CVE-2019-9859

Vulnerability

Vesta Control Panel (VestaCP) versions 0.9.7 through 0.9.8-23 are vulnerable to an authenticated command injection. The platform uses PHP for the frontend and shell scripts for system actions. User input is passed to the exec function, which is intended to be sanitized with PHP's escapeshellarg. However, in several places, such as web/list/dns/index.php, the code wraps the result of escapeshellarg in additional single quotes: exec (VESTA_CMD."v-list-dns-records '".$user."' '".escapeshellarg($_GET['domain'])."' 'json'", ...). Because escapeshellarg already encloses the value in single quotes, this produces a double-quoting error that breaks the intended argument boundary, allowing shell metacharacters to be interpreted.

Exploitation

An attacker must have a valid authenticated session in VestaCP. By supplying a crafted domain parameter containing spaces and shell metacharacters (e.g., a single quote to close the extra single quote, followed by injected commands), the attacker can break out of the intended argument and execute arbitrary shell commands. No additional privileges beyond a standard user account are required; the shell commands run with the privileges of the web server, which often has full root access via sudo or SUID binaries.

Impact

Successful exploitation allows an authenticated attacker to execute arbitrary operating system commands as root, leading to complete compromise of the server. This includes the ability to read, modify, or delete all data, install backdoors, pivot to other systems, and disrupt service availability.

Mitigation

The vendor released a fixed version on April 15, 2020 [1]. Users should upgrade to the patched release immediately. No workarounds are documented; the only safe mitigation is to apply the update or, if not possible, restrict access to the VestaCP web interface to trusted networks only.