===============================================
User enumeration vulnerability in Proxmox < 3.2
===============================================

Description
===========

Proxmox VE is a complete open source virtualization management solution for servers. It is based on KVM virtualization and container-based virtualization and manages virtual machines, storage, virtualized networks, and HA Clustering.

Vulnerability details
=====================

When trying to authenticate on the proxmox web interface, an ajax request is sent to the server with the username and password entered by the user. The server returns a message in the ajax request :

* If the user does not exist in the server the message will be : "Username does not exist"
* If the user exist but the password is not correct the message is : "Authentification failed"

This message results in a leak of information that may be used to deduce whether the username exists or not.

Note that this vulnerability was tested on Proxmox VE server version 3.1 but seems to affect every 2.x versions as well. Only PAM authentication method has been tested but we assume it works on PVE method too.

**Access Vector**: remote

**Security Risk**: low

**Vulnerability**: CWE-204

**CVE-ID**: CVE-2014-4156

Solution
========

Upgrade to Proxmox VE version 3.2.

Affected versions
=================

* Proxmox VE versions <= 3.1

Disclosure Timeline
===================

* 2013/11/13: Vendor contacted
* 2013/11/19: Vendor fixed the vulnerability
* 2014/03/10: Vendor released Proxmox VE 3.2

Credits
=======

* Romain E SILVA, Sysdream (r.esilva -at- sysdream -dot- com)

Contact
=======

* Website: http://www.sysdream.com
* Twitter: @sysdream

ProxmoxVE-3.1.pdf