Proxmox VE, Sudoers Misconfiguration Vulnerability (Critical)

Listen to this Post

The vulnerability stems from an insecure sudoers configuration recommended in SSH documentation for Proxmox VE systems integrating Terraform. A suggested sudoers entry grants the Terraform user password-less root execution of the tee command restricted to the /var/lib/vz/ directory path. This wildcard allowance does not sanitize or prevent directory traversal sequences. Consequently, an authenticated Terraform user can exploit the ../ sequence to escape the intended directory boundary. By crafting a tee command target with ../, such as /var/lib/vz/../../../etc/sudoers.d/sudo, the user can write to any file on the filesystem. The proof-of-concept demonstrates this by piping a new sudoers policy that grants universal root access without a password into the tee command. Since tee executes with root privileges via the sudoers entry, it successfully writes the malicious policy to a system directory. This effectively bypasses all intended restrictions, granting the Terraform user full administrative control over the host. The core issue is the lack of path validation in the sudoers command specification, allowing argument manipulation that leads to arbitrary file write.
Platform: Proxmox VE
Version: All versions
Vulnerability: Sudoers privilege escalation
Severity: Critical
Date: 2024-08-01

Prediction: Patch date TBD

What Undercode Say:

Analytics

sudoers line: terraform ALL=(root) NOPASSWD: /usr/bin/tee /var/lib/vz/

exploit command: echo “ALL=(ALL) NOPASSWD:ALL” | sudo tee /var/lib/vz/../../../etc/sudoers.d/sudo

Exploit

Authenticated terraform user executes path-traversal tee command to write arbitrary sudoers file, gaining root.

Protection from this CVE

Use strict regex sudoers rule: terraform ALL=(root) NOPASSWD: /usr/bin/tee /var/lib/vz/snippets/[A-Za-z0-9-].yaml

Impact

Full system compromise via root access escalation.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top