CVE-2024-21545 Overview
CVE-2024-21545 is an arbitrary file read vulnerability affecting Proxmox Virtual Environment, an open-source server management platform for enterprise virtualization. Insufficient safeguards against malicious API response values allow authenticated attackers with Sys.Audit or VM.Monitor privileges to download arbitrary host files via the API.
When handling the result from a request handler before returning it to the user, the handle_api2_request function checks for the download or data->download objects inside the request handler call response object. If present, handle_api2_request will read a local file defined by this object and return it to the user. Two endpoints were identified which can control the object returned by a request handler sufficiently that the download object is defined and user controlled, resulting in arbitrary file read.
Critical Impact
This vulnerability can result in full compromise of the system through disclosure of sensitive files, enabling privileged session forgery and complete system takeover.
Affected Products
- Proxmox Virtual Environment (versions prior to patched release)
- Proxmox VE API Server (pve-http-server)
- Systems running vulnerable Proxmox VE installations
Discovery Timeline
- September 25, 2024 - CVE-2024-21545 published to NVD
- September 26, 2024 - Last updated in NVD database
Technical Details for CVE-2024-21545
Vulnerability Analysis
This vulnerability is classified as CWE-73 (External Control of File Name or Path), allowing authenticated attackers to manipulate API responses to read arbitrary files from the host system. The flaw exists in the Proxmox VE HTTP server's API request handling mechanism, specifically within the handle_api2_request function located in the PVE/APIServer/AnyEvent.pm module.
The vulnerability requires network access and authentication with either Sys.Audit or VM.Monitor privileges. While the attack complexity is high due to the specific conditions required for exploitation, successful exploitation can have severe consequences including cross-scope impact on confidentiality and integrity.
The arbitrary file read capability is particularly dangerous in virtualization environments where configuration files, certificates, and authentication tokens may contain sensitive information that could be leveraged for further attacks.
Root Cause
The root cause stems from insufficient validation of API response objects. The handle_api2_request function trusts the download object within API responses without adequately verifying that the file path specified is within an allowed scope. This allows attackers who can influence the response object to specify arbitrary file paths for download, bypassing intended access controls.
The vulnerable code path checks for download or data->download objects in the response and proceeds to read the specified file from the local filesystem without proper sanitization or access control validation.
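The decision described above (serve a file whenever the response carries a download object) can be contrasted with a hardened version in a small model. The following Python is an added illustration written for this page, not code from pve-http-server (which is Perl); the function names, the DOWNLOAD_CAPABLE_HANDLERS set, the handler names and the allowed-root check are assumptions chosen for the example, and the hardened variant shows one reasonable design (handler must be declared download-capable, and the path must canonicalise beneath an allowed directory), not necessarily the exact upstream fix.

```python
"""Model of the response-handling decision behind CVE-2024-21545 (added example)."""
import os
import tempfile

# Assumption for the example: only handlers listed here may return a download.
DOWNLOAD_CAPABLE_HANDLERS = {"example/download-capable"}  # hypothetical handler name


def _extract_download(resp):
    """Mirror the page's description: look for 'download' or 'data'->'download'."""
    if not isinstance(resp, dict):
        return None
    if "download" in resp:
        return resp["download"]
    data = resp.get("data")
    if isinstance(data, dict) and "download" in data:
        return data["download"]
    return None


def handle_download_vulnerable(handler_name, resp):
    """Vulnerable pattern: any response carrying a download object is served as a file.
    handler_name is ignored, which is the whole problem."""
    dl = _extract_download(resp)
    if dl is None:
        return resp
    with open(dl["path"], "rb") as fh:  # path is whatever the response says
        return fh.read()


def handle_download_hardened(handler_name, resp, allowed_roots):
    """Hardened pattern: the handler must be download-capable and the path must
    canonicalise (symlinks resolved) to a location beneath an allowed root."""
    dl = _extract_download(resp)
    if dl is None:
        return resp
    if handler_name not in DOWNLOAD_CAPABLE_HANDLERS:
        raise PermissionError(f"handler {handler_name!r} may not return downloads")
    real = os.path.realpath(dl["path"])
    for root in allowed_roots:
        root_real = os.path.realpath(root)
        if os.path.commonpath([real, root_real]) == root_real:
            with open(real, "rb") as fh:
                return fh.read()
    raise PermissionError(f"{dl['path']!r} is outside the allowed download roots")


def _blocked(fn, *args):
    """True when fn raises PermissionError."""
    try:
        fn(*args)
        return False
    except PermissionError:
        return True


def run_demo():
    """Exercise both handlers on a constructed filesystem layout; returns outcomes."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        allowed_root = os.path.join(tmp, "dumps")
        os.mkdir(allowed_root)
        ok_file = os.path.join(allowed_root, "vm-100.conf")
        with open(ok_file, "w") as fh:
            fh.write("cores: 2\n")
        secret = os.path.join(tmp, "authkey.key")  # constructed stand-in for a host secret
        with open(secret, "w") as fh:
            fh.write("SECRET\n")
        link = os.path.join(allowed_root, "escape")  # symlink inside the root pointing out
        os.symlink(secret, link)

        capable, not_capable = "example/download-capable", "example/not-download-capable"
        resp_secret = {"data": {"download": {"path": secret}}}
        resp_link = {"download": {"path": link}}
        resp_ok = {"download": {"path": ok_file}}

        results["vuln_reads_secret"] = handle_download_vulnerable(not_capable, resp_secret) == b"SECRET\n"
        results["hardened_blocks_handler"] = _blocked(handle_download_hardened, not_capable, resp_secret, [allowed_root])
        results["hardened_blocks_outside"] = _blocked(handle_download_hardened, capable, resp_secret, [allowed_root])
        results["hardened_blocks_symlink"] = _blocked(handle_download_hardened, capable, resp_link, [allowed_root])
        results["hardened_serves_allowed"] = handle_download_hardened(capable, resp_ok, [allowed_root]) == b"cores: 2\n"
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

The symlink case is the one that a naive string-prefix check misses: the path string sits inside the allowed directory, but realpath resolves it to the secret outside, so the hardened handler refuses it.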
Attack Vector
The attack is network-based, requiring an authenticated attacker with specific privileges (Sys.Audit or VM.Monitor). The attacker exploits the API by crafting requests that manipulate the response handler to include a user-controlled download object pointing to sensitive system files.
The exploitation flow involves:
- Authenticating to the Proxmox VE API with valid credentials possessing Sys.Audit or VM.Monitor privileges
- Identifying vulnerable API endpoints that allow control over the response object
- Crafting malicious requests that inject a download object with a path to a target file
- The handle_api2_request function processes the response and reads the specified file
- The attacker receives the contents of the arbitrary file in the API response
Sensitive files that could be targeted include /etc/shadow, /etc/pve/priv/authkey.key, SSL certificates, and other authentication tokens that could enable session forgery or privilege escalation.
Detection Methods for CVE-2024-21545
Indicators of Compromise
- Unusual API requests from users with Sys.Audit or VM.Monitor privileges accessing unexpected endpoints
- API responses containing file contents that should not be accessible through normal operations
- Access logs showing repeated requests to the same API endpoints with varying parameters
- Authentication attempts using forged sessions following API exploitation
Detection Strategies
- Monitor Proxmox API access logs for anomalous request patterns, particularly targeting endpoints that could influence response objects
- Implement file access auditing on sensitive system files such as /etc/pve/priv/, /etc/shadow, and certificate directories
- Deploy network-based detection for API responses containing unexpected file content or system configuration data
- Correlate authentication events with API access patterns to identify potential session forgery attempts
Monitoring Recommendations
- Enable verbose logging for Proxmox API server to capture detailed request and response information
- Implement SIEM rules to alert on access to sensitive file paths through API endpoints
- Monitor for new or unusual sessions that may indicate successful session forgery
- Establish baseline API usage patterns for privileged users to detect anomalous behavior
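The indicators and monitoring points listed above (same endpoint hit repeatedly with varying parameters, responses far larger than the endpoint normally returns, privileged users on endpoints outside their baseline) can be turned into simple checks over the pveproxy access log. The Python below is an added example for this page, not Proxmox code; the log lines are constructed, the line layout (client, user@realm, bracketed timestamp, request line, status, bytes) is an assumption modelled on the Common Log Format that pveproxy's access.log resembles, the endpoint /api2/json/nodes/pve1/example is a placeholder, and the thresholds are arbitrary starting points to tune against real traffic.

```python
"""Detection helpers over constructed pveproxy-style access log lines (added example)."""
import re
import statistics
from collections import defaultdict

# Assumed CLF-like layout; adjust the pattern if your access.log differs.
LOG_RE = re.compile(
    r'^(?P<client>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

# Constructed sample: routine polling by root@pam, then one privileged user sweeping a
# single endpoint with many parameter variants and receiving one unusually large response.
SAMPLE_LOG = """\
10.0.0.5 - root@pam [25/09/2024:10:00:01 +0200] "GET /api2/json/cluster/resources HTTP/1.1" 200 5120
10.0.0.5 - root@pam [25/09/2024:10:00:31 +0200] "GET /api2/json/cluster/resources HTTP/1.1" 200 5133
10.0.0.5 - root@pam [25/09/2024:10:01:01 +0200] "GET /api2/json/cluster/resources HTTP/1.1" 200 5127
10.0.0.9 - auditor@pve [25/09/2024:10:02:10 +0200] "GET /api2/json/nodes/pve1/example?id=1 HTTP/1.1" 200 310
10.0.0.9 - auditor@pve [25/09/2024:10:02:11 +0200] "GET /api2/json/nodes/pve1/example?id=2 HTTP/1.1" 200 305
10.0.0.9 - auditor@pve [25/09/2024:10:02:12 +0200] "GET /api2/json/nodes/pve1/example?id=3 HTTP/1.1" 200 298
10.0.0.9 - auditor@pve [25/09/2024:10:02:13 +0200] "GET /api2/json/nodes/pve1/example?id=4 HTTP/1.1" 200 302
10.0.0.9 - auditor@pve [25/09/2024:10:02:14 +0200] "GET /api2/json/nodes/pve1/example?id=5 HTTP/1.1" 200 41233
"""

# Constructed baseline of endpoints each user is normally seen on.
BASELINE_PATHS = {
    "root@pam": {"/api2/json/cluster/resources"},
    "auditor@pve": {"/api2/json/cluster/resources"},
}


def parse_line(line):
    """Parse one access log line into a dict, splitting the target into path and query."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"], _, rec["query"] = rec["target"].partition("?")
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    rec["status"] = int(rec["status"])
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def find_parameter_sweeps(records, min_variants=4):
    """Same user, same path, many distinct query strings -> [(user, path, n_variants)]."""
    variants = defaultdict(set)
    for r in records:
        variants[(r["user"], r["path"])].add(r["query"])
    return sorted((u, p, len(q)) for (u, p), q in variants.items() if len(q) >= min_variants)


def find_oversized_responses(records, factor=10, min_samples=3):
    """Per path, flag a 200 response whose size exceeds factor x the median size of the
    other responses on that path; needs min_samples responses to form a baseline."""
    by_path = defaultdict(list)
    for r in records:
        if r["status"] == 200:
            by_path[r["path"]].append(r)
    hits = []
    for path, recs in by_path.items():
        if len(recs) < min_samples:
            continue
        for r in recs:
            others = [o["bytes"] for o in recs if o is not r]
            if r["bytes"] > factor * statistics.median(others):
                hits.append((r["user"], path, r["bytes"]))
    return hits


def find_new_endpoints(records, baseline):
    """Paths a user has not been seen on before -> {user: [paths]}."""
    new = defaultdict(set)
    for r in records:
        if r["path"] not in baseline.get(r["user"], set()):
            new[r["user"]].add(r["path"])
    return {u: sorted(p) for u, p in new.items()}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("parameter sweeps:", find_parameter_sweeps(recs))
    print("oversized responses:", find_oversized_responses(recs))
    print("new endpoints:", find_new_endpoints(recs, BASELINE_PATHS))
```

The size check compares each response with the median of its peers on the same path rather than a fixed byte limit, so a legitimately large endpoint does not trip it; the sweep check ignores response sizes entirely and catches the enumeration pattern even when every individual response looks benign.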
How to Mitigate CVE-2024-21545
Immediate Actions Required
- Apply the latest security patches from Proxmox as documented in the Proxmox Security Advisory
- Review and restrict users with Sys.Audit and VM.Monitor privileges to minimize attack surface
- Audit API access logs for any suspicious activity that may indicate exploitation attempts
- Consider implementing additional network segmentation to limit API access to trusted networks only
Patch Information
Proxmox has released security patches addressing this vulnerability. Administrators should consult the official Proxmox Security Advisory for detailed patching instructions and affected version information.
The fix addresses the insufficient validation in the handle_api2_request function to ensure that file download operations are properly restricted to authorized paths. Technical details of the vulnerable code can be reviewed in the Proxmox API Server Code Review.
Workarounds
- Temporarily revoke Sys.Audit and VM.Monitor privileges from non-essential users until patches can be applied
- Implement network-level access controls to restrict API access to management interfaces only
- Deploy a web application firewall (WAF) or API gateway with rules to inspect and filter suspicious API requests
- Enable strict audit logging and monitoring while awaiting patch deployment
# Example: Restrict API access via firewall rules
# Limit access to the Proxmox API port (8006/tcp) to the trusted management network only.
# Insert at the top of INPUT so these rules take effect before any broader ACCEPT rule;
# adjust 10.0.0.0/24 to your management network.
iptables -I INPUT 1 -p tcp --dport 8006 -s 10.0.0.0/24 -j ACCEPT
iptables -I INPUT 2 -p tcp --dport 8006 -j DROP
# Review who holds the Sys.Audit or VM.Monitor privilege.
# "pveum user list" does not show privileges; they are granted through roles via ACL entries.
# First find the roles that contain either privilege (the built-in PVEAuditor role includes Sys.Audit) ...
pveum role list | grep -E 'Sys\.Audit|VM\.Monitor'
# ... then list the ACL entries (path, role, user or group) granting those roles.
pveum acl list
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.