Attacker Value
Very High
(1 user assessed)
Exploitability
Very High
(1 user assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
2

CVE-2023-35885

Disclosure Date: June 20, 2023
CVE-2023-35885 CVSS v3 Base Score: 9.8
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

CloudPanel 2 before 2.3.1 has insecure file-manager cookie authentication.

Add Assessment

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Easy to weaponizeUnauthenticatedVulnerable in default configuration
Technical Analysis

A significant vulnerability has been detected in CloudPanel. The root cause is attributed to the default secret keys’ usage and the default user being set as “clp”.

Vulnerability Description:

  1. No Session Authentication: CloudPanel’s file manager doesn’t enforce session authentication, resulting in a broken access control mechanism.
  2. Cookie Manipulation: The vulnerability can be exploited when the encrypted value of the cookie named “clp-fm” is set using the default secret key. Upon decryption, this cookie’s value is a serialized string.
  3. PHP Object Injection: Attackers can manipulate this decrypted serialized string to reset the user value to the default “clp”. Combined with PHP Object Injection, this can lead to more severe attacks.
  4. Elevated Access: The vulnerability allows attackers to gain unrestricted access to the file manager, where they can then upload malicious files to the main CloudPanel directory.
  5. Privilege Escalation: The default “clp” user possesses ‘sudo nopasswd’ rights, leading to a potential privilege escalation.

Technical Flow of the attack:

  • The component /home/clp/htdocs/app/files/public/file-manager/backend.php receives the encrypted “clp-fm” cookie value.
  • Post decryption, the value is deserialized. Exploiting this step gives attackers opportunities for post-exploitation, such as Remote Code Execution and Local File Disclosures.
  • The deserialized value is utilized as an object – specifically to pass the ‘user’ value to the variable $user.
  • Authentication to the file manager merely requires the “clp-fm” cookie. Once the decrypted cookie is passed, it provides backend unrestricted access. From here, the attacker can gain “clp” user rights, which essentially means root access.

In conclusion, the use of default configurations, the lack of session authentication, and the capability to inject PHP objects cumulatively pose a severe threat, enabling attackers to gain root access in systems using CloudPanel.

Log in to Add Reply
CVSS V3 Severity and Metrics
Base Score:
9.8 Critical
Impact Score:
5.9
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
n/a
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • mgt-commerce

Products

  • cloudpanel

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis