Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!


VestaCP hit with zeroday exploit [May 19 Security Update] - Page 9
New on LowEndTalk? Please Register and read our Community Rules.

All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.

VestaCP hit with zeroday exploit [May 19 Security Update]

1567911

Comments

  • v3ngv3ng Member, Patron Provider

    I would recommend to switch to a different panel or just use the Shell without a panel.

  • entrailzentrailz Member, Host Rep

    Been poking around for an hour or so to try and produce something workable from the /api/index.php endpoint and can't really get anywhere - so not entirely sure what the point of attack was.

  • @Radi said:
    So in the end, is it patched or not? I know about the 20 version, but I saw people are recommending to keep the Vesta's down for now. Are we sure the patch they released completely resolves the issue? More updates on this?

    Short answer:

    Version 20 secured the API endpoint.

    However no direct attack was seen, or logged. It was based upon a guess on that being the issue.

    Still suggested to keep the control panel off the internet currently.

  • @Radi said:
    So in the end, is it patched or not? I know about the 20 version, but I saw people are recommending to keep the Vesta's down for now. Are we sure the patch they released completely resolves the issue? More updates on this?

    Patched or not patched you will see above that Patrick located at least another 3 vulnerabilities that could lead to root compromise so you should keep VestaCP down until VestaCP patches them.

  • @SecNinja said:
    Sent off 6 security vulnerabilities to [email protected] with 3 of those leading to a easy root compromise. The other 3 are still very serious flaws, password / hash disclosures, etc.

    I'll send off more once they fix those.

    Thanks for taking the time to dig through the panel. Keep us posted if you hear anything back.

    Unfortunately haven't seen any security-related commits on the VestaCP Github since you commented here... https://github.com/serghey-rodin/vesta/commits/master

  • DewlanceVPSDewlanceVPS Member, Patron Provider

    Smell of conspiracy by commercial competitors against VestCP.

  • @Radi said:
    So in the end, is it patched or not? I know about the 20 version, but I saw people are recommending to keep the Vesta's down for now. Are we sure the patch they released completely resolves the issue? More updates on this?

    Freed up some time to take a closer look, definitely don't use it for the time being. E.g. it seems they forgot that their change password functionality is just as vulnerable as their login functionality once was. Though this can only be exploited once logged in, in a shared hosting environment, this is still extremely bad and easy root access.

  • ClouviderClouvider Member, Patron Provider
    edited April 2018

    @DewlanceVPS said:
    Smell of conspiracy by commercial competitors against VestCP.

    No one smells it except you though and we're on page 5 already.

    Thanked by 3Aidan MasonR FHR
  • @DewlanceVPS said:
    Smell of conspiracy by commercial competitors against VestCP.

    What is fucking wrong with you? Grow up...

    Thanked by 2MasonR Clouvider
  • HBAndreiHBAndrei Member, Top Host, Host Rep

    @DewlanceVPS said:
    Smell of conspiracy by commercial competitors against VestCP.

    Ah yes, how were we so blind as not to see the truth that was right in front of us? It's all so clear now... cPanel and Plesk, in the brink of bankrupcy due to a lack of clients, have formed a coalition to take down the giant that is VestaCP. Wake the hell up people! #resist

  • DewlanceVPSDewlanceVPS Member, Patron Provider

    @HBAndrei said:

    @DewlanceVPS said:
    Smell of conspiracy by commercial competitors against VestCP.

    Ah yes, how were we so blind as not to see the truth that was right in front of us? It's all so clear now... cPanel and Plesk, in the brink of bankrupcy due to a lack of clients, have formed a coalition to take down the giant that is VestaCP. Wake the hell up people! #resist

    I did not say anything for cPanel or Plesk. Don't use auto assumption™.

  • NeoonNeoon Community Contributor, Veteran

    Well, the patch was just a guess.

    As long they did not found the cause, keep it offline.

    The attacker won't be that stupid, they wait a while and go again on the hunt.

  • joepie91joepie91 Member, Patron Provider

    @solaire said:

    @Radi said:
    So in the end, is it patched or not? I know about the 20 version, but I saw people are recommending to keep the Vesta's down for now. Are we sure the patch they released completely resolves the issue? More updates on this?

    Freed up some time to take a closer look, definitely don't use it for the time being. E.g. it seems they forgot that their change password functionality is just as vulnerable as their login functionality once was. Though this can only be exploited once logged in, in a shared hosting environment, this is still extremely bad and easy root access.

    This sounds like reactive security - just patching problems that have been found when they're found, and never reevaluating the approach that led to those problems in the first place, nor reviewing other code proactively.

