CVE-2021-30463

7.8 HIGH

📋 TL;DR

CVE-2021-30463 is a local privilege escalation vulnerability in VestaCP that allows attackers to gain admin privileges by exploiting symlink creation and unsafe chmod usage. Attackers can read the RKEY value from user.conf and reset the admin password via a specific URI. This affects VestaCP installations up to version 0.9.8-24.

💻 Affected Systems

Products:
  • VestaCP
Versions: through 0.9.8-24
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations within the affected version range are vulnerable. The vulnerability requires local user access to exploit.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise where attackers gain root/admin access, allowing them to install malware, steal data, or pivot to other systems.

🟠 Likely Case

Attackers gain administrative control of the VestaCP panel, enabling them to modify configurations, access hosted websites, and potentially compromise hosted services.

🟢 If Mitigated

Limited impact with proper access controls, monitoring, and network segmentation preventing lateral movement.

🌐 Internet-Facing: HIGH - VestaCP is typically exposed to the internet for web hosting management, making it directly accessible to attackers.
🏢 Internal Only: MEDIUM - Internal attackers with user access could exploit this to gain administrative privileges within the system.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local user access first. The vulnerability chain involves symlink creation followed by password reset exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.9.8-25 and later

Vendor Advisory: https://vestacp.com/roadmap/#0.9.8-25

Restart Required: No

Instructions:

1. Back up the current configuration.
2. Update VestaCP using the official update script: v-update-sys-vesta-all
3. Verify that the installed version is 0.9.8-25 or higher.

🔧 Temporary Workarounds

Restrict symlink creation (Linux)

Prevent users from creating symlinks to sensitive files:

chmod 750 /usr/local/vesta/data/users
chmod 640 /usr/local/vesta/data/users/*/user.conf

Disable password reset functionality (Linux)

Temporarily disable the vulnerable password reset endpoint:

mv /usr/local/vesta/web/reset /usr/local/vesta/web/reset.disabled

🧯 If You Can't Patch

  • Implement strict file permission controls on /usr/local/vesta/data/users directory
  • Monitor for symlink creation attempts and unauthorized password reset requests

🔍 How to Verify

Check if Vulnerable:

Run v-list-sys-vesta-version and check whether the reported version is 0.9.8-24 or earlier.

Check Version:

v-list-sys-vesta-version

Verify Fix Applied:

Confirm the version is 0.9.8-25 or later:

v-list-sys-vesta-version | grep -E "0\.9\.8-2[5-9]|0\.9\.9"

📡 Detection & Monitoring

Log Indicators:

  • Unusual symlink creation in /usr/local/vesta/data/users/
  • Password reset requests for admin account from non-admin users
  • Failed authentication attempts followed by successful password resets

Network Indicators:

  • HTTP requests to /reset/?action=confirm&user=admin&code= from unexpected sources

SIEM Query:

source="vestacp" AND ((uri_path="/reset/" AND uri_query="action=confirm&user=admin") OR (process="chmod" AND file_path="/usr/local/vesta/data/users/"))
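The two host-side indicators above (admin reset confirmations in the web log, unexpected symlinks under the users directory) as an added example script, not code from the advisory or from VestaCP; the log lines and directory layout are constructed here, and LOG and VESTA_USERS are assumed variable names standing in for the panel's access log and /usr/local/vesta/data/users.

```shell
#!/bin/sh
# Added example, not code from the advisory or from VestaCP: two checks for the
# indicators listed above. The log lines and directory layout are constructed
# here; on a real host point LOG at the panel's web server access log and
# VESTA_USERS (an assumed variable name) at /usr/local/vesta/data/users.

# Count requests that hit the admin password-reset confirmation URI. The code=
# parameter is deliberately not matched, so any token value is caught.
count_admin_reset_hits() {
    grep -E -c '"(GET|POST) /reset/\?[^" ]*action=confirm[^" ]*user=admin' "$1" || true
}

# List symlinks under the VestaCP users directory; a clean install has none.
list_user_symlinks() {
    find "$1" -type l 2>/dev/null
}

# --- constructed demo data --------------------------------------------------
WORK=$(mktemp -d)
LOG="$WORK/access.log"
cat > "$LOG" <<'EOF'
203.0.113.7 - - [10/May/2021:14:02:11 +0000] "GET /login/ HTTP/1.1" 200 512
203.0.113.7 - - [10/May/2021:14:02:35 +0000] "GET /reset/?action=confirm&user=admin&code=EXAMPLECODE HTTP/1.1" 302 0
198.51.100.4 - - [10/May/2021:14:03:01 +0000] "GET /reset/?action=confirm&user=bob&code=EXAMPLECODE HTTP/1.1" 200 420
203.0.113.7 - - [10/May/2021:14:03:12 +0000] "POST /reset/?action=confirm&user=admin&code=EXAMPLECODE HTTP/1.1" 200 420
EOF

VESTA_USERS="$WORK/users"
mkdir -p "$VESTA_USERS/bob"
: > "$VESTA_USERS/bob/user.conf"
touch "$WORK/outside.txt"
ln -s "$WORK/outside.txt" "$VESTA_USERS/bob/user.conf.bak"  # link pointing outside the tree

echo "admin reset confirmations: $(count_admin_reset_hits "$LOG")"
echo "symlinks under users dir:"
list_user_symlinks "$VESTA_USERS"
rm -rf "$WORK"
```

Run it periodically from cron and alert on any non-zero reset count or any symlink listed; a reset for the admin account that was not initiated by an administrator is the event this CVE produces.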
