CVE-2024-21545
📋 TL;DR
An authenticated Proxmox Virtual Environment user who holds the 'Sys.Audit' or 'VM.Monitor' privilege can read arbitrary files from the host through the API: the server does not sufficiently validate API response values, so a crafted request makes the API hand back the contents of a host file as a download. Because the readable files can include keys, credentials and configuration, the bug can escalate to full host compromise. Every Proxmox VE installation running an unpatched version is affected.
💻 Affected Systems
- Proxmox Virtual Environment
⚠️ Manual Verification Required
This CVE has no structured affected-version range in our database, so automatic detection cannot decide whether your system is affected.
Why? The CVE entry carries no affected-version ranges (none were provided in structured form by the vendor/NVD), only a free-text description.
- Review the CVE details at NVD
- Check the vendor security advisory (linked below) for the patched package versions
- Compare the installed version ('pveversion') against the advisory; with no public exploit to test with, the version comparison is the practical check
- Update to the latest version if there is any doubt
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise through disclosure of sensitive files like SSH keys, configuration files, or authentication tokens, enabling privileged session forgery and lateral movement.
Likely Case
Unauthorized access to sensitive host files containing credentials, configuration data, or virtual machine data, leading to data breach and potential privilege escalation.
If Mitigated
Limited impact if proper access controls, network segmentation, and monitoring are in place to detect and block suspicious API activity.
🎯 Exploit Status
Exploitation needs a valid account holding one of the two privileges; from there it is a matter of ordinary API calls, with no further interaction required. The CVE record references no public exploit code.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: the vendor's description of CVE-2024-21545 names Proxmox VE 8.2.7 as the fixed release; confirm the exact package versions in the advisory below before relying on that number
Vendor Advisory: https://forum.proxmox.com/threads/proxmox-virtual-environment-security-advisories.149331/post-705345
Restart Required: Yes
Instructions:
1. Record the running version with 'pveversion' ('pveversion -v' lists every PVE package).
2. Apply the security update: 'apt update && apt dist-upgrade'.
3. Restart the API services ('systemctl restart pveproxy pvedaemon') or reboot the host, then re-check with 'pveversion'.
🔧 Temporary Workarounds
Restrict API Access
Limit the API/GUI port to the management network so that only trusted hosts can reach the vulnerable endpoints. This helps only against accounts used from outside that network; an authenticated user who already sits on the management network is not affected by it. The rules below are plain iptables and do not survive a reboot; on Proxmox VE the supported way is the built-in firewall (pve-firewall), where the same restriction is configured in the cluster or node firewall rules. Replace TRUSTED_IP with your management host or network (e.g. 10.0.0.0/24) and repeat with ip6tables if the host is reachable over IPv6.
iptables -I INPUT 1 -p tcp --dport 8006 -s TRUSTED_IP -j ACCEPT
iptables -I INPUT 2 -p tcp --dport 8006 -j DROP
Minimize Privilege Assignment
Review which users, groups and API tokens hold 'Sys.Audit' or 'VM.Monitor' ('pveum role list' shows which roles contain them, 'pveum acl list' shows who is assigned those roles) and remove every grant that is not strictly needed. Note that Sys.Audit is part of the built-in PVEAuditor role, which is commonly handed to read-only monitoring integrations, so "read-only" accounts and their API tokens are in scope.
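The privilege review above, carried out as a script. This is an added example, not part of the advisory or of Proxmox's own tooling: it reads the plain-text output of 'pveum role list --noborder --noheader' and 'pveum acl list --noborder' (assumed layout: one record per line, whitespace-separated, with the ACL header line kept so column positions can be read from it) and lists every ACL entry that grants a role containing Sys.Audit or VM.Monitor. The sample tables are constructed and abbreviated, not taken from a real cluster.

```shell
#!/bin/sh
# Added example (not from the advisory or Proxmox tooling): find every
# principal that holds Sys.Audit or VM.Monitor and can therefore exploit
# CVE-2024-21545. Input format is an assumption about `pveum ... --noborder`
# output; verify it against your own cluster before trusting the result.
set -eu

PRIVS='Sys.Audit VM.Monitor'

# roles_with_privs: stdin = `pveum role list --noborder --noheader`
# (roleid first, then its privileges). Prints each roleid that contains a
# privilege from $PRIVS. Commas are tolerated as separators.
roles_with_privs() {
    tr ',' ' ' | awk -v privs="$PRIVS" '
        BEGIN { n = split(privs, want, " ") }
        NF >= 2 {
            for (i = 2; i <= NF; i++)
                for (j = 1; j <= n; j++)
                    if ($i == want[j]) { print $1; next }
        }'
}

# acls_for_roles: stdin = `pveum acl list --noborder` including its header;
# $1 = newline-separated roleids. Column positions come from the header line,
# so the order of path/roleid/ugid in the output is not hard-coded.
# Prints: path principal roleid
acls_for_roles() {
    awk -v roles="$1" '
        BEGIN {
            n = split(roles, r, "\n")
            for (i = 1; i <= n; i++) if (r[i] != "") hit[r[i]] = 1
        }
        NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
        NF > 0 && ($(col["roleid"]) in hit) {
            print $(col["path"]), $(col["ugid"]), $(col["roleid"])
        }'
}

# audit ROLE_TABLE ACL_TABLE: ties both steps together.
audit() {
    roles=$(printf '%s\n' "$1" | roles_with_privs)
    printf '%s\n' "$2" | acls_for_roles "$roles"
}

# Constructed sample input (privilege lists abbreviated).
SAMPLE_ROLES='Administrator Datastore.Allocate Sys.Audit Sys.Modify VM.Monitor
PVEAuditor Datastore.Audit Pool.Audit SDN.Audit Sys.Audit VM.Audit
PVEVMUser VM.Audit VM.Backup VM.Console VM.PowerMgmt
NoAccess'
SAMPLE_ACLS='path roleid type ugid propagate
/ Administrator user root@pam 1
/ PVEAuditor token monitoring@pve!exporter 1
/vms/100 PVEVMUser user dev@pve 1'

# On a live host replace the samples with:
#   audit "$(pveum role list --noborder --noheader)" "$(pveum acl list --noborder)"
audit "$SAMPLE_ROLES" "$SAMPLE_ACLS"
```

The output lists the monitoring token as well as root, which is the point: a principal that can only ever "read" the cluster is still able to exploit this bug, so it belongs in the same review as administrative accounts.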
🧯 If You Can't Patch
- Isolate the management interface (API/GUI port 8006 and SSH) from user and VM networks
- Watch pveproxy's access log (/var/log/pveproxy/access.log) for unusual API download activity, especially from monitoring accounts and API tokens, and alert on it
🔍 How to Verify
Check if Vulnerable:
Compare the installed pve-manager version with the patched version given in the security advisory; a host is vulnerable if it runs an older version.
Check Version:
pveversion
Verify Fix Applied:
Re-run 'pveversion' after the upgrade (and 'pveversion -v' if the advisory lists further packages) and confirm the versions match the advisory. The CVE record references no public exploit code, so the version comparison is the practical verification.
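The version comparison from the two steps above as a small script, added here as an example rather than taken from the advisory. It parses the single line 'pveversion' prints, accepts both the PVE 8 form (8.2.4) and the older hyphenated PVE 7 form (7.4-17), and compares field by field so that 8.2.10 correctly sorts after 8.2.7. FIXED is the release the vendor's CVE description names as fixed; treat it as a parameter and confirm it against the advisory. The sample lines are constructed and the hashes are placeholders.

```shell
#!/bin/sh
# Added example (not from the advisory or Proxmox): classify a host from its
# `pveversion` output. FIXED is an assumption taken from the CVE description;
# confirm it against the vendor advisory before relying on it.
set -eu

FIXED='8.2.7'

# pve_manager_version LINE: extracts the pve-manager version from a line such as
#   pve-manager/8.2.4/0123456789abcdef (running kernel: 6.8.12-1-pve)
# PVE 7 printed a hyphenated form (7.4-17); both are accepted.
pve_manager_version() {
    printf '%s\n' "$1" | sed -n 's|^pve-manager/\([0-9][0-9.-]*\)/.*|\1|p'
}

# version_lt A B: succeeds when dotted version A is older than B.
# Fields are compared numerically, so 8.2.10 sorts after 8.2.7.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        gsub(/-/, ".", a); gsub(/-/, ".", b)
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# check_pveversion LINE: prints vulnerable, fixed or unknown.
check_pveversion() {
    v=$(pve_manager_version "$1")
    if [ -z "$v" ]; then
        echo unknown
    elif version_lt "$v" "$FIXED"; then
        echo vulnerable
    else
        echo fixed
    fi
}

# Constructed samples; on a real host run:  check_pveversion "$(pveversion)"
check_pveversion 'pve-manager/8.2.4/0123456789abcdef (running kernel: 6.8.12-1-pve)'
check_pveversion 'pve-manager/8.2.7/0123456789abcdef (running kernel: 6.8.12-2-pve)'
check_pveversion 'pve-manager/7.4-17/0123456789abcdef (running kernel: 5.15.108-1-pve)'
```

Run it once per node; in a cluster every node must be on the fixed release, since the API is served by each node's own pveproxy.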
📡 Detection & Monitoring
Log Indicators:
- API requests in /var/log/pveproxy/access.log whose path or query string asks for a download, especially from accounts or API tokens that normally only poll status
- Repeated download-style requests from a single user or token in a short window, whether they return 200 or 403
Network Indicators:
- Unusual request volume from one client to the API port (typically 8006); the traffic is TLS, so content-level detection needs the pveproxy access log or a TLS-terminating proxy in front of the node
SIEM Query:
source="proxmox" AND event="api_request" AND url_path="/api2/*" AND (url_path="*download*" OR parameters="*download*")
(Template using wildcard matching; the field names depend on how the pveproxy access log is parsed into your SIEM.)
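The same detection logic run locally over access-log lines, as an added example that is not part of the advisory. It assumes the pveproxy access log format (Common Log Format with the authenticated principal in the third field, as written to /var/log/pveproxy/access.log), counts download-style API requests per principal and source address, and raises an alert when a pair exceeds THRESHOLD requests. The log lines and the API paths in them are constructed placeholders, not the endpoints involved in the CVE.

```shell
#!/bin/sh
# Added example (not from the advisory): heuristic pass over pveproxy's access
# log for the indicators above. Assumed line layout (constructed sample):
#   client - principal [date] "METHOD /api2/... HTTP/1.1" status bytes
set -eu

THRESHOLD="${THRESHOLD:-5}"

# download_requests: stdin = access-log lines. For every API request whose
# path or query string mentions "download", prints
#   principal source_ip requests succeeded(2xx)
download_requests() {
    awk '
        $6 ~ /^"(GET|POST)$/ && $7 ~ /^\/api2\// && tolower($7) ~ /download/ {
            key = $3 " " $1
            total[key]++
            if ($9 ~ /^2/) ok[key]++
        }
        END { for (k in total) print k, total[k], ((k in ok) ? ok[k] : 0) }' | sort
}

# flag_bursts: same stdin; one ALERT line per principal/source pair with at
# least THRESHOLD download-style requests.
flag_bursts() {
    download_requests | awk -v t="$THRESHOLD" '
        $3 >= t { print "ALERT", $1, "from", $2 ":", $3, "download requests,", $4, "succeeded" }'
}

# Constructed sample log; paths are placeholders, not the vulnerable endpoints.
SAMPLE_LOG='10.0.0.5 - monitoring@pve!exporter [10/10/2024:12:00:01 +0000] "GET /api2/json/nodes/pve1/status HTTP/1.1" 200 812
10.0.0.5 - monitoring@pve!exporter [10/10/2024:12:00:02 +0000] "GET /api2/json/nodes/pve1/placeholder?download=1&file=a HTTP/1.1" 200 3311
10.0.0.5 - monitoring@pve!exporter [10/10/2024:12:00:03 +0000] "GET /api2/json/nodes/pve1/placeholder?download=1&file=b HTTP/1.1" 200 1024
10.0.0.5 - monitoring@pve!exporter [10/10/2024:12:00:04 +0000] "GET /api2/json/nodes/pve1/placeholder?download=1&file=c HTTP/1.1" 403 13
10.0.0.5 - monitoring@pve!exporter [10/10/2024:12:00:05 +0000] "GET /api2/json/nodes/pve1/placeholder?download=1&file=d HTTP/1.1" 200 2048
10.0.0.5 - monitoring@pve!exporter [10/10/2024:12:00:06 +0000] "GET /api2/json/nodes/pve1/placeholder?download=1&file=e HTTP/1.1" 200 4096
10.0.0.5 - monitoring@pve!exporter [10/10/2024:12:00:07 +0000] "GET /api2/json/nodes/pve1/placeholder?download=1&file=f HTTP/1.1" 200 512
10.0.0.9 - root@pam [10/10/2024:12:01:00 +0000] "POST /api2/json/nodes/pve1/qemu/100/status/start HTTP/1.1" 200 77
10.0.0.7 - dev@pve [10/10/2024:12:02:00 +0000] "GET /api2/json/nodes/pve1/placeholder?download=1&file=g HTTP/1.1" 200 500'

# Live use:  flag_bursts < /var/log/pveproxy/access.log
printf '%s\n' "$SAMPLE_LOG" | flag_bursts
```

Baseline before alerting: the web UI itself issues legitimate download requests (backup logs, file restore), so tune THRESHOLD per deployment and pay most attention to monitoring accounts and tokens, which have no reason to download anything.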