Over 22,000 CyberPanel Servers Threatened by Critical Vulnerabilities Exploited by PSAUX Ransomware

CyberPanel Vulnerabilities: A Deep Dive into RCE Threats and PSAUX Ransomware

In the ever-evolving landscape of cybersecurity, vulnerabilities in widely used software can lead to catastrophic consequences. Recently, threat actors have been actively exploiting three critical Remote Code Execution (RCE) vulnerabilities in CyberPanel, a popular web hosting control panel. Identified as CVE-2024-51567, CVE-2024-51568, and CVE-2024-51378, these vulnerabilities allow attackers to gain unauthorized root access and deploy PSAUX ransomware, posing a significant risk to users of CyberPanel versions 2.3.6 and 2.3.7.

What Are the Vulnerabilities in CyberPanel?

Cybersecurity researchers DreyAnd and Luka Petrovic uncovered multiple zero-day vulnerabilities in CyberPanel, each carrying a maximum Common Vulnerability Scoring System (CVSS) score of 10, indicating severe risk. Here’s a closer look at each vulnerability:

CVE-2024-51567

This vulnerability exists in the upgrademysqlstatus function within databases/views.py. Attackers can bypass security middleware by using shell metacharacters in the statusfile property, leading to remote command execution. This flaw is particularly concerning as it allows attackers to execute arbitrary commands on the server.

CVE-2024-51568

The second vulnerability involves command injection in the ProcessUtilities.outputExecutioner() function, specifically through the completePath parameter. This flaw allows for file uploads and remote code execution without authentication, making it a prime target for attackers looking to exploit vulnerable systems.

CVE-2024-51378

The third vulnerability affects the getresetstatus function within dns/views.py and ftp/views.py. Similar to the previous vulnerabilities, it enables attackers to execute commands remotely by bypassing middleware, further compromising the security of affected systems.

These vulnerabilities collectively create a dangerous attack surface for CyberPanel users, emphasizing the need for immediate action to mitigate risks.

How Extensive Is the Threat?

The threat landscape is alarming, with findings from LeakIX revealing that over 21,761 CyberPanel servers are exposed globally. The geographical distribution of these servers indicates a concentration in the United States (10,170), followed by Germany (3,346) and Singapore (1,856). This distribution suggests that attackers may focus their efforts on servers located in these regions, increasing the risk of widespread exploitation.

With the majority of exposed CyberPanel instances in the U.S., these servers represent a potential vulnerability hotspot, making it imperative for administrators to take swift action to secure their systems.

How Did PSAUX Exploit CyberPanel?

The PSAUX ransomware campaign, active since June 2024, has specifically targeted exposed web servers through known vulnerabilities and configuration weaknesses. Once PSAUX ransomware infects a server, it executes a series of malicious actions:

  1. File Encryption: The ransomware generates a unique AES key and Initialization Vector (IV) to encrypt server files, rendering them inaccessible to the user.
  2. Ransom Note Deployment: It drops ransom notes named index.html in every directory and copies them to /etc/motd, ensuring that the ransom note is displayed upon login.
  3. RSA Key Protection: The AES key and IV are further encrypted with an embedded RSA key, saved as /var/key.enc and /var/iv.enc.

Attackers have utilized scripts like ak47.py to exploit the vulnerabilities in CyberPanel and actually.sh to handle file encryption, demonstrating the sophisticated methods employed in these attacks.
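The three post-infection actions listed above leave artifacts a responder can check for. The following triage script is an added example written for this article, not code from SOCRadar, LeakIX or CyberPanel: it looks for the RSA-wrapped key material at /var/key.enc and /var/iv.enc, for an index.html whose identical copy sits in many directories, and for /etc/motd matching that note. The scan root is configurable so it can be pointed at a mounted forensic image; the default scan directory `home` and the constructed sample tree are assumptions.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

KEY_FILES = ("var/key.enc", "var/iv.enc")  # RSA-wrapped AES key and IV named in the article

@dataclass
class PsauxFindings:
    key_files: list = field(default_factory=list)  # which of KEY_FILES exist under root
    note_dirs: list = field(default_factory=list)  # dirs holding the most widespread index.html
    note_ratio: float = 0.0                        # share of scanned dirs holding that note
    motd_matches_note: bool = False                # /etc/motd identical to that index.html

    def suspicious(self) -> bool:
        widespread = len(self.note_dirs) >= 3 and self.note_ratio >= 0.5
        return bool(self.key_files) or self.motd_matches_note or widespread

def _sha256(path):  # None for a missing file, e.g. a host without /etc/motd
    return hashlib.sha256(Path(path).read_bytes()).hexdigest() if Path(path).is_file() else None

def check_psaux_indicators(root: str, scan_dir: str = "home") -> PsauxFindings:
    f = PsauxFindings()
    f.key_files = [p for p in KEY_FILES if Path(root, p).is_file()]
    motd_hash = _sha256(Path(root, "etc", "motd"))
    by_hash = {}  # sha256 of an index.html -> directories carrying that exact content
    for dirs_seen, (dirpath, _dirs, files) in enumerate(os.walk(os.path.join(root, scan_dir)), 1):
        if "index.html" in files:  # one site index is normal; an identical copy per directory is not
            h = _sha256(os.path.join(dirpath, "index.html"))
            by_hash.setdefault(h, []).append(os.path.relpath(dirpath, root))
    if by_hash:  # the loop ran at least once, so dirs_seen is defined
        top_hash, f.note_dirs = max(by_hash.items(), key=lambda kv: len(kv[1]))
        f.note_ratio = len(f.note_dirs) / dirs_seen
        f.motd_matches_note = top_hash == motd_hash
    return f

def build_fixture(infected: bool) -> str:
    # Constructed sample tree (not real victim data) so the check can be tried offline.
    root, note = tempfile.mkdtemp(), b"<html>CONSTRUCTED SAMPLE RANSOM NOTE</html>"
    site_dirs = ("home/site1", "home/site1/public_html", "home/site2")
    files = {"etc/motd": b"Welcome\n", "home/site1/public_html/index.html": b"<html>hi</html>"}
    if infected:  # note in every directory and in /etc/motd, wrapped key material in /var
        files = {"etc/motd": note, **dict.fromkeys(KEY_FILES, b"")}
        files.update({d + "/index.html": note for d in site_dirs})
    for d in ("etc", "var") + site_dirs:
        Path(root, d).mkdir(parents=True)
    for rel, data in files.items():
        Path(root, rel).write_bytes(data)
    return root
```

Run `check_psaux_indicators("/")` on a live host, or pass the mount point of an image; a clean hosting tree with one index.html per site stays below the threshold.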

How Are Researchers Responding with PSAUX Decryption Tools?

In response to the widespread PSAUX ransomware attacks, researchers from LeakIX and Chocapikk have developed and released a decryption tool. This tool exploits a weakness in the ransomware’s encryption routine, potentially allowing victims to recover their files without paying the ransom. However, caution is advised, as the decryption process relies on the specific encryption keys used by the attackers. Using the wrong key could corrupt the data, so users are encouraged to back up their files before attempting to use the tool.

How Did CyberPanel Respond?

Upon receiving the vulnerability report, CyberPanel’s development team acted swiftly, reviewing the issue and deploying a security patch within 30 minutes. Although researchers suggested a public disclosure, CyberPanel initially withheld the announcement to allow users time to update their systems. Unfortunately, details about the flaw were prematurely leaked by a third-party source, leading to heightened user concerns.

The patch has since been rolled out as part of a routine update on GitHub. However, CyberPanel has not yet provided full details about the flaw, to avoid putting unpatched servers at further risk. CyberPanel has issued specific recommendations for users:

  • For Users with SSH Access: Apply the patch using CyberPanel’s update guide to effectively mitigate the vulnerability.
  • For Users without SSH Access: If SSH access is restricted due to server overload from attack attempts, users should contact their hosting providers to request a temporary lifting of IP blocks or to open port 22 for the update.

CyberPanel urges users to update their installations as soon as possible to safeguard against potential attacks, confirming that additional information about the vulnerability will be shared once the majority of users have applied the patch.

Get Ahead with SOCRadar’s Vulnerability Intelligence

As new vulnerabilities emerge daily, taking proactive steps is crucial to secure your organization’s digital landscape. SOCRadar’s Vulnerability Intelligence equips you with the tools needed to anticipate potential threats. It helps identify and prioritize critical vulnerabilities, providing real-time alerts and actionable insights to address risks before attackers can exploit them.

With SOCRadar, organizations can ensure that their efforts are directed toward the most pressing vulnerabilities, enabling quicker patching and maintaining strong security. By staying informed and prepared, organizations can shield themselves from the latest cyber threats and protect their digital assets.

In conclusion, the recent vulnerabilities in CyberPanel highlight the critical need for vigilance in cybersecurity. As threat actors continue to exploit weaknesses in software, it is essential for users to stay informed, apply patches promptly, and utilize tools that enhance their security posture.
