CVE-2021-30462
Description
VestaCP 0.9.8-24 and prior allows admin users to escalate to root via sudo misconfiguration, enabling full system compromise.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
VestaCP through version 0.9.8-24 configures sudo to allow the admin user to run scripts in /usr/local/vesta/bin without requiring a password [1]. This misconfiguration enables any admin to execute arbitrary commands as root by invoking these scripts or placing a malicious script in that directory [1].
Exploitation
An attacker with valid admin panel credentials can first obtain a shell as the admin user, for example by creating a cron job that sends a reverse shell [1]. Once an admin shell is obtained, the attacker can run any script in /usr/local/vesta/bin via sudo without authentication, e.g., sudo /usr/local/vesta/bin/v-change-user-password with crafted arguments to execute arbitrary commands as root [1].
Impact
Successful exploitation grants full root privileges on the server, allowing the attacker to read, modify, or delete any file, install malware, pivot to other systems, and completely compromise the host [1].
Mitigation
No official patch has been released by VestaCP; the vendor stopped responding [1]. The recommended mitigation is to migrate to actively maintained forks such as myVestaCP or HestiaCP, which have patched the vulnerability [1]. Alternatively, administrators can manually edit the sudoers file to require a password for the admin user when running scripts in /usr/local/vesta/bin [1].
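The manual mitigation above is a sudoers edit, so the useful check is whether the passwordless rule is still present. The following audit script is an added example, not VestaCP's own code; the two sudoers fragments it contains are constructed samples of the weak and the corrected rule, and the directory path /usr/local/vesta/bin and user admin are taken from the description above.

```shell
#!/bin/sh
# Constructed sample of the kind of rule the advisory describes: the admin
# user may run anything under /usr/local/vesta/bin as root with no password.
WEAK_SUDOERS='Defaults env_reset
admin ALL=(ALL) NOPASSWD: /usr/local/vesta/bin/*'

# Hardened form of the same rule: the command list is unchanged, but the
# PASSWD tag (sudo's default) makes sudo ask for the admin password.
FIXED_SUDOERS='Defaults env_reset
admin ALL=(ALL) PASSWD: /usr/local/vesta/bin/*'

# audit_vesta_sudoers USER DIR < sudoers-text
# Prints every rule that lets USER run commands under DIR with NOPASSWD.
# Returns 0 if none is found, 1 if at least one is.
# Limitation: only direct user specs are inspected, not Cmnd_Alias, User_Alias
# or %group rules, so a clean result here is not a full sudoers review.
audit_vesta_sudoers() {
    user="$1"
    dir="$2"
    found=$(sed -e 's/#.*$//' \
        | grep -E "^[[:space:]]*${user}[[:space:]]" \
        | grep -E '[[:space:]]NOPASSWD:' \
        | grep -F "$dir" || true)
    if [ -n "$found" ]; then
        printf 'passwordless root rule for %s found:\n%s\n' "$user" "$found"
        return 1
    fi
    printf 'no passwordless rule for %s under %s\n' "$user" "$dir"
    return 0
}

# Stand-alone demonstration: the weak fragment is flagged, the fixed one passes.
printf '%s\n' "$WEAK_SUDOERS"  | audit_vesta_sudoers admin /usr/local/vesta/bin
printf '%s\n' "$FIXED_SUDOERS" | audit_vesta_sudoers admin /usr/local/vesta/bin
```

On a live host, feed the function the concatenated contents of /etc/sudoers and /etc/sudoers.d/* instead of the samples, and validate any edit with visudo -c before logging out of the root session.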
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
VestaCP / VestaCP
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
[1] ssd-disclosure.com/ssd-advisory-vestacp-lpe-vulnerabilities/
News mentions
No linked articles in our index yet.