SB2024110139 - Multiple vulnerabilities in CyberPanel

Description

This security bulletin contains information about 2 vulnerabilities.

1) Improper authentication (CVE-ID: CVE-2024-51567)

CWE-ID: CWE-287 - Improper Authentication

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to improper authentication within upgrademysqlstatus in databases/views.py. A remote non-authenticated attacker can send a specially crafted HTTP POST request to the /dataBases/upgrademysqlstatus endpoint, bypass authentication and execute arbitrary OS commands on the system.

Note, the vulnerability is being actively exploited in the wild.

2) Improper Authentication (CVE-ID: CVE-2024-51378)

CWE-ID: CWE-287 - Improper Authentication

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to improper authentication within getresetstatus in dns/views.py. A remote non-authenticated attacker can send a specially crafted HTTP POST request to the  /dns/getresetstatus or /ftp/getresetstatus endpoints, bypass authentication and execute arbitrary OS commands on the system.

Remediation

Install update from vendor's website.

References

• https://dreyand.rs/code/review/2024/10/27/what-are-my-options-cyberpanel-v236-pre-auth-rce
• https://github.com/usmannasir/cyberpanel/commit/5b08cd6d53f4dbc2107ad9f555122ce8b0996515
• https://cyberpanel.net/blog/detials-and-fix-of-recent-security-issue-and-patch-of-cyberpanel
• https://www.bleepingcomputer.com/news/security/massive-psaux-ransomware-attack-targets-22-000-cyberpanel-instances/
• https://x.com/leak_ix/status/1851608316130025856
• https://github.com/usmannasir/cyberpanel/commit/1c0c6cbcf71abe573da0b5fddfb9603e7477f683
• https://refr4g.github.io/posts/cyberpanel-command-injection-vulnerability/