From: Thomas Lamprecht <t.lamprecht@proxmox.com>
To: James Brown <randomvoidmail@foxmail.com>,
Fabio Fantoni via pve-devel <pve-devel@lists.proxmox.com>
Subject: Re: [pve-devel] Arbitrary file reading via malicious VM config
Date: Wed, 27 Nov 2024 09:09:10 +0100 [thread overview]
Message-ID: <03e65d1b-2c75-4a8e-8d4a-82d3511c5c23@proxmox.com> (raw)
In-Reply-To: <tencent_C3D2C670AE0CC99C45BA8C83853D3BDE0205@qq.com>
Hello,
First, if you, or anybody else, think they found a problem with security implications
then please use our dedicated confidential channels for evaluating that initially:
https://pve.proxmox.com/wiki/Security_Reporting
If it's a real problem then other users might not be happy about a public broadcast
for all potential attackers to read and basically act as how-to.
Am 27.11.24 um 01:14 schrieb James Brown:
> I suspect a security flaw within ESXi VM import. If a malicious actor forges a
> VMWare VM config with root paths such as /var/log/auth.log, could lead to potential
> data leak if the import task is executed.
The core assumption is that the admin doing the import fully controls both sides,
VMWare ESXi and Proxmox VE.
As otherwise this feature makes no sense, if the ESXi isn't trusted, it can do all
sorts of bad things that just cannot be protected against, like e.g., inject some
rootkits into the VM data stream at any time. And yes, it might also leak some
data from the PVE host.
For OVA imports we hedge against that by disallowing disks with additional/external
references. For ESXi we do not do so because 1) it's more common there to have legit
references in the disks (which are not trivial to tell apart from bad ones) and 2)
because compared to allowing third-party/not fully trusted users uploading images
allowing one to add an ESXi storage and then import from there is IMO a rather
non-existent use case, and that would also mean that ESXi and Proxmox VE are either
in the same LAN or tunneled, as otherwise they should be shielded off from public
access already anyway.
But do you have an actual use case we missed and would break our assumptions here?
What we might do is documenting this more explicitly, possibly even showing a hint
in the UI.
- Thomas
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
next parent reply other threads:[~2024-11-27 8:09 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <tencent_C3D2C670AE0CC99C45BA8C83853D3BDE0205@qq.com>
2024-11-27 8:09 ` Thomas Lamprecht [this message]
2024-11-27 8:15 ` Thomas Lamprecht
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=03e65d1b-2c75-4a8e-8d4a-82d3511c5c23@proxmox.com \
--to=t.lamprecht@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
--cc=randomvoidmail@foxmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox