Subject: PSA-2024-00009-1: Proxmox VE/Mail Gateway API: post-authentication privileged file read vulnerabilities
Advisory date: 2024-09-23
Packages:
- Proxmox Virtual Environment: pve-manager, libpve-storage-perl, libpve-http-server-perl, qemu-server
- Proxmox Mail Gateway: pmg-api, libpve-http-server-perl
Details:
Insufficient safeguards against malicious API response values allowed authenticated attackers with 'Sys.Audit' or 'VM.Monitor' privileges to download arbitrary host files via the API.
Two instances of this issue were discovered and reported by the Security Labs team at Snyk.
The issue was introduced in libpve-http-server-perl in version 3.2-1 (Proxmox VE/Proxmox Mail Gateway 6) with commit 6d832db ("allow 'download' to be passed from API handler").
Timeline:
2024-09-04: initial report by Snyk
2024-09-04: initial analysis and acknowledgment by Proxmox Security Team
2024-09-06: first iteration of patches submitted for internal review and testing
2024-09-12: second iteration of patches submitted for internal review and testing
2024-09-13: patches and tentative roll-out timeline submitted for feedback to Snyk
2024-09-13: status quo of affected packages was bumped and rolled out to reduce regression potential
2024-09-19: third iteration of patches with minor usability and backward compatibility improvements submitted for internal review and testing
2024-09-20: Due to impact, an exception was granted to provide fixes for the EOL Proxmox VE 7 and Proxmox Mail Gateway 7 releases and a backport of the patches got submitted for internal review and testing
2024-09-23: coordinated release of fixed packages to the Proxmox VE and Proxmox Mail Gateway repositories of the 7 and 8 release series.
2024-11-18: Add a reference to Snyk's just-released report
Fixed:
- Proxmox VE 8:
pve-manager >= 8.2.7, libpve-storage-perl >= 8.2.5, libpve-http-server-perl >= 5.1.1,
(libpve-common-perl >= 8.2.3, only cosmetic changes to reduce misuse potential)
- Proxmox Mail Gateway 8:
pmg-api >= 8.1.4, libpve-http-server-perl >= 5.1.1, (libpve-common-perl >= 8.2.5)
- Proxmox Virtual Environment 7:
pve-manager >= 7.4-19, libpve-storage-perl >= 7.4-4, libpve-http-server-perl >= 4.3.0
- Proxmox Mail Gateway 7:
pmg-api >= 7.3-12, libpve-http-server-perl >= 4.3.0
References:
- CVE-2024-21545 (reserved)
-
https://snyk.io/articles/proxmox-ve-cve-2024-21545-tricking-the-api/