Important Security Updates for CyberPanel: What You Need to Know
Introduction
On October 28, 2024, CyberPanel posted a significant security update announcement on their Facebook page. They stated:
“Hello everyone! We’ve recently made some important security updates which you can read in our blog. It is highly recommended to upgrade CyberPanel as soon as possible.”
However, there was no accompanying blog post with further details. Shortly after, another announcement followed regarding a critical security vulnerability.
What Happened?
A root Remote Code Execution (RCE) bug in CyberPanel was disclosed by security researcher DreyAnd (@dreyand_ on Twitter). The full disclosure can be found on their blog:
A few months ago, I was tasked with performing a penetration test on a target running CyberPanel. I found that it was commonly installed by default by several VPS providers and was even sponsored by Freshworks. Initially, I struggled to exploit the target due to limited functionalities, so I decided to search for a zero-day vulnerability.
This led to the discovery of a 0-click pre-auth root RCE on the latest version (2.3.6 as of now), which remains unpatched. While the maintainers have been notified and a patch has been developed, it is still awaiting a Common Vulnerabilities and Exposures (CVE) identifier and a main release. You can view the patch commit here.
What Are Your Options?
CyberPanel v2.3.6 Pre-auth RCE
Given the vulnerability, many users are left wondering why their servers might have been compromised and why CyberPanel has not made a formal announcement. CyberPanel was informed of the vulnerability and the proof of concept (PoC), which was released by the researcher on October 27, 2024, after confirmation from the CyberPanel team.
Although a commit was made to patch the RCE on October 23, 2024, no official release has been communicated.
Searching for Vulnerable CyberPanel Instances
Finding CyberPanel instances exposed to the internet is relatively straightforward using Fofa, a search engine designed for mapping cyberspace. You can search specifically for CyberPanel instances by using the following query:
app="CyberPanel"
Don’t Clean Up Your Infected Server—Restore from Backups
If you suspect your server has been compromised, do not attempt to clean it up. Instead, restore from backups and consider using a different control panel for the time being. If your sites involve sensitive data, such as Stripe keys, make sure to regenerate those keys.
Cleaning Up Infected Servers
If you still prefer to clean your server, here are some details to help you with the process:
Kinsing Malware
Many infections appear to be automated, utilizing Kinsing malware, which targets Linux-based cloud infrastructures.
For more information on Kinsing malware, visit Tenable’s research.
CyberPanel Community Forum Infection Clean-up Post
For those looking for community support, the CyberPanel Community Forum has threads detailing cleaning procedures and vulnerability assessments.
Restoring SSH Access
If you’re using Proxmox and cloud-init, you can use cloud-init’s password settings to regain access to your instance and keep better control over it.
Kinsing Malware Clean-Up Shell Script
A shell script is available to help automate the cleanup process. You can find it here.
Manual Clean-Up Steps
If you prefer manual cleanup, here’s a concise guide:
- Disable Cron Jobs: Stop the cron service to prevent reinfection.
systemctl stop cron
- Delete Malware Files: Remove known malware files.
- Remove Suspicious Services: Delete any suspicious services that may be running.
- Kill Suspicious Processes: Find and kill any processes related to Kinsing.
- Unload Pre-loaded Libraries: Remove any unwanted libraries from the preload list.
- Delete Suspicious Cron Jobs: Check and clean up any unwanted entries in crontab.
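As an added example (not from the original post or the forum clean-up guide), the following read-only triage script covers the preload, cron and process checks listed above; the patterns it flags are general download-and-run heuristics I chose, not known Kinsing indicators, and every path argument is an assumption you can override.

```shell
#!/bin/sh
# Read-only triage of three persistence spots named in the manual clean-up steps:
# the ld.so.preload list, crontabs, and running processes. Nothing here deletes
# anything; review the output, then remove only what you have confirmed is malicious.

# Report every library listed in an ld.so.preload file (default: /etc/ld.so.preload).
# A clean host normally has no such file or an empty one, so any entry needs explaining.
# Returns 0 when nothing is preloaded, 1 when at least one entry was printed.
check_preload() {
    preload="${1:-/etc/ld.so.preload}"
    [ -s "$preload" ] || return 0          # absent or empty: nothing to report
    grep -v '^[[:space:]]*$' "$preload"    # print each preloaded library
    return 1
}

# Print crontab lines (from the files given) that fetch and execute remote content:
# curl/wget piped into a shell, or base64-decoded payloads. This is a heuristic for
# download-and-run persistence, not a signature for any particular malware family.
suspicious_cron_lines() {
    [ $# -gt 0 ] || return 0               # no files given: nothing to scan
    grep -Eh -v '^[[:space:]]*#' "$@" 2>/dev/null \
      | grep -E '(curl|wget)[^|;]*\|[[:space:]]*(ba)?sh|base64[[:space:]]+(-d|--decode)'
}

# List running processes whose executable lives under a world-writable directory
# or has already been deleted from disk, a common trait of dropped miners.
processes_from_tmp() {
    for pid in /proc/[0-9]*; do
        exe=$(readlink "$pid/exe" 2>/dev/null) || continue
        case "$exe" in
            /tmp/*|/var/tmp/*|/dev/shm/*|*"(deleted)") echo "${pid#/proc/} $exe" ;;
        esac
    done
}

# Example run on a live host (as root); cron paths assume a Debian/Ubuntu layout.
# check_preload
# suspicious_cron_lines /etc/crontab /etc/cron.d/* /var/spool/cron/crontabs/*
# processes_from_tmp
```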
Additional Steps
- Install tools like chkrootkit and rkhunter for further system scanning.
- Upgrade CyberPanel after resolving the infection.
Upgrade CyberPanel
Ensure that you upgrade CyberPanel to the latest version using the following command:
sh <(curl https://raw.githubusercontent.com/usmannasir/cyberpanel/stable/preUpgrade.sh || wget -O - https://raw.githubusercontent.com/usmannasir/cyberpanel/stable/preUpgrade.sh)
Change Log
- 10-29-2024: Added section for Kinsing shell script.
- 10-29-2024: Added Proxmox section for restoring SSH access via cloud-init.
Stay vigilant and proactive about your server’s security. Regular updates and monitoring can help mitigate risks associated with vulnerabilities like these.