CVE-2024-21545: Proxmox Virtual Environment Arbitrary File Read Due to Insufficient Safeguards

Proxmox Virtual Environment (Proxmox VE) is a widely used open-source server management platform for enterprise virtualization. It was recently found to contain a vulnerability that allows authenticated attackers holding the 'Sys.Audit' or 'VM.Monitor' privilege to download arbitrary files from the host via the API. The issue is tracked as CVE-2024-21545. In this post we walk through how the flaw works, with code snippets and links to the original references.

Vulnerability Details

The vulnerability is an arbitrary file read caused by insufficient safeguards against malicious values in API handler results. The problem lies in the 'handle_api2_request' function of the API server, which post-processes the result returned by a request handler before sending it to the client, and which treats a 'download' key in that result as an instruction to stream a local file, without checking whether the method in question is actually meant to serve files.

Here is a simplified illustration of the vulnerable pattern in 'handle_api2_request'. Proxmox VE's API server (pve-http-server) is written in Perl, so the snippet is given in Perl; it is condensed and not the verbatim upstream function.

```perl
# Simplified illustration of the vulnerable pattern (not verbatim upstream code).
sub handle_api2_request {
    my ($self, $reqstate, $auth, $method, $path) = @_;
    ...
    # result hash returned by whichever API method handled the request
    my $res = $handler->handle($rpcenv, $params);

    # honour 'download' at the top level, or nested under 'data'
    my $download = $res->{download};
    $download //= $res->{data}->{download}
        if ref($res->{data}) eq 'HASH';

    if (defined($download)) {
        # the file named in the handler's own result is streamed to the client;
        # nothing verifies that this method is supposed to serve files at all
        $self->send_file_start($reqstate, $download);
        return;
    }
    ...
}
```

The function checks for a 'download' key, either at the top level of the handler's result or nested under 'data'. If one is present, 'handle_api2_request' reads the local file it names and returns the contents to the caller. The safeguard that is missing is any link between the 'download' key and the method that produced it: every API method is implicitly trusted to return a file path, so a handler whose result can be influenced by the caller becomes a file-read primitive.

Two API endpoints were identified as exploitable, because the caller can influence the object returned by their request handler enough to plant a 'download' key with a value of their choosing:

1. https://[TARGET]/api2/json/nodes/[NODE]/ceph/mon/handle_mon_command
2. https://[TARGET]/api2/json/nodes/[NODE]/ceph/mon/mon_command

An authenticated attacker who holds the 'Sys.Audit' or 'VM.Monitor' privilege can abuse these endpoints to download arbitrary host files via the API. Because that privilege level is commonly granted to monitoring and read-only accounts, the consequences are serious: reading sensitive files such as the cluster's private authentication key allows the attacker to forge privileged sessions, leading to full compromise of the system.
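To make the failure mode concrete, the following added example (written for this post, not Proxmox code) models a tiny API dispatcher in Python. It implements the vulnerable logic described above, where any handler result carrying a 'download' key causes a host file to be read, next to a hardened variant that only honours 'download' for methods explicitly registered as download-capable and only for paths that resolve inside a fixed export root. The 'passthrough' handler stands in for an endpoint that relays a backend's JSON reply verbatim; the reply text is taken from the request parameters purely to model caller influence over it. The 'download_allowed' flag, the handler names and the temporary file layout are all this example's own assumptions.

```python
"""Vulnerable vs hardened handling of a 'download' key in an API handler's result.

Added example modelled on the pattern described in the post; not Proxmox code.
"""
import json
import os
import tempfile
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class ApiMethod:
    """A registered API method: its handler plus whether it may return a file."""
    handler: Callable[[dict], dict]
    download_allowed: bool = False  # this flag is the example's own design, not a PVE field


def _extract_download(res: dict):
    """Mirror the described behaviour: honour 'download' at the top level or under 'data'."""
    if "download" in res:
        return res["download"]
    data = res.get("data")
    if isinstance(data, dict) and "download" in data:
        return data["download"]
    return None


def handle_api2_request_vulnerable(method: ApiMethod, params: dict) -> dict:
    """Vulnerable pattern: any handler result carrying 'download' triggers a host file read."""
    res = method.handler(params)
    download = _extract_download(res)
    if download is not None:
        with open(download, "rb") as fh:
            return {"filename": os.path.basename(download), "content": fh.read()}
    return {"data": res}


def handle_api2_request_hardened(method: ApiMethod, params: dict, download_root: str) -> dict:
    """Hardened pattern: serve a file only for methods registered as download-capable,
    and only when the resolved path stays inside download_root."""
    res = method.handler(params)
    download = _extract_download(res)
    if download is None:
        return {"data": res}
    if not method.download_allowed:
        raise PermissionError("handler is not registered as download-capable")
    root = os.path.realpath(download_root)
    target = os.path.realpath(download)
    if os.path.commonpath([root, target]) != root:
        raise PermissionError("download path escapes the allowed root")
    with open(target, "rb") as fh:
        return {"filename": os.path.basename(target), "content": fh.read()}


def passthrough_handler(params: dict) -> dict:
    """Stand-in for an endpoint that relays a backend's JSON reply to the client verbatim.
    The reply text comes from params here to model caller influence over the result."""
    return {"data": json.loads(params["reply"])}


def make_export_handler(root: str) -> Callable[[dict], dict]:
    """Legitimate download endpoint: serves a named file from a fixed export directory."""
    def handler(params: dict) -> dict:
        return {"download": os.path.join(root, params["name"])}
    return handler


def run_demo() -> dict:
    """Build a throwaway host layout (constructed data) and exercise both dispatchers."""
    base = tempfile.mkdtemp()
    secret_path = os.path.join(base, "authkey.key")  # constructed stand-in for a host secret
    with open(secret_path, "wb") as fh:
        fh.write(b"-----BEGIN PRIVATE KEY-----\nexample\n")
    export_root = os.path.join(base, "exports")
    os.mkdir(export_root)
    with open(os.path.join(export_root, "backup.tar"), "wb") as fh:
        fh.write(b"TARDATA")

    passthrough = ApiMethod(handler=passthrough_handler)  # never meant to serve files
    export = ApiMethod(handler=make_export_handler(export_root), download_allowed=True)
    malicious = {"reply": json.dumps({"download": secret_path})}

    results = {}
    results["vulnerable_leak"] = handle_api2_request_vulnerable(passthrough, malicious)["content"]
    try:
        handle_api2_request_hardened(passthrough, malicious, export_root)
        results["hardened_blocked"] = False
    except PermissionError:
        results["hardened_blocked"] = True
    results["legit"] = handle_api2_request_hardened(export, {"name": "backup.tar"}, export_root)["content"]
    try:
        handle_api2_request_hardened(export, {"name": "../authkey.key"}, export_root)
        results["traversal_blocked"] = False
    except PermissionError:
        results["traversal_blocked"] = True
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

The two checks in the hardened dispatcher are independent and both matter: the per-method flag stops a passthrough endpoint from ever becoming a file-read primitive, and the root check stops a legitimate download endpoint from being steered outside its directory with a traversal name. The vulnerable dispatcher has neither, so the planted 'download' key in the relayed reply is enough to read the secret.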

For further information on the vulnerability, refer to the following sources:

1. Proxmox Virtual Environment Home Page
2. CVE-2024-21545 in the National Vulnerability Database
3. Proxmox Virtual Environment API Documentation

Conclusion

Insufficient safeguards against malicious values in API handler results can lead to severe vulnerabilities such as CVE-2024-21545: a single trusted key in a result object turned a read-only monitoring privilege into an arbitrary file read on the host. Developers should tie file-serving behaviour to the specific methods that need it rather than to a key any handler can emit, and administrators should keep their Proxmox Virtual Environment installations up to date with the latest security patches and review which accounts hold 'Sys.Audit' or 'VM.Monitor'. We hope the details, code snippets and references in this post help in understanding and mitigating the risk.

Timeline

Published on: 09/25/2024 01:15:40 UTC
Last modified on: 09/26/2024 13:32:02 UTC