Risk | Critical |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | N/A |
CWE-ID | CWE-287 |
Exploitation vector | Network |
Public exploit | This vulnerability is being exploited in the wild. |
Vulnerable software | Vesta Control Panel (Web applications / Remote management & hosting panels) |
Vendor | Vesta Control Panel |
Security Bulletin
This security bulletin contains one critical risk vulnerability.
EUVDB-ID: #VU11621
Risk: Critical
CVSSv4.0: 9.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red]
CVE-ID: N/A
CWE-ID: CWE-287 - Improper Authentication
Exploit availability: No
Description
The vulnerability allows a remote attacker to bypass authentication checks and gain full access to the affected system.
The vulnerability exists due to improper validation of authentication credentials in the Vesta CP management interface. A remote unauthenticated attacker can send a specially crafted HTTP request to the Vesta CP management interface, bypass authentication and gain full control over the affected server.
Note: this vulnerability is being actively exploited in the wild.
The attack was reportedly performed from IP addresses located in China. The attackers created a file "/etc/cron.hourly/gcc.sh" on infected systems. If this file is present on your server, it means that your system has been compromised.
Install the update from the Vesta Git repository:
https://github.com/serghey-rodin/vesta/commit/eaf9d89096b11daa97f8da507eb369e359cda7dd
Vesta Control Panel: 0.9.8-1 - 0.9.8-19
https://forum.vestacp.com/viewtopic.php?f=10&t=16556&start=260#p68893
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.