Self-hosted web administration solution CloudPanel was found to have several security issues, including using the same SSL certificate private key across all installations and overwriting a server’s existing firewall rules with weaker default settings.
The vulnerabilities were discovered by Rapid7 researcher Tod Beardsley in November 2022, who reported them to the software vendor MGT-COMMERCE.
At the time of writing, the two issues mentioned above remained unfixed, while the software developer addressed a third security problem concerning the installation script.
Flaws in CloudPanel
The first issue concerns the trustworthiness of the “curl to bash” installation procedure, which downloaded code without any integrity check; the vendor promptly addressed it by publishing a cryptographically secure checksum of the installation script.
The second problem is that the installer resets a server’s pre-existing Uncomplicated Firewall (ufw) rules and replaces them with a far more permissive ruleset.
This means that if an admin had configured their server’s firewall to allow only specific IP addresses to access ports on the server, those rules will have been replaced by the more permissive default ruleset once CloudPanel is installed.
Additionally, the CloudPanel superuser administrator account is left blank after installation, allowing knowledgeable and fast-acting attackers to set their own password and gain control of the system.
Attackers would need to find fresh CloudPanel installations to exploit this problem, which is made possible by the third issue discovered by Rapid7.
CloudPanel’s documentation warns of this issue with the following message:
“For security reasons, access CloudPanel as fast as possible to create the admin user. There is a small time window where bots can create the user. If possible, open port 8443 only for your IP via firewall,” explains CloudPanel in its documentation.
The third flaw, tracked as CVE-2023-0391, is caused by CloudPanel installations using a static SSL certificate, enabling attackers to find CloudPanel instances by searching for the certificate’s thumbprint.
More concerning, because the private key of the SSL certificate shipped with every CloudPanel installation is the same, threat actors could use it to snoop on encrypted HTTPS traffic to CloudPanel servers.
Using the Shodan internet scanning tool, Rapid7 found 5,843 CloudPanel servers using the default certificate, most based in the United States and Germany.
“By chaining together the firewall permissiveness and the reused certificate issues together, an attacker can target and exploit new CloudPanel instances as they are being deployed,” explained Rapid7 Director of Research Tod Beardsley in the Rapid7 report.
“It’s important to note that CloudPanel is touted to be an easy to use interface for basic Linux administration, is targeted at relatively inexperienced users, and much of the documentation presumes an installation procedure live on the routable internet with a fresh VPS instance.”
Self-hosting is going through a trending phase right now, enjoying a burst of popularity fueled by the rising values of privacy and data control, customization, and cost savings.
CloudPanel is featured prominently on the websites of cloud service providers like AWS, Azure, GCP, and Digital Ocean, promoting it as an easy-to-use administration solution for self-hosted Linux servers.
However, as there are no fixes yet for the firewall and SSL certificate problems, users are advised to reconfigure their firewall rules immediately after installing CloudPanel and to generate and install their own SSL certificate.
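As an added example (not code from the article, CloudPanel or Rapid7), the following Python script compares a saved `ufw status` listing taken before installation with one taken afterwards and reports which ports the new ruleset opened to any source, including the port 8443 admin interface the documentation mentions. The two listings are constructed samples in the `ufw status` table format, not output captured from a real CloudPanel install.

```python
import re
from dataclasses import dataclass

# Constructed sample `ufw status` output (illustrative, not captured from CloudPanel).
BEFORE_INSTALL = """Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       203.0.113.10
8443/tcp                   ALLOW       203.0.113.10
"""

AFTER_INSTALL = """Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
8443/tcp                   ALLOW       Anywhere
8443/tcp (v6)              ALLOW       Anywhere (v6)
"""


@dataclass(frozen=True)
class Rule:
    to: str       # destination port/proto, e.g. "8443/tcp"
    action: str   # ALLOW, DENY, REJECT or LIMIT (verbose output appends " IN"/" OUT")
    source: str   # "Anywhere", "Anywhere (v6)" or an address/CIDR


def parse_ufw_status(text: str) -> list[Rule]:
    """Parse the table printed by plain `ufw status` (not the `numbered` variant)."""
    rules = []
    for line in text.splitlines():
        cols = re.split(r"\s{2,}", line.strip())   # columns are separated by 2+ spaces
        if len(cols) != 3 or cols[0] in ("To", "--"):
            continue  # skip the Status line, blank lines and the table header
        rules.append(Rule(*cols))
    return rules


def world_open(rules: list[Rule]) -> set[str]:
    """Destination ports that any source address is allowed to reach."""
    return {r.to for r in rules
            if r.action.startswith("ALLOW") and r.source.startswith("Anywhere")}


def audit_install(before: str, after: str, admin_port: str = "8443/tcp") -> dict:
    """Report what the post-install ruleset exposes that the pre-install one did not."""
    was_open = world_open(parse_ufw_status(before))
    now_open = world_open(parse_ufw_status(after))
    return {"newly_exposed": sorted(now_open - was_open),
            "admin_port_world_open": admin_port in now_open}


if __name__ == "__main__":
    print(audit_install(BEFORE_INSTALL, AFTER_INSTALL))
```

Save `ufw status` output to a file before running the installer and again afterwards, and feed both to `audit_install` to see which allow-from-anywhere rules need to be tightened back to your own addresses.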
Update 3/24 – CloudPanel has sent BleepingComputer the following comment:
First and foremost, we take the security of our users very seriously and continuously work towards improving our product. We are aware of the issues raised in the report and have been actively working on addressing them.
Regarding the installation process and firewall rules, we understand the balance between security and usability. As with any software installation, there is a level of responsibility on the user’s part to ensure their environment is secure. We provide a tutorial on performing a more secure installation and are always open to feedback from our users.
We want to mention that we have not encountered a single instance where the potential vulnerability of creating an admin user during installation has been exploited. Nonetheless, we are committed to improving this aspect of our product to minimize any risk to our users.
Regarding the SSL certificate issue, we provide a self-signed SSL certificate during the installation process. This will ensure the cryptographic security of HTTPS connections and make it more difficult for automated scans to identify CloudPanel instances.
We understand that the Rapid7 report may raise concerns among our users, but we want to ensure they are actively addressing these issues. We appreciate your patience and understanding as we work towards improving CloudPanel’s security.