Proxmox Virtual Environment - Security Advisories

Status
Not open for further replies.

Subject: PSA-2024-00001-1: PixieFAIL EDK2 PXE vulnerabilities​


Advisory date: 2024-01-24

Package(s):
  • Proxmox VE 7.x:
    • pve-edk2-firmware
  • Proxmox VE 8.x:
    • pve-edk2-firmware-ovmf
    • pve-edk2-firmware-legacy
Details:

Nine vulnerabilities in EDK II's reference EFI implementation that can be exploited by unauthenticated remote attackers on the same local network, and in some cases, by attackers on remote networks were identified by researchers at QuarksLab. The impact of these vulnerabilities includes denial of service, information leakage, remote code execution, DNS cache poisoning, and network session hijacking, mainly via IPv6.

EDK II is used in Proxmox VE to provide the UEFI firmware to VM guests. PXE booting is enabled by default as lowest priority boot mechanism.

Fixed:
- pve-edk2-firmware-ovmf 4.2023.08-3 (Proxmox VE 8.x)
- pve-edk2-firmware 4.20230228-4~bpo11+2 (Proxmox VE 7.x)

Not Fixed:
- pve-edk2-firmware-legacy
(Proxmox VE 8.x, static copy of legacy 2 MB firmware files that cannot be build anymore, only used for backwards compatibility)

References:
- https://blog.quarkslab.com/pixiefai...-in-tianocores-edk-ii-ipv6-network-stack.html
- CVE-2023-45229: Integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message
- CVE-2023-45230: Buffer overflow in the DHCPv6 client via a long Server ID option
- CVE-2023-45231: Out of Bounds read when handling a ND Redirect message with truncated options
- CVE-2023-45232: Infinite loop when parsing unknown options in the Destination Options header
- CVE-2023-45233: Infinite loop when parsing a PadN option in the Destination Options header
- CVE-2023-45234: Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message
- CVE-2023-45235: Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message
- CVE-2023-45236: Predictable TCP Initial Sequence Numbers
- CVE-2023-45237: Use of a Weak PseudoRandom Number Generator
 

Subject: PSA-2024-00003-1: QEMU denial of service via VNC client clipboard access​


Advisory date: 2024-03-28

Package(s): pve-qemu-kvm

Details: A flaw was found in the QEMU built-in VNC server while processing ClientCutText messages. The qemu_clipboard_request() function can be reached before vnc_server_cut_text_caps() was called and had the chance to initialize the clipboard peer, leading to a NULL pointer dereference. This could allow a malicious authenticated VNC client to crash QEMU and trigger a denial of service.

Fixed: pve-qemu-kvm >= 8.1.5-1 (Proxmox Virtual Environment 8.x)

References: CVE-2023-6683
 

Subject: PSA-2024-00004-1: LDAP: missing schema validation for synced attributes​


Advisory date: 2024-03-28

Package(s): libpve-access-control

Details: On Proxmox Virtual Environment systems with user/group sync from LDAP or ActiveDirectory, the attribute values were not properly validated against the user.cfg schema, possibly allowing injection of arbitrary contents into user.cfg by an attacker controlling the directory server.

Please note that attackers controlling the directory server can already log in as any synced user, so it's never safe to integrate an untrusted LDAP or AD server as realm into a Proxmox project.

Fixed:
- libpve-access-control >= 8.1.1 (Proxmox Virtual Environment 8.x)
- libpve-access-control >= 7.4.3 (Proxmox Virtual Environment 7.x)
 

Subject: PSA-2024-00006-1: perl PVE API client certificate validation failure if fingerprint is not passed​


Advisory date: 2024-03-28

Package(s): libpve-api-client-perl

Details: Usage of the perl PVE API client module without a pinned TLS certificate fingerprint (see below for exact parameters) was broken.

The usage of this API client module inside Proxmox VE is limited to:
  • Cluster node join: here a fingerprint is required by the API schema, so joining via API (including the web UI) is not affected at all. For joining via the CLI the fingerprint is presented for confirmation and must be manually verified by the admin.
  • External remote node migration of virtual guests: this is currently a tech-preview and not exposed in the Proxmox VE user interface, usage with fingerprint was always safe.
  • Status and backup list of the PBS integration - a Denial of Service for PBS status, or bogus content listing might be returned by an attacker.
    Most actions, including sending or reading backup data, are not handled by the Perl client, but by the rust-based PBS client and libraries, so neither backup nor restore were affected at all.
Other usage of the client (e.g. in third party scripts or integrations) might be affected if $ssl_opts->{verify_hostname} is enabled, which is the default setting if no fingerprint is provided by the caller.

For any of the above scenarios to be exploitable, an attacker needs to be in a position to man-in-the-middle the client connection to the API server, like controlling the DNS server.

