Impact Analysis

This vulnerability can lead to unauthorized privilege escalation on the affected system.

An attacker with access to the terraform user could exploit the insecure sudoers configuration to write or modify arbitrary files anywhere on the system by escaping the intended directory restrictions.

This could allow the attacker to add malicious sudoers files, granting themselves full root privileges and complete control over the system.

Such unauthorized root-level access compromises system integrity, confidentiality, and availability.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Executive Summary

This vulnerability is a path traversal issue in the sudoers configuration recommended by the Terraform / OpenTofu Provider for Proxmox Virtual Environment prior to version 0.93.1.

The insecure sudoers line allowed the terraform user to run the `tee` command with root privileges on any file within a directory like `/var/lib/vz/*` using a wildcard. Because of this, an attacker could exploit directory traversal sequences (e.g., `../`) to escape the intended directory and modify arbitrary system files.

For example, the terraform user could write a malicious sudoers file outside the allowed directory, granting themselves full root privileges, effectively escalating their access on the system.

The vulnerability was fixed by restricting the sudoers rule to only allow writing to a specific `snippets` subdirectory with a strict filename pattern, preventing path traversal attacks.

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking the sudoers configuration for insecure rules that allow the terraform user to run the tee command with wildcard paths that enable directory traversal.'}, {'type': 'paragraph', 'content': 'Specifically, look for sudoers lines like: terraform ALL=(root) NOPASSWD: /usr/bin/tee /var/lib/vz/* or similar patterns that allow tee to write to any file under a directory.'}, {'type': 'paragraph', 'content': 'To identify the mount point of the datastore on the Proxmox node, you can use the command:'}, {'type': 'list_item', 'content': 'pvesh get /storage/<name>'}, {'type': 'paragraph', 'content': 'To test if the vulnerability exists, you can attempt a proof of concept command as the terraform user (if you have access), for example:'}, {'type': 'list_item', 'content': 'echo "ALL=(ALL) NOPASSWD:ALL" | tee /var/lib/vz/../../../etc/sudoers.d/sudo'}, {'type': 'paragraph', 'content': 'If this command succeeds in creating or modifying files outside the intended directory, the system is vulnerable.'}] [1, 2]

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': "The immediate mitigation step is to update the sudoers configuration to restrict the terraform user's ability to run the tee command only on specific, allowed file paths with strict filename patterns."}, {'type': 'paragraph', 'content': 'Replace insecure wildcard sudoers lines like:'}, {'type': 'list_item', 'content': 'terraform ALL=(root) NOPASSWD: /usr/bin/tee /var/lib/vz/*'}, {'type': 'paragraph', 'content': 'With a more restrictive rule such as:'}, {'type': 'list_item', 'content': 'terraform ALL=(root) NOPASSWD: /usr/bin/tee /var/lib/vz/snippets/[a-zA-Z0-9_][a-zA-Z0-9_.-]*'}, {'type': 'paragraph', 'content': 'For other datastores, similarly restrict the path, for example:'}, {'type': 'list_item', 'content': 'terraform ALL=(root) NOPASSWD: /usr/bin/tee /mnt/pve/cephfs/snippets/[a-zA-Z0-9_][a-zA-Z0-9_.-]*'}, {'type': 'paragraph', 'content': 'Additionally, update the terraform-provider-proxmox to version 0.93.1 or later where this issue is patched.'}, {'type': 'paragraph', 'content': 'Avoid using wildcard patterns in sudoers rules that allow the tee command to write to arbitrary files.'}] [1, 2]

Useful 0 Not Useful 0