Date of Disclosure: October 29, 2024
CVE-2024-51378 is a command injection vulnerability in CyberPanel that was assigned the maximum CVSS score of 10.0 by MITRE. It’s been observed being exploited in the wild to deploy 3 types of ransomware thus far: PSAUX, C3RB3R, and a Babuk variant. The vulnerability allows remote attackers to bypass authentication and execute arbitrary commands by circumventing security middleware (which is only used for a POST request) and using shell metacharacters in the statusfile property.
CyberPanel is an open-source web hosting control panel built specifically to work with the LiteSpeed Web Server. CyberPanel can be installed on popular Linux distributions, most commonly CentOS, Ubuntu, and AlmaLinux. Organizations typically use CyberPanel for web hosting management, email management, database management, WordPress hosting, and SSL certificate management.
CyberPanel is typically accessible over the public internet through a web based interface on TCP/8090 by default. Once installed on a server, users can log into CyberPanel by navigating to http://<server-ip>:8090. This interface is accessible globally, provided there are no network restrictions or firewall rules blocking the port. It is recommended that administrators restrict access to the panel by whitelisting specific IP addresses, using VPNs, or disabling public access if they want to manage it within a secure internal network. See below for an example of an exposed CyberPanel web interface:
Field |
Details |
CVE-ID |
CVE-2024-51378 – CVSS 10.0 (Critical) assigned by Mitre |
Vulnerability Description |
getresetstatus in dns/views.py and ftp/views.py in CyberPanel (aka Cyber Panel) before 1c0c6cb allows remote attackers to bypass authentication and execute arbitrary commands via /dns/getresetstatus or /ftp/getresetstatus by bypassing secMiddleware (which is only for a POST request) and using shell metacharacters in the statusfile property, as exploited in the wild in October 2024 by PSAUX. Versions through 2.3.6 and (unpatched) 2.3.7 are affected. |
Date of Disclosure |
October 29, 2024 |
Affected Assets |
getresetstatus in dns/views.py and ftp/views.py in CyberPanel (aka Cyber Panel) before 1c0c6cb. |
Vulnerable Software Versions |
Versions through 2.3.6 and (unpatched) 2.3.7 are affected. |
PoC Available? |
Yes, this security post details how the vulnerability can be exploited, and the proof-of-concept (PoC) code is published here. |
Exploitation Status |
At the time of writing, this vulnerability is being targeted primarily by the PSAUX ransomware operation, along with two other ransomware variants. It’s currently not in CISA KEV. |
Patch Status |
The patched commit is available here. Additionally, this tool can be used to decrypt devices locked by PSAUX specifically. |
Censys Perspective
At the time of writing, Censys observed 60,935 exposed CyberPanel web portals online, with about 26% concentrated in the United States. Censys observed about 29% of the exposed instances to be associated with Digital Ocean (ASN 14061). Note that not all of these are necessarily vulnerable, as specific device versions are not available.
Map of exposed CyberPanel instances:
We charted trends in exposed CyberPanel instances over the past week leading up to and following disclosure:
We observed a significant spike in observed CyberPanel instances the day before the vulnerability disclosure, with ~1k devices. Following the disclosure, there was a sharp decline, with device counts decreasing by approximately 2k each day over the following days.
Per intel from LeakIX, there are currently 3 separate ransomware groups observed targeting vulnerable CyberPanel devices. They have been associated with the following respective file extensions:
.psaux -> Custom ransomware, script based
.encryp -> Variant from Babuk's source
.locked -> C3RB3R Conti v3-based Ransomware
Under certain circumstances, the ransomware note is visible on a compromised host in Censys via an exposed open directory presenting on a different port:
A compromised CyberPanel host exposing an open directory with a ransomware note. The .LOCK3D file extension indicates that this is encrypted with C3RB3R
Censys Search Query:
services.software: (vendor="CyberPanel" and product="CyberPanel") and not labels: {tarpit, honeypot}
Censys ASM Query:
host.services.software.vendor="CyberPanel" AND host.services.software.product="CyberPanel"
LeakIX has published a decryption tool here that leverages an encryption weakness in PSAUX. Unfortunately there are currently no known workarounds for the other two ransomware groups at this time.
References