Hello,

First, if you, or anybody else, think they found a problem with security implications then please use our dedicated confidential channels for evaluating that initially:
https://pve.proxmox.com/wiki/Security_Reporting

If it's a real problem then other users might not be happy about a public broadcast for all potential attackers to read and basically act as a how-to.

On 27.11.24 at 01:14, James Brown wrote:
> I suspect a security flaw within ESXi VM import. If a malicious actor forges a
> VMware VM config with root paths such as /var/log/auth.log, it could lead to a
> potential data leak if the import task is executed.

The core assumption is that the admin doing the import fully controls both sides, VMware ESXi and Proxmox VE. As otherwise this feature makes no sense; if the ESXi isn't trusted, it can do all sorts of bad things that just cannot be protected against, like e.g., inject some rootkits into the VM data stream at any time.

And yes, it might also leak some data from the PVE host. For OVA imports we hedge against that by disallowing disks with additional/external references. For ESXi we do not do so because

1) it's more common there to have legit references in the disks (which are not trivial to tell apart from bad ones) and

2) because compared to allowing third-party/not fully trusted users uploading images, allowing one to add an ESXi storage and then import from there is IMO a rather non-existent use case, and that would also mean that ESXi and Proxmox VE are either in the same LAN or tunneled, as otherwise they should be shielded off from public access already anyway.

But do you have an actual use case that we missed and that would break our assumptions here?

What we might do is document this more explicitly, possibly even showing a hint in the UI.

- Thomas
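An added example, not part of the original message and not Proxmox VE code: a pre-import audit that lists every file reference in a VMDK text descriptor that resolves outside the VM's own directory, which is one way to surface the "additional/external references" mentioned above. The function names, the strict "same directory only" policy and the sample descriptors are assumptions made for illustration.

```python
import posixpath
import re

# Extent line in a VMDK text descriptor: ACCESS SIZE TYPE "FILE" [OFFSET]
EXTENT_RE = re.compile(r'^(?:RW|RDONLY|NOACCESS)\s+\d+\s+(\w+)\s+"([^"]*)"')
# Pointer to a parent (backing) disk, present in snapshot/linked-clone descriptors
PARENT_RE = re.compile(r'^parentFileNameHint\s*=\s*"([^"]*)"')


def escapes(vm_dir, ref):
    """True if ref, resolved against vm_dir, lands outside vm_dir.
    Lexical check only: symlinks on the importing host are not resolved."""
    root = posixpath.normpath(vm_dir).rstrip("/") + "/"
    resolved = posixpath.normpath(posixpath.join(vm_dir, ref))
    return not resolved.startswith(root)


def external_references(descriptor, vm_dir):
    """Return (line_no, kind, path) for each reference that leaves vm_dir."""
    findings = []
    for no, raw in enumerate(descriptor.splitlines(), 1):
        line = raw.strip()
        if m := EXTENT_RE.match(line):
            kind, ref = "extent/" + m.group(1), m.group(2)
        elif m := PARENT_RE.match(line):
            kind, ref = "parent", m.group(1)
        else:
            continue
        if escapes(vm_dir, ref):
            findings.append((no, kind, ref))
    return findings


# Constructed sample descriptors (hypothetical, not taken from a real system).
VM_DIR = "/vmfs/volumes/ds1/web01"
PLAIN = """\
# Disk DescriptorFile
version=1
createType="vmfs"
RW 41943040 VMFS "web01-flat.vmdk"
"""
SUSPECT = """\
# Disk DescriptorFile
version=1
createType="vmfs"
parentFileNameHint="/vmfs/volumes/ds1/templates/base.vmdk"
RW 2048 FLAT "/var/log/auth.log" 0
RW 2048 FLAT "../../ds2/other-flat.vmdk" 0
"""
```

Under this strict policy the parent pointer on line 4 of `SUSPECT` is flagged alongside the `/var/log/auth.log` extent, although a reference of that shape is the kind a linked clone can carry, which shows why such references are hard to tell apart by path alone.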