    I'd recommend staying away from anything that has that policy, open-source or otherwise. It's just going to be an endless fountain of security issues. No matter how many of them get fixed, new ones will be introduced faster than the old ones can get found and patched.

    (This applies more broadly to any software where the same kind of issues are repeatedly found.)

  • DewlanceVPS said: Don't use auto assumption™.

    Isn't AutoBoot powered by that?

  • entrailzentrailz Member, Host Rep

    Honestly I cannot find a point of attack in the API endpoint, yes, it was passing unfiltered input to a shell script, but it was loaded via a file and not directly passed, so I'm really not sure that was the point of attack.

  • @joepie91 said:
    It's just going to be an endless fountain of security issues. No matter how many of them get fixed, new ones will be introduced faster than the old ones can get found and patched.

    OT: Sounds a lot like the Orange West Wing.

  • mehargagsmehargags Member
    edited April 2018

    @SecNinja said:
    Sent off 6 security vulnerabilities to [email protected] with 3 of those leading to a easy root compromise. The other 3 are still very serious flaws, password / hash disclosures, etc.

    I'll send off more once they fix those.

    Anyone suggesting / contributing to security or bugs should kindly send mail to [email protected]. It is mailing list for core developers. That way, at least, they will get email and will patch flaws ASAP.
    So please send them to

    [email protected]

  • @SecNinja said:
    Sent off 6 security vulnerabilities to [email protected] with 3 of those leading to a easy root compromise. The other 3 are still very serious flaws, password / hash disclosures, etc.

    I'll send off more once they fix those.

    Have you gotten any response from the dev team as confirmation that they have seen your email?

  • @mehargags confirmed to me awhile back that they did receive it.

  • Is it safe to use VestaCP now?

  • ClouviderClouvider Member, Patron Provider

    @andrew1995 said:
    Is it safe to use VestaCP now?

    Giving the attitude to implementing security patches i’d avoid It.

    Thanked by 2andrew1995 Falzo
  • LeviLevi Member

    Sad, just sad... VestaCP like zPanel.

  • davidavi Member

    I have changed 8083 port and updated.

  • nepsneps Member

    andrew1995 said: Is it safe to use VestaCP now?

    Probably just as safe as it was a month ago.

    Thanked by 2Falzo PremiumN
  • AlyssaDAlyssaD Member
    edited April 2018

    @andrew1995 said:
    Is it safe to use VestaCP now?

    Setup the admin port to only respond to localhost, and use ssh tunnels to connect to it. Or do a proxy, and block all other IPs from accessing.

    Currently there is word of at least 3 root level compromises in it. Not patched yet.

    Thanked by 1andrew1995
  • @AlyssaD said:

    @andrew1995 said:
    Is it safe to use VestaCP now?

    Setup the admin port to only respond to localhost, and use ssh tunnels to connect to it. Or do a proxy, and block all other IPs from accessing.

    Currently there is word of at least 3 root level compromises in it. Not patched yet.

    Thanks for that piece of advice I will possibly try that when have time, that would be an opportunity for me to learn new things. I don't use vestaCP and I am supposed to try it, but then the exploit happened.

  • @AlyssaD said:

    @andrew1995 said:
    Is it safe to use VestaCP now?

    Setup the admin port to only respond to localhost, and use ssh tunnels to connect to it. Or do a proxy, and block all other IPs from accessing.

    Currently there is word of at least 3 root level compromises in it. Not patched yet.

    Thanks. I set up a proxy a while ago as well just to be safe. Surprised they haven't fixed things by now.

  • MrRobMrRob Member

    Hello to my website at times it causes the 502 bad gateway nginx, can this attack be causing my website?

  • LeviLevi Member

    @MrRob said:
    Hello to my website at times it causes the 502 bad gateway nginx, can this attack be causing my website?

    No. Why do you think so?

  • AlyssaDAlyssaD Member
    edited May 2018

    I know... I am bumping a thread... However, the update is live.

    dpkg -l | grep vesta
    ii  vesta                             0.9.8-21                       amd64        Vesta
    ii  vesta-ioncube                     0.9.8-21                       amd64        ionCube Loader for Vesta
    ii  vesta-nginx                       0.9.8-21                       amd64        Vesta Nginx
    ii  vesta-php                         0.9.8-21                       amd64        Vesta php-fpm
    ii  vesta-softaculous                 0.9.8-21                       amd64        softaculous plugin for Vesta
    

    Thanked by 1Harambe
Sign In or Register to comment.