Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Vesta Control Panel Supply-Chain Compromise Vulnerability Allowing DDoS Malware Installation

Vulnerability

A supply-chain compromise vulnerability has been identified in Vesta Control Panel (VestaCP) installations created from a compromised Debian 9 installer between May 31 and June 13, 2018. The vulnerability allowed the installation of a multi-stage DDoS bot called Linux/ChachaDDoS, which leveraged administrative credentials leaked during the installation process. The compromised servers participated in large-scale DDoS attacks, and VestaCP acknowledged the exploitation in the wild in October 2018.

Impact

The vulnerability led to a supply-chain compromise, with new VestaCP installations unknowingly distributing and installing DDoS malware. The compromised servers were observed participating in large-scale DDoS activities.

Reproduction

The vulnerability can be reproduced by installing Vesta Control Panel from the compromised Debian 9 installer available during the affected period. The installation process inadvertently includes malicious code that exploits the server's resources for DDoS attacks.

Remediation

VestaCP has released a patch for this vulnerability. Users are advised to update their VestaCP installation and change the admin password.
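A triage check for the exposure condition described above, added here as an example (it is not code from VestaCP or from this advisory): it flags hosts whose VestaCP install falls inside the affected period on Debian 9. The inventory records, the function names, the one-day "review" margin around the period, and treating timestamps without a zone as UTC are assumptions.

```python
from datetime import date, datetime, timedelta, timezone

# Affected period from the advisory, treated as inclusive on both ends.
WINDOW_START, WINDOW_END = date(2018, 5, 31), date(2018, 6, 13)
MARGIN = timedelta(days=1)  # assumption: advisory dates carry no time zone


def classify(debian_version, installed_at):
    """Return 'exposed', 'review' or 'outside' for one VestaCP host.

    debian_version: contents of /etc/debian_version (e.g. "9.4") or None.
    installed_at:   ISO 8601 install time from your records, or None.
    """
    if not debian_version or not installed_at:
        return "review"  # missing evidence is not a clean result
    if debian_version.split(".")[0] != "9":
        return "outside"  # the advisory names only the Debian 9 installer
    ts = datetime.fromisoformat(installed_at)
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)  # assumption: naive means UTC
    day = ts.astimezone(timezone.utc).date()
    if WINDOW_START <= day <= WINDOW_END:
        return "exposed"
    if WINDOW_START - MARGIN <= day <= WINDOW_END + MARGIN:
        return "review"  # too close to the boundary to rule out
    return "outside"


def triage(inventory):
    """Map each host name to its classification."""
    return {host: classify(ver, when) for host, ver, when in inventory}


# Constructed sample inventory: (host, /etc/debian_version, install time).
INVENTORY = [
    ("web01", "9.4", "2018-06-02T10:15:00+00:00"),
    ("web02", "9.4", "2018-05-30T23:30:00-05:00"),  # May 31 in UTC
    ("web03", "8.10", "2018-06-05T08:00:00+00:00"),
    ("web04", "9.5", "2018-06-14T06:00:00+00:00"),
    ("web05", "9.9", None),
    ("web06", "9.3", "2018-03-01T12:00:00"),
]

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts classified as exposed are the ones to take through the Remediation steps first; hosts marked review need their install date confirmed from another record before they are cleared.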

Added: Oct 15, 2025, 2:23 AM
Updated: Oct 15, 2025, 2:23 AM

Vulnerability Rating

Custom Algorithm

spread: 5.0
impact: 4.2
exploitability: 8.1
remediation: 8.3
relevance: 0.7
threat: 8.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.