Описание
terraform-provider-proxmox has insecure sudo recommendation in the documentation
Note: It is uncertain whether this constitutes a vulnerability or should be filed as an issue instead.
Summary
In the SSH configuration documentation, the sudoer line that was suggested can be escalated to edit any files in the system.
Details
The following line were suggested for addition in the sudoers file:
But this is highly insecure as the folder can be escaped using ../ and any files can be edited on the system.
PoC
Using a terraform user with the previously mentioned line in the /etc/sudoers file, a /etc/sudoers.d/sudo file can be added using this command:
echo "ALL=(ALL) NOPASSWD:ALL" | tee /var/lib/vz/../../../etc/sudoers.d/sudo
This grants access to the full root of the node.
Impact
This breaches the access limits of the Terraform user.
Suggested workaround
Use a strict regex on the command to allow only the names that should be pushed by this user.
Example for cloudinit yaml files:
Пакеты
github.com/bpg/terraform-provider-proxmox
< 0.93.1
0.93.1
Связанные уязвимости
Terraform / OpenTofu Provider adds support for Proxmox Virtual Environment. Prior to version 0.93.1, in the SSH configuration documentation, the sudoer line suggested is insecure and can result in escaping the folder using ../, allowing any files on the system to be edited. This issue has been patched in version 0.93.1.
Terraform / OpenTofu Provider adds support for Proxmox Virtual Environ ...