Authentication bypass in Vesta Control Panel



Published: 2018-04-09
Severity Critical
Patch available YES
Number of vulnerabilities 1
CVE ID N/A
CWE ID CWE-287
Exploitation vector Network
Public exploit This vulnerability is being exploited in the wild.
Vulnerable software
Subscribe
Vesta Control Panel
Web applications / Remote management & hosting panels

Vendor Vesta Control Panel

Security Advisory

This security advisory describes one critical risk vulnerability.

1) Improper authentication

Severity: Critical

CVSSv3: 9.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C] [PCI]

CVE-ID: N/A

CWE-ID: CWE-287 - Improper Authentication

Description

The vulnerability allows a remote attacker to bypass authentication checks and gain full access to the affected system.

The vulnerability exists due to import validation of the authentication credentials in Vesta CP management interface. A remote unauthenticated attacker can send a specially crafted HTTP request to Vesta CP management interface, bypass authentication and gain full control over the affected server.

Note: this vulnerability is being actively exploited in the wild.

The attack was reportedly performed from IP addresses, located in China. The attackers created a file "/etc/cron.hourly/gcc.sh" on infected systems. If this file is present on your server, it means that you system has been compromised.

Mitigation

Install update from Vesta GIT repository:
https://github.com/serghey-rodin/vesta/commit/eaf9d89096b11daa97f8da507eb369e359cda7dd

Vulnerable software versions

Vesta Control Panel: 0.9.8-1, 0.9.8-2, 0.9.8-3, 0.9.8-4, 0.9.8-5, 0.9.8-6, 0.9.8-7, 0.9.8-8, 0.9.8-9, 0.9.8-10, 0.9.8-11, 0.9.8-12, 0.9.8-13, 0.9.8-14, 0.9.8-15, 0.9.8-16, 0.9.8-17, 0.9.8-18, 0.9.8-19

CPE External links

https://forum.vestacp.com/viewtopic.php?f=10&t=16556&start=260#p68893

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.



ImmuniWeb® AI Platform for Application Security Testing