CVE-2024-54679 - CyberPanel (aka Cyber Panel) Denial of Service
A denial of service (DoS) vulnerability was discovered in CyberPanel that allows any authenticated user to restart the database by sending requests to the /dataBases/restartMySQL endpoint. The vulnerability is in the restartMySQL function in the Cyberpanel/databases/views.py file at line 400, where the action is executed before the user's permissions (ACL) are checked. The function first retrieves the user ID from the session (the authentication check), then calls the restartMySQL method of the mysqlUtilities class, which runs the database restart command (sudo systemctl restart mariadb). Only after this action does it check whether the user is an admin. Because no ACL check precedes the restart, the endpoint is effectively available to any authenticated user. An attacker with a low-privilege account could exploit this by repeatedly sending requests to the endpoint, crashing the database and causing a denial of service.
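As an added illustration, not CyberPanel's own code, the following contrasts the act-then-check ordering described above with the corrected check-then-act ordering. The request class, ACL table, restart stub and call counter are constructed for this example so it runs offline without touching any service.

```python
# Constructed reconstruction of the authorization-ordering bug described in
# CVE-2024-54679: a privileged action runs before the admin check. FakeRequest,
# ACL, restart_calls and restarts_triggered are made up for this example.
from dataclasses import dataclass, field

# Records every simulated "sudo systemctl restart mariadb" so callers can count them.
restart_calls = []

def restart_mysql_command():
    """Stand-in for mysqlUtilities.restartMySQL; no real service is restarted."""
    restart_calls.append("restart mariadb")
    return True

@dataclass
class FakeRequest:
    """Minimal stand-in for a Django request: a session dict holding the user id."""
    session: dict = field(default_factory=dict)

# Constructed ACL table: user 1 is an admin, user 2 is a low-privilege account.
ACL = {1: {"admin": 1}, 2: {"admin": 0}}

def restart_mysql_vulnerable(request):
    """Order of operations as the advisory describes it: act first, check later."""
    user_id = request.session.get("userID")
    if user_id is None:                          # authentication only
        return {"status": 0, "error_message": "Not logged in"}
    restart_mysql_command()                      # side effect has already happened
    if ACL.get(user_id, {}).get("admin") != 1:   # authorization comes too late
        return {"status": 0, "error_message": "Not allowed"}
    return {"status": 1}

def restart_mysql_fixed(request):
    """Hardened order: authenticate, authorize, and only then perform the action."""
    user_id = request.session.get("userID")
    if user_id is None:
        return {"status": 0, "error_message": "Not logged in"}
    if ACL.get(user_id, {}).get("admin") != 1:   # ACL check before any side effect
        return {"status": 0, "error_message": "Not allowed"}
    restart_mysql_command()
    return {"status": 1}

def restarts_triggered(view, user_id, attempts):
    """Call `view` `attempts` times as `user_id`; return how many restarts fired."""
    before = len(restart_calls)
    for _ in range(attempts):
        view(FakeRequest(session={"userID": user_id}))
    return len(restart_calls) - before
```

A regression test for the fix is simply that a non-admin session triggers zero restarts regardless of how many requests it sends, while an admin session still succeeds.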
Affected versions: CyberPanel (aka Cyber Panel) through 2.3.7 and (unpatched) 2.3.8.
- Log in to CyberPanel using a low-privileged user account.
- Send a request to the /dataBases/restartMySQL endpoint to restart the database.
- Configure Burp Suite and send the request to the Intruder tab.
- In Intruder, select Null payloads and run the attack indefinitely.
- Observe that the database has crashed and CyberPanel is unavailable.
Vulnerable code: the mysqlUtilities.restartMySQL method.
- National Vulnerability Database: https://nvd.nist.gov/vuln/detail/CVE-2024-54679
- Patch Commit: https://github.com/usmannasir/cyberpanel/commit/6778ad1eaae41f72365da8fd021f9a60369600dc
Abdul Wassay (hotplugin0x01)