Note: This issue was found during internal audit, we do not know of any attack in the wild.

Fixed:
- libpve-api-client-perl >= 3.3.2 (Proxmox Virtual Environment 8.x, Proxmox Mail Gateway 8.x)
- libpve-api-client-perl >= 3.2-2 (Proxmox Virtual Environment 7.x, Proxmox Mail Gateway 7.x)
 

Subject: PSA-2024-00007-1: Shim bootloader remote code execution via http response​


Advisory date: 2024-06-28

Packages: shim-unsigned, shim-signed

Details: A remote code execution vulnerability was found in the secure boot Shim bootloader. The Shim boot support trusts attacker-controlled values when parsing an HTTP response. This flaw allows an attacker to craft a specific malicious HTTP request, leading to a completely controlled out-of-bounds write primitive and complete system compromise. This flaw is only exploitable during the early boot phase, an attacker needs to perform a Man-in-the-Middle or compromise the boot server to be able to exploit this vulnerability successfully.

Fixed: shim-unsigned >= 15.8, shim-signed >= 1.40+pmx1+15.8 (Proxmox VE 8.x, Proxmox Backup Server 3.x, Proxmox Mail Gateway 8.x)

Bullseye-based Proxmox products do not ship a custom version of shim, refer to Debian's security tracker if manual secure boot is in use.

References: CVE-2023-40547, shim 15.8 additionally fixes CVE-2023-40546 and CVE-2023-40548 to CVE-2023-40551
 

Subject: PSA-2024-00008-1: kernel: DoS via short ethernet frames over tun/tap interfaces​


Advisory date: 2024-07-29

Packages: Proxmox 5.15 kernel packages (Proxmox VE 7), Proxmox 6.5 and 6.8 kernel packages (Proxmox VE 8)

Details: The tun and tap network drivers in the Linux kernel lacked verification for short frames in XDP (eXpress Data Path).

This could be abused by a malicious guest with a VirtIO-net device to cause out-of-bound access in the host kernel and with certain hardware, even cause a kernel panic.

Fixed:
- proxmox-kernel-6.8.8-4-pve or later (for the 6.8 kernel series in Proxmox VE 8)
- proxmox-kernel-6.5.13-6-pve or later (for the 6.5 kernel series in Proxmox VE 8)
- pve-kernel-5.15.158-2-pve or any later 5.15 based package (for Proxmox VE 7)

References:
- https://www.openwall.com/lists/oss-security/2024/07/24/4
- CVE-2024-41090: missing verification for short frame in tap device
- CVE-2024-41091: missing verification for short frame in tun device
 

Subject: PSA-2024-00009-1: Proxmox VE/Mail Gateway API: post-authentication privileged file read vulnerabilities​


Advisory date: 2024-09-23

Packages:
- Proxmox Virtual Environment: pve-manager, libpve-storage-perl, libpve-http-server-perl, qemu-server
- Proxmox Mail Gateway: pmg-api, libpve-http-server-perl

Details:
Insufficient safeguards against malicious API response values allowed authenticated attackers with 'Sys.Audit' or 'VM.Monitor' privileges to download arbitrary host files via the API.

Two instances of this issue were discovered and reported by the Security Labs team at Snyk.
The issue was introduced in libpve-http-server-perl in version 3.2-1 (Proxmox VE/Proxmox Mail Gateway 6) with commit 6d832db ("allow 'download' to be passed from API handler").

Timeline:
2024-09-04: initial report by Snyk​
2024-09-04: initial analysis and acknowledgment by Proxmox Security Team​
2024-09-06: first iteration of patches submitted for internal review and testing​
2024-09-12: second iteration of patches submitted for internal review and testing​
2024-09-13: patches and tentative roll-out timeline submitted for feedback to Snyk​
2024-09-13: status quo of affected packages was bumped and rolled out to reduce regression potential​
2024-09-19: third iteration of patches with minor usability and backward compatibility improvements submitted for internal review and testing​
2024-09-20: Due to impact, an exception was granted to provide fixes for the EOL Proxmox VE 7 and Proxmox Mail Gateway 7 releases and a backport of the patches got submitted for internal review and testing​
2024-09-23: coordinated release of fixed packages to the Proxmox VE and Proxmox Mail Gateway repositories of the 7 and 8 release series.​
2024-11-18: Add a reference to Snyk's just-released report​

Fixed:
- Proxmox VE 8:
pve-manager >= 8.2.7, libpve-storage-perl >= 8.2.5, libpve-http-server-perl >= 5.1.1,​
(libpve-common-perl >= 8.2.3, only cosmetic changes to reduce misuse potential)​

- Proxmox Mail Gateway 8:
pmg-api >= 8.1.4, libpve-http-server-perl >= 5.1.1, (libpve-common-perl >= 8.2.5)​

