CVE-2021-28379 – This vulnerability in Vesta Control Panel allow... (How to Fix)

Q: What is the severity of CVE-2021-28379?

CVE-2021-28379 has a CVSS score of 8.8 (HIGH). This vulnerability in Vesta Control Panel allows attackers to upload files from different origins due to improper access controls in the upload handler. It affects VestaCP through version 0.9.8-27 and myVesta through 0.9.8-26-39, potentially enabling unauthorized file uploads and subsequent code execution.

📋 TL;DR

This vulnerability in Vesta Control Panel allows attackers to upload files from different origins due to improper access controls in the upload handler. It affects VestaCP through version 0.9.8-27 and myVesta through 0.9.8-26-39, potentially enabling unauthorized file uploads and subsequent code execution.

💻 Affected Systems

Products:

Vesta Control Panel
myVesta

Versions: VestaCP through 0.9.8-27, myVesta through 0.9.8-26-39

Operating Systems: Linux

Default Config Vulnerable: ⚠️ Yes

Notes: Affects all installations with default configurations; requires web interface access.

📦 What is this software?

Myvesta by Myvestacp

View all CVEs affecting Myvesta →

Vesta Control Panel by Vestacp

View all CVEs affecting Vesta Control Panel →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data theft, and lateral movement within the network.

🟠

Likely Case

Unauthorized file upload allowing web shell deployment, defacement, or malware distribution.

🟢

If Mitigated

Limited impact with proper network segmentation and file upload restrictions in place.

🌐 Internet-Facing: HIGH - Directly accessible upload functionality exposed to internet attackers.

🏢 Internal Only: MEDIUM - Still vulnerable to internal threats or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires CSRF or authenticated access; public exploit code exists in Packet Storm references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: VestaCP 0.9.8-28+, myVesta 0.9.8-26-40+

Vendor Advisory: https://github.com/myvesta/vesta/commit/3402071e950e76b79fa8672a1e09b70d3860f355

Restart Required: No

Instructions:

1. Update VestaCP using 'v-update-sys-vesta-all' command. 2. Verify version with 'v-list-sys-vesta'. 3. Apply commit 3402071e950e76b79fa8672a1e09b70d3860f355 if manual patch needed.

🔧 Temporary Workarounds

Restrict Upload Origins

linux

Modify UploadHandler.php to validate request origins

sed -i "s/if(isset(\$_FILES)) {/if(isset(\$_FILES) && \$_SERVER['HTTP_ORIGIN'] === 'expected-origin') {/" /usr/local/vesta/web/upload/UploadHandler.php

Disable Upload Handler

linux

Temporarily disable vulnerable upload endpoint

mv /usr/local/vesta/web/upload/UploadHandler.php /usr/local/vesta/web/upload/UploadHandler.php.disabled

🧯 If You Can't Patch

Implement strict WAF rules to block unauthorized upload requests
Restrict network access to VestaCP web interface using firewall rules

🔍 How to Verify

Check if Vulnerable:

Check if UploadHandler.php exists at /usr/local/vesta/web/upload/ and examine version with 'v-list-sys-vesta'

Check Version:

v-list-sys-vesta

Verify Fix Applied:

Confirm version is 0.9.8-28+ for VestaCP or 0.9.8-26-40+ for myVesta, and check UploadHandler.php for origin validation

📡 Detection & Monitoring

Log Indicators:

Unusual POST requests to /upload/UploadHandler.php
File uploads from unexpected IP addresses or user agents

Network Indicators:

HTTP POST traffic to upload endpoint with suspicious file types
Cross-origin requests to upload handler

SIEM Query:

source="vesta_access.log" AND uri_path="/upload/UploadHandler.php" AND http_method="POST"

📊 Metadata

CVE ID: CVE-2021-28379

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-434

Published: March 15, 2021

Last Updated: November 21, 2024

🔗 References

http://packetstormsecurity.com/files/161836/VestaCP-0.9.8-Cross-Site-Request-Forgery.html Exploit,Third Party Advisory
https://github.com/myvesta/vesta/commit/3402071e950e76b79fa8672a1e09b70d3860f355 Patch,Third Party Advisory
http://packetstormsecurity.com/files/161836/VestaCP-0.9.8-Cross-Site-Request-Forgery.html Exploit,Third Party Advisory
https://github.com/myvesta/vesta/commit/3402071e950e76b79fa8672a1e09b70d3860f355 Patch,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-28379, you might also want to check these: