Proxmox Virtual Environment and Mail Gateway Exposed to Critical API Vulnerability
A critical vulnerability has been identified in Proxmox Virtual Environment (VE) and Proxmox Mail Gateway (PMG) that could allow unauthorized access to sensitive files and potentially lead to a full system compromise. The vulnerability, tracked as CVE-2024-21545 with a CVSS score of 8.2, stems from insufficient safeguards in handling API responses, enabling attackers with specific privileges to download arbitrary host files.
The Security Labs team at Snyk discovered the issue and impacted various versions of Proxmox VE (versions 6 to 8) and Proxmox Mail Gateway (versions 6 to 8). The core of the vulnerability lies within the libpve-http-server-perl component, which, under certain conditions, allows authenticated users with ‘Sys.Audit’ or ‘VM.Monitor’ privileges to manipulate API responses to include arbitrary file paths, resulting in unauthorized downloads.
Exploitation Potential and Impacts:
- Sensitive Data Exposure: Attackers could gain access to confidential information such as system configurations, user credentials, or private keys.
- Privilege Escalation: Downloaded files could contain information or vulnerabilities leading to elevated privileges, potentially granting full control over the system.
- Remote Code Execution: In severe scenarios, malicious actors could execute arbitrary code on the affected systems, leading to complete system compromise.
Urgency and Remediation:
Proxmox has released security updates addressing this vulnerability. Users are strongly advised to apply these updates immediately:
- Proxmox VE 8: Upgrade to pve-manager >= 8.2.7, libpve-storage-perl >= 8.2.5, and libpve-http-server-perl >= 5.1.1.
- Proxmox Mail Gateway 8: Upgrade to pmg-api >= 8.1.4 and libpve-http-server-perl >= 5.1.1.
- Proxmox VE 7: Upgrade to pve-manager >= 7.4-19, libpve-storage-perl >= 7.4-4, and libpve-http-server-perl >= 4.3.0.
- Proxmox Mail Gateway 7: Upgrade to pmg-api >= 7.3-12 and libpve-http-server-perl >= 4.3.0.
