09-19: third iteration of patches with minor usability and backward compatibility improvements submitted for internal review and testing​

2024-09-20: Due to impact, an exception was granted to provide fixes for the EOL Proxmox VE 7 and Proxmox Mail Gateway 7 releases and a backport of the patches got submitted for internal review and testing​

2024-09-23: coordinated release of fixed packages to the Proxmox VE and Proxmox Mail Gateway repositories of the 7 and 8 release series.​

Fixed:
- Proxmox VE 8:

pve-manager >= 8.2.7, libpve-storage-perl >= 8.2.5, libpve-http-server-perl >= 5.1.1,​

(libpve-common-perl >= 8.2.3, only cosmetic changes to reduce misuse potential)​

- Proxmox Mail Gateway 8:

pmg-api >= 8.1.4, libpve-http-server-perl >= 5.1.1, (libpve-common-perl >= 8.2.5)​

- Proxmox Virtual Environment 7:

pve-manager >= 7.4-19, libpve-storage-perl >= 7.4-4, libpve-http-server-perl >= 4.3.0​

- Proxmox Mail Gateway 7:

pmg-api >= 7.3-12, libpve-http-server-perl >= 4.3.0​

References:
- CVE-2024-21545 (reserved)