- Proxmox Virtual Environment 7:
pve-manager >= 7.4-19, libpve-storage-perl >= 7.4-4, libpve-http-server-perl >= 4.3.0​

- Proxmox Mail Gateway 7:
pmg-api >= 7.3-12, libpve-http-server-perl >= 4.3.0​

References:
- CVE-2024-21545 (reserved)
- https://snyk.io/articles/proxmox-ve-cve-2024-21545-tricking-the-api/
 
Last edited:

Subject: PSA-2024-00010-1: Proxmox VE iSCSI plugin volume path confusion​


Advisory date: 2024-11-20

Packages: libpve-storage-perl

Details:
On a Proxmox VE system with an active storage of type 'iscsi', a sufficiently privileged user can trick the system into accessing arbitrary host block devices, including passing them through into guests as volume, instead of such access being limited to iSCSI LUNs belonging to that storage
instance/iSCSI target.

Sufficient privs in this case means having permissions for both Datastore.Allocate on an iSCSI storage and VM.Config.Disk on a virtual machine.
If only the built-in access roles were used, the roles with the smallest privilege set that would allow this to be exploited would be a combination of both PVEDatastoreAdmin and PVEVMAdmin, or for a single role, PVEAdmin.

This issue was discovered internally, there are no known instances of it being exploited.

Fixed:
- libpve-storage-perl version 8.2.6

References: None
 

Subject: PSA-2024-00013-1: Proxmox VE OVA/OVF importer: Insufficient validation of untrusted input​


Advisory date: 2024-12-11

Packages:

- libpve-storage-perl == 8.2.8 (pvetest and pve-no-subscription only)

Details:
On a Proxmox VE system with an active storage with content type "import", a sufficiently privileged attacker could import a specifically crafted OVA appliance and obtain a VM whose disk contains a copy of an arbitrary host file chosen by the attacker.

The required privileges are:
- Datastore.Audit and Datastore.AllocateTemplate on a storage with content type "import", to upload the crafted OVA appliance.
- Necessary privileges for creating a VM from the OVA appliance, including (but not limited to) Datastore.Audit and Datastore.AllocateSpace on a VM disk storage.

This issue was discovered internally, there are no known instances of it being exploited.

Fixed:
- libpve-storage-perl 8.2.9
- libpve-storage-perl <= 8.2.7 are unaffected as these versions do not implement OVA/OVF uploads
 

Subject: PSA-2024-00014-1: image format confusion issues​


Advisory date: 2024-12-11

Packages: libpve-storage-perl, qemu-server, proxmox-backup-file-restore

Details:
Multiple ways of tricking a Proxmox VE system into using specially crafted, user-provided image data with an unexpected format were discovered. Some instances of this issue include resolving references to arbitrary host files, effectively providing read or - in some instances - write access to such files.

All known instances of these issues require some combination of the following as pre-requisite:
- direct access to a VM guest (shell, SSH, ..)
- VM.Config.Disk or VM.Config.CDROM privileges on a VM guest
- VM.Backup, VM.Clone or VM.Allocate privileges on a VM guest
- Datastore.AllocateTemplate privileges on a storage
- privileges to create a PBS backup snapshot

These issues were discovered, analyzed and fixed internally. There are no known instances of them being exploited. Upgrading affected Proxmox VE systems as soon as possible is recommended.

Fixed: qemu-server >= 8.3.2, libpve-storage-perl >= 8.3.0, proxmox-backup-file-restore >= 3.3.2-1
 

Subject: PSA-2024-00016-1: XSS via Qemu guest agent response​


Advisory date: 2024-12-18

Packages: pve-manager

Details:
The VM summary panel of the Proxmox VE web interface was missing encoding of values returned by the QEMU Guest Agent (QGA). A malicious agent implementation inside the VM could return arbitrary content that would be injected into the rendered page.

This issue was reported by Jens Krabbenhöft.

Fixed: pve-manager >= 8.3.2
 

Subject: PSA-2025-00001-1: Image format confusion with hot-changed CDROM media​


Advisory date: 2025-01-21

Packages: qemu-server

Details: Missing checks when hot-swapping a CDROM drive's media could result in an image's format being automatically detected without proper verification, potentially allowing an attacker with VM.Config.CDROM privileges to read arbitrary host files.

This issue was discovered and fixed internally.

Fixed: qemu-server >= 8.3.5
 

Subject: PSA-2025-00002-1: UI: missing HTML-encoding of potentially user-provided data​


Advisory date: 2025-01-21

Packages: pve-manager, proxmox-widget-toolkit

Details: Some fields displayed in the web interface could contain potentially user-provided data without escaping contained HTML tags before rendering.

This issue was discovered and fixed internally.

