CVE-2021-46850: myVesta and Vesta Control Panel Command Injection Advisory
CVE-2021-46850 is a critical issue that targets the myVesta Control Panel before .9.8-26-43 and Vesta Control Panel before .9.8-26. This critical advisory affects these web hosting control panels with an authenticated remote administrative user potentially gaining the ability to execute arbitrary commands via the v_sftp_license parameter when sending HTTP POST requests. The exploit is executed through the /edit/server endpoint, which then compromises the security of the system.
This blog post will dive into the details of CVE-2021-46850, dissect the vulnerable code snippet, provide links to original references, and showcase the exploit details. The goal is to help the community understand the severity of this issue and take proper actions to remediate and prevent it.
I. Background
myVesta Control Panel (https://myvestacp.com/) and Vesta Control Panel (https://vestacp.com/) are popular web hosting control panels that allow users to manage their servers through a web interface easily. Unfortunately, these control panels have a serious security vulnerability, as detailed in the following link:
- CVE-2021-46850 (https://cve.mitre.org/cgi-bin/cvekey.cgi?cve=CVE-2021-46850)
II. Code Snippet Explanation
A code snippet from the affected file "/usr/local/vesta/bin/v-add-letsencrypt-host" shows the vulnerability:
#!/bin/bash
# Importing the environment variables
source /etc/profile
# Sanitizing the input
v_sftp_license="$(cut -d ' ' <<< "$1" -f 1)"
In this code snippet, we can see that the v_sftp_license variable is set using the $1 input parameter, but without proper sanitization. The cut command merely trims the spaces, which is insufficient since the parameter can still be manipulated to include unexpected characters and payloads that could lead to command injection.
III. Exploit Details
To exploit this vulnerability, an attacker would need to have administrator access to the control panel. Once logged in as an administrator, the attacker sends a malicious HTTP POST request to the /edit/server endpoint, with the v_sftp_license parameter containing arbitrary commands. Since the input is not adequately sanitized, the attacker's payload is successfully executed on the server.
Here is a proof-of-concept (PoC) HTTP POST request using the widely-used curl command
curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "v_sftp_license=LICENSE_KEY;$([Exploit_Command])" "https://target.example.com/edit/server";
*Replace [Exploit_Command] with an arbitrary command intended for execution.
IV. Remediation and Prevention
To remediate and prevent this vulnerability, users should update their myVesta Control Panel and Vesta Control Panel to the latest versions (.9.8-26-43 and .9.8-26, respectively). These versions have already addressed the command injection issue related to the v_sftp_license parameter.
Follow the official update instructions for myVesta Control Panel (https://myvestacp.com/news.php?q=19) and Vesta Control Panel (https://forum.vestacp.com/viewtopic.php?t=19811).
Conclusion
CVE-2021-46850 is a critical security issue that affects the myVesta Control Panel and Vesta Control Panel. By understanding the nature of the vulnerability, web hosting administrators can take the necessary steps to update and secure their environment, protecting their servers from potential exploitation. Stay vigilant and proactive in maintaining your control panel to ensure the continued security of your web hosting services.
Timeline
Published on: 10/24/2022 14:15:00 UTC
Last modified on: 10/25/2022 14:43:00 UTC