CVE-2024-51567

Incorrect Default Permissions (CWE-276)

Published: Oct 29, 2024 / Updated: 21d ago

CVSS 9.8 / EPSS 0.04% / Critical

Summary

A vulnerability in the upgrademysqlstatus function in databases/views.py of CyberPanel (aka Cyber Panel) allows remote attackers to bypass authentication and execute arbitrary commands. This is achieved by exploiting the /dataBases/upgrademysqlstatus endpoint, bypassing secMiddleware (which only applies to POST requests), and using shell metacharacters in the statusfile property. The vulnerability affects versions through 2.3.6 and unpatched 2.3.7.

Impact

This vulnerability has severe implications. Attackers can remotely execute arbitrary commands without authentication, potentially leading to complete system compromise. The ability to bypass authentication and execute commands gives attackers full control over the affected system, allowing them to steal sensitive data, modify system configurations, or use the compromised system as a launching point for further attacks. The fact that it was exploited in the wild in October 2024 by a threat actor known as PSAUX indicates that it's an active threat. The vulnerability has a CVSS v3.1 base score of 9.8, indicating critical severity with high impact on confidentiality, integrity, and availability.

Exploitation

One proof-of-concept exploit is available on dreyand.rs. The vulnerability is actively being exploited in the wild and was added to the CISA Known Exploited Vulnerability list. Its exploitation has been reported by various sources, including securityonline.info and nist.gov. Malware such as PSAUX (source: Talkback Resources) is known to have weaponized this vulnerability.

Patch

A patch is available. The vulnerability was fixed in commit 5b08cd6 of the CyberPanel repository. Users should upgrade to a version that includes this commit or later. Specifically, version 2.3.7 with the patch applied should be safe. It's crucial to verify that the installed version includes this specific fix.

Mitigation

1. Immediately update CyberPanel to a version that includes the 5b08cd6 commit or later.
2. If immediate updating is not possible, consider temporarily disabling the /dataBases/upgrademysqlstatus endpoint.
3. Implement network segmentation to limit access to the CyberPanel interface.
4. Monitor for suspicious activities, particularly any unexpected command executions.
5. Audit systems for any signs of compromise, especially if running vulnerable versions.
6. Implement strong authentication mechanisms and consider adding additional layers of security such as IP whitelisting for administrative access.
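
An added example for steps 4 and 5 (not code from CyberPanel or from this page): it scans web access logs for requests to /dataBases/upgrademysqlstatus and ranks non-POST methods highest, because secMiddleware only applies to POST requests. The combined log format, the `triage` function, the `admin_ips` allowlist and the sample lines are assumptions constructed for illustration.

```python
import re

# Path named in the advisory, lower-cased for comparison.
ENDPOINT = "/databases/upgrademysqlstatus"

# Assumption: the front-end web server logs in common/combined format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [29/Oct/2024:22:58:03 +0000] "GET /dataBases/upgrademysqlstatus HTTP/1.1" 200 187 "-" "-"',
    '203.0.113.7 - - [29/Oct/2024:22:58:04 +0000] "PUT /dataBases/upgrademysqlstatus/ HTTP/1.1" 200 64 "-" "-"',
    '192.0.2.10 - admin [29/Oct/2024:23:10:41 +0000] "POST /dataBases/upgrademysqlstatus HTTP/1.1" 200 64 "-" "-"',
    '198.51.100.23 - - [29/Oct/2024:23:11:02 +0000] "POST /dataBases/upgrademysqlstatus?x=1 HTTP/1.1" 403 0 "-" "-"',
    '198.51.100.23 - - [29/Oct/2024:23:11:05 +0000] "GET / HTTP/1.1" 200 1024 "-" "-"',
]

def triage(lines, admin_ips=frozenset()):
    """Flag every request that reaches the endpoint; rank by method and source."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if m is None:
            continue  # not in the assumed log format
        # Ignore query string, trailing slash and letter case when matching.
        path = m["target"].split("?", 1)[0].rstrip("/").lower()
        if path != ENDPOINT:
            continue
        if m["method"] != "POST":
            severity = "high"    # outside the POST-only secMiddleware check
        elif m["ip"] not in admin_ips:
            severity = "medium"  # covered by the middleware, but unknown source
        else:
            severity = "info"    # POST from a known administrator address
        findings.append({"line": lineno, "ip": m["ip"], "time": m["ts"],
                         "method": m["method"], "status": int(m["status"]),
                         "severity": severity})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, admin_ips={"192.0.2.10"}):
        print(f"{f['severity']:<6} line {f['line']} {f['ip']} "
              f"{f['method']} -> {f['status']} at {f['time']}")
```

Access logs in this format do not record request bodies, so a hit shows when and from where the endpoint was reached; what was executed has to come from the host-level audit in step 5.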

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Exploitation in the Wild

Attacks in the wild have been reported by inthewild.io.

Oct 29, 2024 at 11:15 PM / inthewild.io

CVE Assignment

NVD published the first details for CVE-2024-51567

Oct 29, 2024 at 11:15 PM

CVSS

A CVSS base score of 10 has been assigned.

Oct 29, 2024 at 11:20 PM / nvd

First Article

Feedly found the first article mentioning CVE-2024-51567.

Oct 29, 2024 at 11:22 PM / Vulners.com RSS Feed

CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 29, 2024 at 11:22 PM

Exploitation in the Wild

Attacks in the wild have been reported by Vulnerability Archives • Cybersecurity News.

Threat Intelligence Report

CVE-2024-51567 is a critical remote code execution vulnerability in CyberPanel's upgrademysqlstatus function, allowing unauthenticated attackers to execute commands remotely by bypassing security middleware and exploiting shell metacharacters. This vulnerability is currently under active exploitation by threat actors deploying PSAUX ransomware, affecting CyberPanel versions 2.3.6 and 2.3.7. There is no information provided regarding CVSS scores, proof-of-concept exploits, mitigations, detections, patches, or downstream impacts on third-party vendors.

Oct 30, 2024 at 2:50 AM

Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (152345)

Oct 30, 2024 at 7:53 AM

Attribution of Exploits

The vulnerability is known to be exploited by PSAUX.

Oct 30, 2024 at 8:38 AM / Talkback Resources

Affected Systems

Cyberpanel/cyberpanel

Exploits

https://dreyand.rs/code/review/2024/10/27/what-are-my-options-cyberpanel-v236-pre-auth-rce

Proof Of Exploit

https://nvd.nist.gov/vuln/detail/CVE-2024-51567

Patches

dreyand.rs

Links to Malware Families

PSAUX

Links to MITRE ATT&CK

T1574.010: Services File Permissions Weakness

Attack Patterns

CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs

References

Over 22,000 CyberPanel Servers at Risk from Critical Vulnerabilities Exploitation by PSAUX Ransomware
Threat actors have been actively exploiting three Remote Code Execution (RCE) vulnerabilities in CyberPanel, a popular web hosting control panel. The affected CyberPanel versions include 2.3.6 and 2.3.7, enabling attackers to completely take over vulnerable systems.

News

CISA adds two more vulnerabilities in Palo Alto Networks tools to exploited catalogue
The US Cybersecurity and Infrastructure Security Agency (CISA) has expanded its Known Exploited Vulnerabilities Catalogue with two newly identified vulnerabilities in Palo Alto Networks’ Expedition migration tool. Exploiting this flaw can expose sensitive information such as usernames, plaintext passwords, device configurations, and API keys associated with PAN-OS firewalls.
CISA: CISA Adds Four Known Exploited Vulnerabilities to Catalog
BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice.
CyberPanel Incorrect Default Permissions Vulnerability (CVE-2024-51567)
Development Last Updated: 11/13/2024 CVEs: CVE-2024-51567
Weekly Detection Rule (YARA and Snort) Information – Week 1, November 2024
The following is the information on Yara and Snort rules (week 1, November 2024) collected and shared by the AhnLab TIP service. 0 YARA Rules 12 Snort Rules Detection name Source ET WEB_SPECIFIC_APPS PFsense Stored Cross-Site Scripting (CVE-2024-46538) https://rules.emergingthreatspro.com/open/ ET ATTACK_RESPONSE Observed ClickFix Powershell Delivery Page (Portuguese) https://rules.emergingthreatspro.com/open/ ET ATTACK_RESPONSE Observed ClickFix Powershell Delivery Page […]
Alleged Snowflake attacker gets busted by Canadians – politely, we assume
CVSS 9.8, CVE-2019-16278 – It’s not new, but Nostromo nhttpd up to version 1.9.6 contains a critical directory traversal vulnerability that’s being actively abused, though we know you’ve patched this by now. According to threat hunters at Google subsidiary Mandiant – which has tracked Moucka as UNC5537 and been part of the investigation into the breach – one of Moucka’s co-conspirators, John Binns, was reportedly arrested in Turkey earlier this year.

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability Impact: High
