CVE-2024-21545

External Control of File Name or Path (CWE-73)

Published: Sep 25, 2024 / Updated: 56d ago

CVSS 8.2 / EPSS 0.04% / High

Summary

Proxmox Virtual Environment, an open-source server management platform for enterprise virtualization, has a vulnerability in its API response handling. Insufficient safeguards against malicious API response values allow authenticated attackers with 'Sys.Audit' or 'VM.Monitor' privileges to download arbitrary host files via the API. The handle_api2_request function checks for a 'download' or 'data'->'download' object in the response object returned by the request handler. If one is present, it reads the local file named by that object and returns it to the user. Two endpoints were identified where users can control the object returned by a request handler, so the 'download' object becomes user-controlled, resulting in arbitrary file read.
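As an added illustration (not Proxmox code), the following Python model shows the dispatch pattern the summary describes, where a 'download' object in the handler's response drives a file read, beside a hardened dispatcher that only honours that object for endpoints explicitly declared to return downloads and only for paths under an export root. The 'download_allowed' flag, the export root, the echo handler and the demo files are assumptions of this model.

```python
import tempfile
from pathlib import Path
# Constructed model of the dispatch pattern behind CVE-2024-21545: the front end
# honours a 'download' object in the handler's response ('download' or
# 'data'->'download') and streams that file. 'download_allowed' and the
# export-root check are assumptions of this model, not Proxmox's own fix.

def download_object(res):
    """Download object at top level or under 'data', else None."""
    res = res if isinstance(res, dict) else {}
    data = res.get("data") if isinstance(res.get("data"), dict) else {}
    dl = res.get("download") or data.get("download")
    return dl if isinstance(dl, dict) else None

def vulnerable_dispatch(endpoint, params):
    """Trusts the response: whatever path it names is read and returned."""
    dl = download_object(res := endpoint["handler"](params))
    return Path(dl["path"]).read_bytes() if dl else res

def hardened_dispatch(endpoint, params, export_root):
    """Only a declared download endpoint may serve a file, only from below export_root."""
    dl = download_object(res := endpoint["handler"](params))
    if dl is None:
        return res
    if not endpoint.get("download_allowed", False):
        raise PermissionError("endpoint is not declared as a download endpoint")
    root = Path(export_root).resolve()
    target = (root / dl["path"]).resolve()  # resolved: '..' and symlinks cannot escape
    if root not in target.parents:
        raise PermissionError("download path escapes the export root")
    return target.read_bytes()

def demo():
    """Both dispatchers against a handler that echoes a caller-chosen path (constructed)."""
    root, outside = Path(tempfile.mkdtemp()), Path(tempfile.mkdtemp())
    (root / "report.txt").write_bytes(b"inside")
    (outside / "secret.txt").write_bytes(b"outside")
    echo = {"handler": lambda p: {"data": {"download": {"path": p["file"]}}}}
    export = dict(echo, download_allowed=True)  # the one endpoint meant to serve files
    def attempt(fn, *args):
        try:
            return fn(*args)
        except PermissionError as e:
            return "denied: " + str(e)
    return {
        "vuln_any_path": attempt(vulnerable_dispatch, echo, {"file": str(outside / "secret.txt")}),
        "undeclared": attempt(hardened_dispatch, echo, {"file": "report.txt"}, root),
        "inside": attempt(hardened_dispatch, export, {"file": "report.txt"}, root),
        "absolute": attempt(hardened_dispatch, export, {"file": str(outside / "secret.txt")}, root),
    }
```

The echo handler stands in for an endpoint whose return value the caller can shape; the hardened dispatcher refuses both the undeclared endpoint and any path outside the export root.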

Impact

This vulnerability can lead to arbitrary file read with the potential for full system compromise. Attackers can disclose sensitive files, which may allow for privileged session forgery. The impact is severe, with high confidentiality and integrity impacts. The CVSS v3.1 base score is 8.2 (High), with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N. This indicates a network-based attack vector, high attack complexity, low privileges required, no user interaction needed, and a changed scope. Both confidentiality and integrity impacts are high, though availability impact is none.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of exploitation in the wild at the moment.

Patch

The vulnerability data does not explicitly mention a patch. However, given the recent publication date (September 25, 2024) and the detailed description of the vulnerability, it's likely that a patch is being developed or may have been recently released. The security team should check for the latest updates from Proxmox and apply any available patches as soon as possible.

Mitigation

While waiting for an official patch, consider the following mitigation strategies:
1. Restrict access to the Proxmox Virtual Environment API, especially for users with 'Sys.Audit' or 'VM.Monitor' privileges.
2. Implement network segmentation to limit the exposure of the Proxmox management interface.
3. Monitor and audit API access logs for any suspicious activities or unauthorized file access attempts.
4. If possible, temporarily disable or restrict the functionality of the two vulnerable endpoints identified (though these are not specifically named in the provided data).
5. Regularly review and update user privileges, adhering to the principle of least privilege.
6. Implement additional access controls or authentication mechanisms for sensitive file operations.
7. Consider using intrusion detection/prevention systems (IDS/IPS) to monitor for potential exploitation attempts.

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N

Timeline

First Article

Feedly found the first article mentioning CVE-2024-21545.

Sep 24, 2024 at 8:16 AM / VulDB Recent Entries
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Sep 24, 2024 at 8:16 AM
CVE Assignment

NVD published the first details for CVE-2024-21545

Sep 25, 2024 at 1:15 AM
CVSS

A CVSS base score of 8.2 has been assigned.

Sep 25, 2024 at 1:21 AM / nvd
EPSS

EPSS Score was set to: 0.04% (Percentile: 9.6%)

Sep 25, 2024 at 9:39 AM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (731811)

Sep 26, 2024 at 7:53 AM
Threat Intelligence Report

CVE-2024-21545, identified in Proxmox VE 8.2.2, is a critical vulnerability that allows an authenticated attacker to fully compromise the target system, even with limited permissions. The research highlights two exploitation vectors stemming from the same root cause, but no specific details on CVSS score, exploitation in the wild, proof-of-concept exploits, mitigations, detections, patches, or downstream impacts are provided. Further investigation is necessary to assess the full implications and available defenses against this vulnerability.

Nov 11, 2024 at 4:28 PM

Affected Systems

Proxmox/virtual_environment

Links to Mitre Att&cks

T1562.003: Impair Command History Logging

Attack Patterns

CAPEC-13: Subverting Environment Variable Values

References

Proxmox VE CVE-2024-21545 - Tricking the API into giving you the keys
Some of these parameters are not important to us or will be discussed later, but the key parameters we can see include the path the request handler handles, the permissions check showing the we outlined earlier, the request parameters with the (annoyingly effective) validation, and finally the actual code function to be executed (snipped here because it’s pretty long). Compiling this change and executing our newly built qemu-ga binary as root inside our VM allows us to perform a valid and authenticated request against the API endpoint and it will respond with the contents of returned to us.

News

The Cyber Espresso - November 12, 2024
Welcome to the daily edition (November 12, 2024) of the Cyber Espresso, a collection and summary of various articles, reports and events discussed and shared across Mastodon under the hashtag Cybersecurity. The basic idea behind the experiment was to create a personalized summary of what has happened in the past 24 hours across the Mastodon Cybersecurity sphere.
Proxmox VE CVE-2024-21545 - Tricking the API into giving you the keys: https://snyk.io/articles/proxmox-ve-cve-2024-21545-tricking-the-api/ #virtualization #cybersecurity #hacking #api #redteam #cve #vulnerability #exploitation
Vulnerability Summary for the Week of September 23, 2024
High Vulnerabilities (columns: Primary Vendor -- Product; Description; Published; CVSS Score; Source Info; Patch Info):
- Dover Fueling Solutions (DFS) -- ProGauge MAGLINK LX CONSOLE: A specially crafted POST request to the ProGauge MAGLINK LX CONSOLE UTILITY sub-menu can allow a remote attacker to inject arbitrary commands. Published 2024-09-25; CVSS 10; CVE-2024-43693; ics-cert@hq.dhs.gov
- Dover Fueling Solutions (DFS) -- ProGauge MAGLINK LX CONSOLE: A specially crafted POST request to the ProGauge MAGLINK LX CONSOLE IP sub-menu can allow a remote attacker to inject arbitrary commands. Published 2024-09-25; CVSS 10; CVE-2024-45066; ics-cert@hq.dhs.gov
- webdevmattcrom -- GiveWP Donation Plugin and Fundraising Platform: The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.16.1 via deserialization of untrusted input via several parameters like 'give_title' and 'card_address'. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to delete arbitrary files and achieve remote code execution. This is essentially the same vulnerability as CVE-2024-5932; however, it was discovered that the presence of stripslashes_deep on user_info allows the is_serialized check to be bypassed. This issue was mostly patched in 3.16.1, but further hardening was added in 3.16.2. Published 2024-09-28; CVSS 10; CVE-2024-8353; security@wordfence.com
- Scriptcase -- Scriptcase: Vulnerability in the Scriptcase application version 9.4.019, which involves the arbitrary upload of a file via /scriptcase/devel/lib/third/jquery_plugin/jQuery-File-Upload/server/php/ via a POST request. An attacker could upload malicious files to the server due to the application not properly verifying user input. Published 2024-09-25; CVSS 10; CVE-2024-8940; cve-coordination@incibe.es
- n/a -- n/a: File Upload vulnerability in CS-Cart MultiVendor 4.16.1 allows remote attackers to run arbitrary code via the image upload feature when customizing a shop.
Security Bulletin 02 Oct 2024 - Cyber Security Agency of Singapore
This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing ...

CVSS V3.1

Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability Impact: None
