Security Flaw In OVH/Kimsufi/SoYouStart Proxmox Installations
Hello,

On May 2, 2017 at 16:00 CEST, a security flaw was detected in our Proxmox 4 installations.

In order to use Proxmox in a ‘cluster’ configuration (Proxmox VE Cluster), a pair of SSH keys is automatically generated to facilitate communication between the different physical nodes of the cluster.

Our system that generates the distribution (March 16, 2017 at 12:26 CEST) did not correctly generate that pair of keys, making a connection between two client machines possible.

Consequently, we deactivated Proxmox 4 installations on May 2, 2017 at 16:02 CEST. Proxmox 4 installations made between March 16, 2017 (12:26 CEST) and May 2, 2017 (16:02 CEST) are affected. All installations made prior to and after these dates are secure.

Please find below the chronology of our actions:

  • Deactivation of the vulnerable build (2017-05-02 16:02 CEST).
  • Creation of a new secure build (2017-05-02 17:51 CEST).
  • Put in production the new secure build (2017-05-02 17:57 CEST).

In order to reduce the attack surface and as a measure of precaution, we used the private key available in the image to remove the corresponding public key from the authorized_keys file found in ‘/etc/pve/priv’; the traditional "/root/.ssh/authorized_keys" file is a symbolic link to the latter.

We are not able to intervene on Proxmox configurations set up in cluster mode without disrupting service.
We have logged our intervention in your manager under the reference: 'Remote Intervention OVH for correction Proxmox installation'.

The corrective action taken is not a permanent solution because in order to fully secure your configuration, the new pair of keys must be generated by you. If you restart the ‘pve-cluster’ service (also in case of server reboot), the previous SSH key will be redeployed, making the server vulnerable again.

It is strongly advised that you conduct a complementary analysis of your system.

In order to help you, the following script will secure your infrastructure:

Here is the list of your server(s) that are impacted by this issue:

We apologize for any inconvenience. We have taken all measures necessary to prevent a reoccurrence of this issue.

OVH Team

Our Dedicated Server support is accessible 24 hours a day, 7 days a week
Online Help : https://forum.kimsufi.com/
Our maintenance : http://travaux.ovh.net/
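The notice describes two defensive steps: removing the image-shipped public key from the authorized_keys file in /etc/pve/priv, and the caveat that the key reappears when pve-cluster restarts, so the pair must be regenerated. As an added example (not OVH's remediation script, which the thread does not reproduce, and not Proxmox project code), the Python audit below parses an authorized_keys file, computes OpenSSH-style SHA256 fingerprints for each entry, flags entries matching a list of known-bad fingerprints, and produces a cleaned copy. The sample keys, fingerprints and file contents are constructed for the demonstration; the only value taken from the notice is the /etc/pve/priv/authorized_keys path. Regenerating the key pair afterwards is still required for the reason the notice gives.

```python
# Added example: audit a Proxmox authorized_keys file for keys whose SHA256
# fingerprint matches a known-bad list, and produce a copy with them removed.
import base64
import hashlib
import struct
import sys

# Path named in the OVH notice; /root/.ssh/authorized_keys symlinks to it.
PVE_AUTHORIZED_KEYS = "/etc/pve/priv/authorized_keys"


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 big-endian length + data)."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_pubkey_line(raw32: bytes, comment: str) -> str:
    """Build an OpenSSH-format ssh-ed25519 public key line from 32 raw bytes.
    Constructed test data: the bytes need not be a valid curve point, since only
    the wire encoding matters for parsing and fingerprinting."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def fingerprint_sha256(blob_b64: str) -> str:
    """OpenSSH fingerprint: 'SHA256:' + unpadded base64 of sha256(decoded key blob)."""
    blob = base64.b64decode(blob_b64)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str):
    """Return a list of (fingerprint, original_line) for each key entry.
    Blank lines and '#' comments are skipped. An options prefix such as
    no-pty or command="..." (without embedded spaces) is tolerated by
    locating the key-type field."""
    entries = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        fields = stripped.split()
        idx = next(
            (i for i, f in enumerate(fields) if f.startswith(("ssh-", "ecdsa-"))),
            None,
        )
        if idx is None or idx + 1 >= len(fields):
            continue  # not a recognizable key line
        entries.append((fingerprint_sha256(fields[idx + 1]), line))
    return entries


def find_bad_keys(text: str, bad_fingerprints):
    """Fingerprints present in the file that also appear in the known-bad set."""
    return [fp for fp, _ in parse_authorized_keys(text) if fp in bad_fingerprints]


def remove_keys(text: str, bad_fingerprints) -> str:
    """Return the file content with entries matching bad fingerprints dropped.
    This mirrors the notice's interim action; it does not regenerate the pair."""
    kept = []
    for line in text.splitlines():
        parsed = parse_authorized_keys(line)
        if parsed and parsed[0][0] in bad_fingerprints:
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"


# Constructed sample: one key standing in for an image-shipped pair, one legitimate key.
SHARED_IMAGE_KEY = make_ed25519_pubkey_line(bytes(range(32)), "root@image-template")
LEGIT_KEY = make_ed25519_pubkey_line(bytes(range(32, 64)), "admin@workstation")
SAMPLE_FILE = "# constructed sample authorized_keys\n" + SHARED_IMAGE_KEY + "\n" + LEGIT_KEY + "\n"
KNOWN_BAD = {fingerprint_sha256(SHARED_IMAGE_KEY.split()[1])}  # placeholder known-bad list


def audit_file(path: str, bad_fingerprints):
    """Read an authorized_keys file from disk and report matching fingerprints."""
    with open(path, encoding="utf-8") as fh:
        return find_bad_keys(fh.read(), bad_fingerprints)


if __name__ == "__main__":
    # Usage: python audit.py [path] SHA256:fp1 SHA256:fp2 ...
    # With no arguments, runs against the constructed sample.
    args = sys.argv[1:]
    if args:
        path = args[0] if not args[0].startswith("SHA256:") else PVE_AUTHORIZED_KEYS
        bad = {a for a in args if a.startswith("SHA256:")}
        print("matches:", audit_file(path, bad))
    else:
        print("sample matches:", find_bad_keys(SAMPLE_FILE, KNOWN_BAD))
        print(remove_keys(SAMPLE_FILE, KNOWN_BAD))
```

The fingerprint is computed over the decoded key blob only, so the same key with a different trailing comment still matches; that is what makes a fingerprint list a usable indicator across hosts where the comment field differs.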

Comments

  • Yep I received that email as well although I don't use Proxmox. Pretty bad for customers that are using Proxmox to rent VPSs with.

  • ljseals Member
    edited May 2017

    I installed Proxmox and was logged into the interface or web GUI. I reinstalled Proxmox while still having the web page open. After receiving the password e-mail from OVH Support I went to log in again and did not have to; it still allowed me to have access. I thought it was just a glitch. This happened although the root passwords had been changed. God bless!

  • I got that too. Shit happens.

  • yomero Member

    So, they used these keys to enter to the client machines and fix it? Or I am not getting this right

  • stefeman Member
    edited May 2017

    TL;DR: they generate additional SSH keys behind your back so you can link multiple OVH servers into a cluster. Now they're telling us they fucked up and released a fix script for us.