Fixed: pve-manager >= 8.3.3, proxmox-widget-toolkit >= 4.3.4
 

Subject: PSA-2025-00003-1: Missing format enforcement for snapshot state volumes​


Advisory date: 2025-02-18

Packages: pve-qemu-kvm

Details: An attacker could cause Qemu to load a malicious snapshot state volume triggering arbitrary host file reads. A successful attack requires VM.Config.Snapshot and VM.Config.Disk privileges.

This issue was discovered and fixed internally.

Fixed: pve-qemu-kvm 9.0 >= 9.0.2-5 or pve-qemu-kvm >= 9.1.2-3
 

Subject: PSA-2025-00004-1: Automatic format detection in vma create, used for template VMs​


Advisory date: 2025-02-25

Packages: pve-qemu-kvm, qemu-server

Details:
The vma create CLI command lacked an option to specify an explicit format for images to be included in the created backup archive.
Creating a backup of a malicious image file could cause vma to include arbitrary host file data in the backup.

Within Proxmox VE, vma create is only used to create VMA-based backups of template VMs.
It does not affect non-template VMs or backups that do not use the VMA format, such as container backups in general or VM backups to Proxmox Backup Server targets.

Users calling vma create manually or in scripts on potentially untrusted images are advised to adjust these calls to include the expected image format to avoid auto-detection and possible format confusion within vma.

Fixed: pve-qemu-kvm 9.0 >= 9.0.2-5 or pve-qemu-kvm >= 9.1.2-3 and qemu-server >= 8.3.8
 

Subject: PSA-2025-00005-1: Various SecureBoot bypasses, data integrity violations and sensitive data leaks in Grub​


Advisory date: 2025-03-06

Packages: grub-pc-bin, grub-efi-amd64-bin, grub-efi-amd64-signed, grub-efi-amd64-unsigned

Details:

21 issues in Grub's codebase were found that could allow an attacker to bypass Secure Boot protections (if enabled), leak sensitive data from Grub's environment or configuration or violate other integrity protections within Grub.

Fixed:
- grub-pc-bin (>= 2.06-13+pmx5)
- grub-efi-amd64-bin (>= 2.06-13+pmx5)
- grub-efi-amd64-unsigned (>= 2.06-13+pmx5)
- grub-efi-amd64-signed (>= 1+2.06+13+pmx5)
- proxmox-secure-boot-policies (>= 0.0~git20240117.c443a5f-5)
- proxmox-secure-boot-policies-amd64-signed (>= 0.0~git20240117.c443a5f-5)

To fully prevent downgrade attacks after upgrading to fixed versions of the packages, see the instructions in our wiki:

https://pve.proxmox.com/wiki/Secure_Boot_Setup#Setting_a_Stricter_Revocation_Policy

References:
CVE-2024-45774: reader/jpeg: Heap OOB Write during JPEG parsing.
CVE-2024-45775: commands/extcmd: Missing check for failed allocation.
CVE-2024-45776: grub-core/gettext: Integer overflow leads to Heap OO Write and Read.
CVE-2024-45777: grub-core/gettext: Integer overflow leads to Heap OOB Write.
CVE-2024-45778: fs/bfs: Integer overflow in the BFS parser.
CVE-2024-45779: fs/bfs: Integer overflow leads to Heap OOB Read (Write?) in the BFS parser.
CVE-2024-45780: fs/tar: Integer Overflow causes Heap OOB Write.
CVE-2024-45781: fs/ufs: OOB write in the heap.
CVE-2024-45782: fs/hfs: strcpy() using the volume name (fs/hfs.c:382)
CVE-2024-45783: fs/hfs+: refcount can be decremented twice
CVE-2025-0622: command/gpg: Use-after-free due to hooks not being removed on module unload
CVE-2025-0624: net: Out-of-bounds write in grub_net_search_config_file()
CVE-2025-0677: UFS: Integer overflow may lead to heap based out-of-bounds write when handling symlinks
CVE-2025-0678: squash4: Integer overflow may lead to heap based out-of-bounds write when reading data
CVE-2025-0684: reiserfs: Integer overflow when handling symlinks may lead to heap based out-of-bounds write when reading data
CVE-2025-0685: jfs: Integer overflow when handling symlinks may lead to heap based out-of-bounds write when reading data
CVE-2025-0686: romfs: Integer overflow when handling symlinks may lead to heap based out-of-bounds write when reading data
CVE-2025-0689: udf: Heap based buffer overflow in grub_udf_read_block() may lead to arbitrary code execution
CVE-2025-0690: read: Integer overflow may lead to out-of-bounds write
CVE-2025-1118: commands/dump: The dump command is not in lockdown when secure boot is enabled
CVE-2025-1125: fs/hfs: Integer overflow may lead to heap based out-of-bounds write
 
Status
Not open for further replies.
Top Bottom