Date of Disclosure: October 29, 2024
Date added to CISA KEV: November 7, 2024 (CVE-2024-51567)
Last week, we reported on CVE-2024-51378, a critical unauthenticated remote code execution (RCE) vulnerability in CyberPanel through the getresetstatus endpoint, which is actively being exploited by various ransomware gangs including the PSAUX operation.
At the time of publishing our previous advisory, we observed 60,935 exposed CyberPanel devices. This number has since decreased by approximately 4,000, with our current assessment identifying 55,425 exposed devices.
Two other critical CyberPanel vulnerabilities disclosed concurrently were CVE-2024-51567, added to CISA KEV yesterday and now also targeted by ransomware, and CVE-2024-51568.
CVE-2024-51378 and CVE-2024-51567 affect versions up to 2.3.6 and unpatched 2.3.7, while CVE-2024-51568 impacts versions 2.3.5 and earlier. All three vulnerabilities have the maximum CVSS severity score of 10.0 by MITRE and can lead to unauthenticated RCE, although they reside in different components of CyberPanel.
CVE-2024-51567 exploits the upgrademysqlstatus asset in databases/views.py before 5b08cd6, allowing remote attackers to bypass authentication and execute arbitrary commands via /dataBases/upgrademysqlstatus by bypassing secMiddleware (which is only for a POST request) and using shell metacharacters in the statusfile property, as exploited in the wild in October 2024 by PSAUX.
CVE-2024-51568 allows command injection via completePath in the ProcessUtilities.outputExecutioner() sink. A remote unauthenticated actor can send a specially crafted request to the /filemanager/upload (aka File Manager upload) endpoint to enable unauthenticated remote code execution via shell metacharacters.
CyberPanel is an open-source web hosting control panel built specifically to work with the LiteSpeed Web Server. CyberPanel is typically accessible over the public internet through a web based interface on TCP/8090 by default. Once installed on a server, users can log into CyberPanel by navigating to http://<server-ip>:8090. This interface is accessible globally, provided there are no network restrictions or firewall rules blocking the port.
Exposed CyberPanel Web Portal
| Field |
Details |
| CVE-ID |
CVE-2024-51567 – CVSS 10.0 (Critical) assigned by Mitre |
CVE-2024-51568 – CVSS 10.0 (Critical) assigned by Mitre |
| Vulnerability Description |
upgrademysqlstatus in databases/views.py in CyberPanel before 5b08cd6 allows remote attackers to bypass authentication and execute arbitrary commands via /dataBases/upgrademysqlstatus by bypassing secMiddleware (which is only for a POST request) and using shell metacharacters in the statusfile property, as exploited in the wild in October 2024 by PSAUX. |
CyberPanel (aka Cyber Panel) before 2.3.5 allows Command Injection via completePath in the ProcessUtilities.outputExecutioner() sink. There is /filemanager/upload (aka File Manager upload) unauthenticated remote code execution via shell metacharacters. |
| Date of Disclosure |
October 29, 2024 |
| Affected Assets |
upgrademysqlstatus endpoint in databases/views.py in CyberPanel (aka Cyber Panel) before 5b08cd6. |
completePath in the ProcessUtilities.outputExecutioner() sink and /filemanager/upload before |
| Vulnerable Software Versions |
Versions through 2.3.6 and (unpatched) 2.3.7 are affected. |
Before version 2.3.5 |
| PoC Available? |
A PoC for CVE-2024-51567 has been published, along with a technical write-up covering both vulnerabilities by security researcher DreyAnd, who discovered them. |
| Exploitation Status |
CVE-2024-51567 was added to CISA KEV on November 7, 2024. At the time of writing, this vulnerability is being targeted primarily by the PSAUX ransomware operation, along with two other ransomware variants. |
CVE-2024-51568 was not reported on CISA KEV or observed in GreyNoise at the time of writing. |
| Patch Status |
CyberPanel has released a comprehensive security patch that addresses both CVEs. You can find detailed information about the vulnerabilities and the corresponding fixes in their change logs. Additionally, this tool can be used to decrypt devices locked by PSAUX specifically. |
Censys Perspective
At the time of writing, Censys observed 55,425 exposed CyberPanel web portals online, with about 25% concentrated in the United States. Censys observed about 31% of the exposed instances to be associated with Digital Ocean (ASN 14061). Note that not all of these are necessarily vulnerable, as specific device versions are not available.
Map of exposed CyberPanel instances:
We charted trends in exposed CyberPanel instances over the past two weeks leading up to and following disclosure:
We observed a significant spike in observed CyberPanel instances the day before the vulnerabilities were disclosed, with ~1k devices. Following the disclosure, there was a sharp decline, with device counts decreasing by approximately 1-2k each day over the following days.
Per intel from LeakIX, there are currently 3 separate ransomware groups observed targeting vulnerable CyberPanel devices. The advisory published last week discusses these groups in more detail. They have been associated with the following respective file extensions:
.psaux -> Custom ransomware, script based
.encryp -> Variant from Babuk's source
.locked -> C3RB3R Conti v3-based Ransomware
There have also been observations of persistent cryptominers being installed on PSAUX-infected CyberPanel hosts post-exploitation.
If you administer a public-facing CyberPanel instance, it’s recommended to mitigate it immediately by either patching or restricting access from the public internet.
Censys Search Query:
services.software: (vendor="CyberPanel" and product="CyberPanel") and not labels: {tarpit, honeypot}
Censys ASM Query:
host.services.software.vendor="CyberPanel" AND host.services.software.product="CyberPanel"
LeakIX has published a decryption tool here that leverages an encryption weakness in PSAUX. Unfortunately there are no known workarounds for the other two ransomware groups at this time.
References
