Recently the DigitalOcean team informed us about a possible vulnerability in the CyberPanel image that was available on the DigitalOcean Marketplace. Upon further investigation, we found that there was an API endpoint used by an attacker to put their SSH key onto the cyberpanel user. That API endpoint requires authentication so they would brute force your credentials.
After the initial incident reports, we started working on a more secure and locked down version of CyberPanel, while we continue to investigate the issue. We take security very seriously, which is why during past few weeks we’ve made some major changes related to security. These changes include:
- Removed the API Endpoint that the attacker used to enter the SSH key.
- API access now needs to be enabled before you can connect to Platform or Third party modules. Later we will add IP based access to API.
- The cyberpanel user is removed from sudo group, and a more secure environment is provided where root escalation is needed.
- We’ve also removed gunicorn as our backend server, and now LSCPD will directly serve CyberPanel.
- Login is disabled for the cyberpanel user with no shell assigned to it.
- /tmp is now mounted with noexec,nosuid,nodev,nofail flags by default.
If you are not on version 1.8.2, it is highly recommended to upgrade as soon as possible to avoid any issues in the future.
Minor features and Bug fixes
Apart from the security updates, we have also added minor features and bug fixes:
- Bug fix, that now allows git private repos to be attached.
- Search websites on List Websites page.
- Major bug fixes to Backup Engine (Remote and Scheduled Backups).
- Rewrite Templates on top of Rewrite Rules Box.
- Random Password Generator.
- Enable/Disable API Access.
The post CyberPanel 1.8.2 Released – Security Release first appeared on CyberPanel.