CVE-2019-18418
📋 TL;DR
CVE-2019-18418 is a critical authentication bypass vulnerability in the ClonOS WEB control panel that allows remote attackers to change any user's password without authenticating. The cause is that the clonos.php endpoint lacks proper session management. All systems running ClonOS WEB control panel 19.09 are affected.
💻 Affected Systems
- ClonOS WEB control panel
📦 What is this software?
Clonos by Clonos
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise where attackers gain administrative access to the control panel, potentially leading to full control of virtual machines, containers, and underlying infrastructure.
Likely Case
Attackers gain administrative access to the ClonOS control panel, allowing them to create/modify/delete virtual machines, containers, and system configurations.
If Mitigated
With proper network segmentation and access controls, impact is limited to the ClonOS management interface only.
🎯 Exploit Status
Exploitation requires sending a simple HTTP POST request to the vulnerable endpoint with minimal technical knowledge.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 19.09
Vendor Advisory: https://github.com/Andhrimnirr/ClonOS-WEB-control-panel-multi-vulnerability
Restart Required: No
Instructions:
1. Upgrade to a version after 19.09.
2. Verify the patch by checking that clonos.php now requires proper authentication.
3. Change all user passwords, as they may have been compromised.
🔧 Temporary Workarounds
Block access to vulnerable endpoint
Use web server configuration or firewall rules to block access to clonos.php.
# For nginx:
location ~ clonos\.php$ {
    deny all;
}
# For Apache:
<Files "clonos.php">
    Require all denied
</Files>
# For iptables (string match only inspects plaintext HTTP on port 80; it does not see TLS traffic):
iptables -A INPUT -p tcp --dport 80 -m string --string "clonos.php" --algo bm -j DROP
Implement reverse proxy with authentication
Place ClonOS behind a reverse proxy that requires authentication before reaching the vulnerable endpoint.
# Example nginx config with basic auth:
location / {
    auth_basic "Restricted";
    auth_basic_user_file /etc/nginx/.htpasswd;
    proxy_pass http://clonos_backend;
}
🧯 If You Can't Patch
- Isolate the ClonOS management interface to a dedicated VLAN with strict access controls
- Implement network-based intrusion detection to monitor for password change attempts on clonos.php
🔍 How to Verify
Check if Vulnerable:
Send a POST request to /clonos.php with password change parameters without authentication. If it succeeds, the system is vulnerable.
Check Version:
Check the ClonOS version in the web interface or configuration files. The exact command depends on installation method.
Verify Fix Applied:
Attempt the same POST request after patching. It should return an authentication error or redirect to login.
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to clonos.php without preceding authentication
- Successful password changes from unauthenticated IP addresses
- Multiple failed login attempts followed by password change requests
Network Indicators:
- Unusual POST requests to clonos.php endpoint
- Traffic patterns showing password change requests without authentication
SIEM Query:
source="web_logs" AND uri="/clonos.php" AND method="POST" AND user="-" AND NOT auth_success="true"
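The same logic as the SIEM query above, applied to web server access logs, as an added example that is not part of the original advisory. It assumes the "combined" log format and that the remote-user field is populated when the reverse-proxy basic auth workaround is in place; the log lines are constructed, not real ClonOS traffic.

```python
import re
from typing import Dict, List

# Apache/nginx "combined" format: ip ident user [time] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (not real ClonOS logs). The third line passed the
# reverse-proxy basic auth, so the user field is populated instead of "-".
SAMPLE_LOGS = """\
203.0.113.5 - - [20/Oct/2019:10:00:01 +0000] "GET /login.php HTTP/1.1" 200 512 "-" "curl/7.64"
203.0.113.5 - - [20/Oct/2019:10:00:02 +0000] "POST /clonos.php?mode=passwd HTTP/1.1" 200 120 "-" "curl/7.64"
198.51.100.7 - admin [20/Oct/2019:10:05:00 +0000] "POST /clonos.php HTTP/1.1" 200 120 "https://clonos.example/" "Mozilla/5.0"
203.0.113.9 - - [20/Oct/2019:10:06:00 +0000] "GET /clonos.php HTTP/1.1" 200 800 "-" "Mozilla/5.0"
"""


def parse_line(line: str) -> Dict[str, str]:
    """Return the named fields of one combined-format line, or {} if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else {}


def unauthenticated_clonos_posts(log_text: str) -> List[Dict[str, str]]:
    """Flag POSTs to /clonos.php (query string ignored) that carry no authenticated user.

    Mirrors the SIEM query: method is POST, uri is /clonos.php, user field is "-".
    """
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue  # unparseable line; count these separately in production
        path = rec["path"].split("?", 1)[0]
        if rec["method"] == "POST" and path == "/clonos.php" and rec["user"] == "-":
            alerts.append({"ip": rec["ip"], "time": rec["time"], "status": rec["status"]})
    return alerts


if __name__ == "__main__":
    for a in unauthenticated_clonos_posts(SAMPLE_LOGS):
        print(f"ALERT unauthenticated POST to clonos.php from {a['ip']} at {a['time']} (HTTP {a['status']})")
```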
🔗 References
- http://packetstormsecurity.com/files/154986/ClonOs-WEB-UI-19.09-Improper-Access-Control.html
- https://github.com/Andhrimnirr/ClonOS-WEB-control-panel-multi-vulnerability