Rapid7 researcher Tod Beardsley has found several security vulnerabilities in CloudPanel, a self-hosted web administration solution for Linux servers.
The flaws include shipping the same TLS certificate and private key in every installation, and an installer that overwrites the host's existing firewall rules with a far more permissive set. At the time of writing, two issues remained unfixed, while the vendor had addressed a third concerning the installation script.
The first issue concerns the trustworthiness of the “curl to bash” installation procedure: the script was piped straight into a shell with no integrity check on what had been downloaded. The vendor promptly addressed this by publishing a cryptographic checksum of the installation script, so that administrators can verify the download before executing it (the check only helps if the checksum is obtained from a channel independent of the download and actually compared before the script runs). The second problem is that the CloudPanel installation script resets any pre-existing Uncomplicated Firewall (ufw) rules on the server and replaces them with a far more permissive ruleset.
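As an added example (not CloudPanel's installer and not Rapid7's code), the following POSIX shell script shows the pattern the published checksum makes possible: download the installer to a file, compare its SHA-256 with the value published out of band, and execute it only on a match. The installer URL and checksum below are placeholders, not CloudPanel's real values, and `fetch_and_run` only runs when both are supplied on the command line.

```shell
#!/bin/sh
# Added example, not CloudPanel's installer and not Rapid7's code.
# Download an install script, check its SHA-256 against a value published
# by the vendor out of band, and execute it only if the two match.
# INSTALLER_URL and EXPECTED_SHA256 are placeholders, not CloudPanel's real values.
set -eu

INSTALLER_URL="https://installer.example.invalid/install.sh"                          # placeholder
EXPECTED_SHA256="0000000000000000000000000000000000000000000000000000000000000000"    # placeholder

# Print the SHA-256 of a file as lower-case hex, using whichever tool the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Return 0 when the file's SHA-256 equals the expected value, 1 otherwise.
# The expected value is lower-cased so a checksum copied in capitals still matches.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file")
    [ "$actual" = "$expected" ]
}

# Fetch to a temporary file, verify, then run. Never pipe the download into sh:
# a script executed as it streams cannot be checked first, and a connection that
# drops mid-transfer would run a truncated script.
fetch_and_run() {
    url=$1
    expected=$2
    tmp=$(mktemp)
    # -f: treat HTTP errors as failures instead of saving an error page
    # -sS: quiet, but still report errors; -L: follow redirects
    if ! curl -fsSL "$url" -o "$tmp"; then
        echo "download failed: $url" >&2
        rm -f "$tmp"
        return 1
    fi
    if ! verify_sha256 "$tmp" "$expected"; then
        echo "checksum MISMATCH for $url: refusing to execute" >&2
        echo "expected $expected, got $(sha256_of "$tmp")" >&2
        rm -f "$tmp"
        return 1
    fi
    echo "checksum OK, executing installer"
    sh "$tmp"
    rm -f "$tmp"
}

# Usage: sh verify-and-install.sh <url> <sha256>
# (the INSTALLER_URL / EXPECTED_SHA256 defaults above are placeholders only).
if [ $# -eq 2 ]; then
    fetch_and_run "$1" "$2"
fi
```

The checksum is compared case-insensitively and the temporary file is removed on every failure path; a mismatch prints both digests so an operator can tell a corrupted download from a stale published value.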
Additionally, the CloudPanel superuser (administrator) account is left without a password after installation; an attacker who reaches the panel before its owner does can set their own password and take control of the system.
Using the Shodan internet scanning tool, Rapid7 found 5,843 CloudPanel servers using the default certificate, most of them in the United States and Germany.
“By chaining together the firewall permissiveness and the reused certificate issues, an attacker can target and exploit new CloudPanel instances as they are being deployed,” explained Beardsley.
CloudPanel is promoted as an easy-to-use administration solution for self-hosted Linux servers on the websites of cloud service providers such as AWS, Azure, GCP, and DigitalOcean.
As there are no fixes for the firewall and certificate problems, users are advised to reconfigure their firewall rules immediately after installing CloudPanel and to generate and install their own TLS certificate. Because the default certificate's private key is identical on every install, anyone who has ever installed CloudPanel holds it: an attacker in a position to intercept traffic can impersonate a server that still uses the default certificate and read administrators' HTTPS sessions, putting credentials and other sensitive data at risk.
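Added example, not part of the article and not CloudPanel's own tooling: a post-install hardening script that covers both recommendations (re-apply a restrictive ufw ruleset; replace the shared default certificate with a key pair generated on this host) and adds the check Rapid7's Shodan survey implies, namely whether a server still presents the default certificate. It assumes ufw is the firewall in use, that the admin interface listens on port 8443, and a hypothetical `CERT_DIR` for the new certificate; all three are assumptions to adjust for your install.

```shell
#!/bin/sh
# Added example, not CloudPanel's tooling and not Rapid7's code.
# Post-install hardening for a CloudPanel host:
#   1. put a restrictive ufw ruleset back after the installer has replaced it;
#   2. generate a host-specific key and certificate so the shipped private key
#      is no longer in use, and confirm the admin port no longer presents it.
# Assumptions (not from the article): ufw is the firewall, the admin interface
# listens on ADMIN_PORT (8443), and the admin vhost reads its cert from CERT_DIR.
set -eu

ADMIN_PORT=${ADMIN_PORT:-8443}             # assumption: CloudPanel's admin port
CERT_DIR=${CERT_DIR:-/etc/cloudpanel/tls}  # assumption: hypothetical path, adjust

# Step 1: deny inbound by default and open only what this host needs.
# The admin port is limited to ADMIN_CIDR, your management network.
apply_firewall() {
    admin_cidr=$1
    ufw --force reset
    ufw default deny incoming
    ufw default allow outgoing
    ufw allow 22/tcp                      # SSH; narrow to a CIDR where possible
    ufw allow 80/tcp                      # hosted sites
    ufw allow 443/tcp
    ufw allow from "$admin_cidr" to any port "$ADMIN_PORT" proto tcp
    ufw --force enable
    ufw status numbered
}

# Step 2: generate a private key that exists only on this machine, plus a
# self-signed certificate for the admin hostname. For a public hostname prefer
# a CA-issued certificate (e.g. via ACME); the essential point is the unique key.
generate_cert() {
    out_dir=$1
    host=$2
    mkdir -p "$out_dir"
    # -nodes: unencrypted key so nginx can start without a passphrase prompt
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$out_dir/admin.key" -out "$out_dir/admin.crt" \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host"
    chmod 600 "$out_dir/admin.key"
}

# SHA-256 fingerprint of a PEM certificate file: lower-case hex, no colons.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 \
        | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}

# SHA-256 fingerprint of the certificate a live server presents on host:port.
server_fingerprint() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 \
        | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}

# Return 0 if the server on $1 still presents the certificate stored in $2
# (e.g. a copy of the shipped default cert saved before replacement), else 1.
still_default_cert() {
    [ "$(server_fingerprint "$1" "$ADMIN_PORT")" = "$(cert_fingerprint "$2")" ]
}

# Usage (as root on the freshly installed host):
#   sh harden-cloudpanel.sh 203.0.113.0/24 panel.example.com
if [ $# -eq 2 ]; then
    apply_firewall "$1"
    generate_cert "$CERT_DIR" "$2"
    echo "Point the admin vhost at $CERT_DIR/admin.crt and admin.key, reload nginx,"
    echo "then run: still_default_cert <host> <saved-default.crt>  (must return 1)"
fi
```

Save a copy of the shipped certificate before replacing it; `still_default_cert` then gives a yes/no answer from outside the host, which is the same comparison a scanner makes when it counts instances that still use the shared certificate.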
The flaws could also undermine trust in self-hosting, a trend enjoying a burst of popularity driven by growing concern for privacy and data control, customization, and cost savings.