CVE-2018-1000884
Description
Vesta Control Panel prior to 0.9.8-19 allows unauthenticated attackers to determine password reset codes via a timing side-channel, enabling admin password change.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability resides in the password reset functionality in web/reset/index.php at line 51. The comparison $rkey == $_POST['code'] uses a non-constant-time string comparison, creating a timing discrepancy (CWE-208). All releases prior to 0.9.8-18 (commit f6f6f9cfbbf2979e301956d1c6ab5c44386822c0) are affected. The code path is reachable by any unauthenticated user who can access the password reset endpoint [1].
Exploitation
An unauthenticated attacker with network connectivity can send multiple password reset code guesses and measure response times. By observing timing differences, the attacker can iteratively determine the correct reset code character by character. No prior authentication or user interaction is required. The attack is feasible over the network.
Impact
Successful exploitation allows the attacker to determine the password reset code for any user, including the administrator. With the code, the attacker can change the administrator password and gain full control of the Vesta CP instance, leading to complete compromise of the hosting control panel and its managed services.
Mitigation
The fix was implemented in commit f6f6f9cfbbf2979e301956d1c6ab5c44386822c0, which replaces the vulnerable comparison with hash_equals() for constant-time comparison. This fix is included in release version 0.9.8-19. Users should upgrade to 0.9.8-19 or later. No workaround is available for unpatched versions. The vulnerability is not listed in CISA KEV as of the publication date.
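To make the CWE-208 defect and the hash_equals() fix concrete, here is an added illustration in PHP. It is not Vesta's own code: $storedKey stands in for the server-side reset code the page calls $rkey, $submitted for the value read from $_POST['code'], and the function names and the handler sketch are assumptions chosen for this example.

```php
<?php
// Added illustration (not Vesta's code) of the comparison described above.
// $storedKey plays the role of $rkey; $submitted plays the role of $_POST['code'].

// Vulnerable form: == compares strings byte by byte and returns at the first
// mismatch, so response time depends on how many leading bytes are correct.
function resetCodeMatchesVulnerable(string $storedKey, string $submitted): bool
{
    return $storedKey == $submitted;
}

// Fixed form (what the patch does): hash_equals() takes the same time whether
// the strings differ at the first byte or the last. The known/secret value goes
// first, the user-supplied value second, and both must be strings.
function resetCodeMatchesFixed(string $storedKey, string $submitted): bool
{
    return hash_equals($storedKey, $submitted);
}

// Handler sketch around the comparison (assumed shape, not Vesta's handler).
// Request input is untrusted, so it is coerced to a string before hash_equals().
function handleResetRequest(array $post, string $storedKey): string
{
    $submitted = isset($post['code']) ? (string) $post['code'] : '';
    if ($submitted === '' || !resetCodeMatchesFixed($storedKey, $submitted)) {
        // One message for missing, malformed and wrong codes: nothing extra leaks.
        return 'invalid reset code';
    }
    return 'reset code accepted';
}

// Constructed sample values for a local run; not real reset codes.
$storedKey = bin2hex(random_bytes(16));
var_dump(handleResetRequest(['code' => $storedKey], $storedKey));
var_dump(handleResetRequest(['code' => 'not-the-code'], $storedKey));
```

One caveat worth knowing when applying this fix elsewhere: hash_equals() returns false immediately when the two lengths differ, so it still reveals whether the submitted value has the right length. For a reset code of fixed, known length that is harmless; for secrets of variable length, compare fixed-length digests of both values instead.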
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] github.com/serghey-rodin/vesta/commit/5f68c1b634abec2d5a4f83156bfd223d3a792f77 (MITRE, x_refsource_MISC)
News mentions: 0
No linked articles in our index yet.