Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!


VestaCP hit with zeroday exploit [May 19 Security Update] - Page 8
New on LowEndTalk? Please Register and read our Community Rules.

All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.

VestaCP hit with zeroday exploit [May 19 Security Update]

15681011

Comments

  • @SecNinja said:
    Wow, VestaCP is so bad. I mean, so, so, so bad.

    I have already found several root level exploits in LITERALLY less than 15 minutes and I'm typing with one hand while I eat with the other lol.

    I'm making a list of everything, I'll send off to their developers at some point...

    I'll parrot what I said to you at wht: If you are on the job, the developers will end up quitting with severe depression.

    Thanked by 1MikePT
  • nepsneps Member

    CrossBox said: @psycholyzern said: Someone said to me, "The best control panel is no control panel".

    Amen.

    Even though you don't use a control panel, you still use at least 10 services like exim, dovecot, nginx, etc... and even more libraries. A critical bug in any of these will also make you as vulnerable as any other control panel.

    Control panels just make more room for exploits, especially open sourced ones.

    Yeah, exactly, so as I said, the best control panel is no control panel. When the day comes that a bare linux install is enough to power my sites, that's what I'll use. The fewer moving parts, the better.

    Thanked by 1CrossBox
  • solairesolaire Member
    edited April 2018

    I took the effort of migrating over to ISPConfig. I have to admit, UI wise, VestaCP is far more superior to ISPConfig, but functionality wise, it's the other way around. ISPConfig is really flexible and Let's encrypt integration works flawlessly. And as I'm pretty much the only one using the panel anyway, it's all good.

    Any news of VestaCP still being exploited after the patch?

  • @AlyssaD said:
    I really don't want to move to an enitrely different control panel, but I like the ease of Let's Encrypt setup.

    Is there any good suggestions on an open source web panel with good lets encrypt support, or a paid one that is reasonable cost.

    I have gotten a bit lazier, as I used to just run bare bones.

    ISPconfig all the way! For fast support subscribe to HowToForge for 25€/6months but you will be helped either way :)

  • ClouviderClouvider Member, Patron Provider

    It like ISP Config didn’t had its own issues.

    Metasploit has at lest a couple exploits against ISP Config.

    Thanked by 1Shazan
  • @deank said:
    What we need is L(ow)E(nd) panel, an open source control panel by LET.

    You mean Centminmod?

    http://centminmod.com/

  • @sureiam said:

    @deank said:
    What we need is L(ow)E(nd) panel, an open source control panel by LET.

    You mean Centminmod?

    http://centminmod.com/

    Now we just need a Debian or Ubuntu version :P

    EasyEngine isn't too bad either, but limited on the config, and I'm not sure how well their mail stuff works.

  • solairesolaire Member
    edited April 2018

    @Clouvider said:
    It like ISP Config didn’t had its own issues.

    Metasploit has at lest a couple exploits against ISP Config.

    It's really not about having issues, it's more about how a company / project / individual goes around fixing them.

    Vesta didn't escape the password that was entered on the VestaCP page. They then published a hotfix, that "might" solve the exploit that was out in the wild. I understand they didn't have logging enabled, but that's a misser to begin with.

    Thanked by 2FHR v3ng
  • @Mridul said:

    Thank you so much for your input.

    Based on your experience. Which panel would your prefer ( other than cpanel / plesk )
    I understand that having no panel at all is the better option.

    Webmin (Usermin / Virtualmin) if you absolutely must use a free panel.

    I still think Plesk and cPanel have the best security simply because they pay top dollar to security researchers to find flaws, so there's a huge incentive to put a lot of time into finding them.

  • HxxxHxxx Member

    ^ this man knows what's up. Thanks for sharing your wisdom with us, the plebs, @SecNinja

  • It's really not about having issues, it's more about how a company / project / individual goes around fixing them.

    Vesta didn't escape the password that was entered on the VestaCP page. They then published a hotfix, that "might" solve the exploit that was out in the wild. I understand they didn't have logging enabled, but that's a misser to begin with.

    Not really defending VestaCP code, but regarding the fix, they did what they believed was the right thing. They changed the auth hash and enabled logging. Sure other things will follow. But, isn't "might solve", better than "we did nothing". They should obviously improve communication, and ask for help from security pro's willing to give the entire code a once over. (make suggestions if you can help).

    Hopefully, the project will come out significantly better.

    The UI is the best on the block for me. I can get done 95% of what I want to accomplish with great efficiency. Can't say that with other FOSS alternatives I've tried.

    Thanked by 2MasonR mehargags
  • MasonRMasonR Community Contributor

    @Mark_O_Polo said: But, isn't "might solve", better than "we did nothing".

    No doubt! The only thing that I can critique is their "It's bullet proof now!" statement after the patch was released. Kinda shows the naivety of their security practices.

    But with rack911 on the case, any suggestions they throw their way should harden the code up quite a bit. That is, if they actually address the issues that are brought up by Patrick and Steven in a timely manner.

    Thanked by 1Mridul
  • @Harzem said:
    I'll parrot what I said to you at wht: If you are on the job, the developers will end up quitting with severe depression.

    Lol. I hope to send off a report today. It's so bad.

    I sure hope no one has untrusted users on their VestaCP boxes.

    Thanked by 4Aidan Hxxx Mridul eva2000
  • HxxxHxxx Member

    @SecNinja , are the security notices still being sent from hostingseclist? It's been a while since I receive those.

  • @SecNinja said:

    @Harzem said:
    I'll parrot what I said to you at wht: If you are on the job, the developers will end up quitting with severe depression.

    Lol. I hope to send off a report today. It's so bad.

    I sure hope no one has untrusted users on their VestaCP boxes.

    Is it because they are using (==) instead of (===) everywhere. I noticed that in the API.

  • @AlyssaD said:
    Is it because they are using (==) instead of (===) everywhere. I noticed that in the API.

    I haven't even looked at the API, I'm still going over the common user functions. Some of the exploits are so funny. Once they are patched I'll share a couple just for lol sake.

    Thanked by 1AlyssaD
  • @SecNinja said:
    Lol. I hope to send off a report today. It's so bad.

    Curious on the process, do you give them a set amount of time to release fixes and if they do nothing (or something inadequate) then make your report public?

  • @Mark_O_Polo said:

    @SecNinja said:
    Lol. I hope to send off a report today. It's so bad.

    Curious on the process, do you give them a set amount of time to release fixes and if they do nothing (or something inadequate) then make your report public?

    We probably won't even publish anything official, it's not really worth my time.

    As for disclosing a Proof of Concept for lol sake, I'll do it after I think people have had enough time to patch.

  • cociucociu Member

    2 of my clients got suspended due of traffic limit , all with vesta installed. The traffic for the entirely month alocated was consumed in less than 3 days :)

  • @cociu said:
    2 of my clients got suspended due of traffic limit , all with vesta installed. The traffic for the entirely month alocated was consumed in less than 3 days :)

    Any IP blocks?

  • FHRFHR Member, Host Rep

    @Mark_O_Polo said:

    Not really defending VestaCP code, but regarding the fix, they did what they believed was the right thing. They changed the auth hash and enabled logging. Sure other things will follow. But, isn't "might solve", better than "we did nothing". They should obviously improve communication, and ask for help from security pro's willing to give the entire code a once over. (make suggestions if you can help).

    Just so we are clear, their fix only consists of API changes and does this:

    Grab the salt for user "admin" from (/)etc(/)shadow, encrypt whatever arrived from the internet using this salt, save the resulting hash as a file in (/)tmp, pass resulting filepath to a shell script.
    This shell script loads the hash from the (/)tmp file and authenticates using grep:
    grep "^$user:$hash:" (/)etc(/)shadow
    If a matching line is found, API access granted.

    So PHP has passwordless sudo access and is able to directly read (/)etc(/)shadow.

    (/) = / - Bypass for stupid CloudFlare protection

  • MasonRMasonR Community Contributor

    @cociu said:
    2 of my clients got suspended due of traffic limit , all with vesta installed. The traffic for the entirely month alocated was consumed in less than 3 days :)

    So you're saying that two of your clients were sending DoS attacks for three days straight before they were suspended? And they were suspended for using up all their bandwidth and not for network abuse?

    Premium.

  • SecNinjaSecNinja Member
    edited April 2018

    Sent off 6 security vulnerabilities to [email protected] with 3 of those leading to a easy root compromise. The other 3 are still very serious flaws, password / hash disclosures, etc.

    I'll send off more once they fix those.

  • What I'm reading here is that people using VestaCP for public access are boned. Those using it for personal use should just close off the ports and tunnel access to the panel via SSH or VPN. Additionally you could also turn it off when not in use, probably a good idea anyway as it saves resources.

    Thanked by 1Mridul
  • HxxxHxxx Member

    Guys let me translate.
    Don't use vestaCP.
    Read what @SecNinja said. "Easy" "Root" "Compromise" "3ways"

  • LeviLevi Member

    Hxxx said: "3ways"

    This. What the hell it is?

    Thanked by 1Hxxx
  • @LTniger said:

    Hxxx said: "3ways"

    This. What the hell it is?

    Ménage a trois?

    Usually have to pay extra for that kind of action.

  • MasonRMasonR Community Contributor

    Going to drop this thread from our announcements, as I think it's been up there for sufficient time for hosts and users to secure their VestaCP installs. @Harambe and others, feel free to continue discussions as updates are made on this issue.

    Thanked by 2mehargags Harambe
  • RadiRadi Host Rep, Veteran

    So in the end, is it patched or not? I know about the 20 version, but I saw people are recommending to keep the Vesta's down for now. Are we sure the patch they released completely resolves the issue? More updates on this?

  • @Radi said:
    So in the end, is it patched or not? I know about the 20 version, but I saw people are recommending to keep the Vesta's down for now. Are we sure the patch they released completely resolves the issue? More updates on this?

    Short answer, we don't know and neither do their developers.

Sign In or Register to comment.