HestiaCP Deserialization Vulnerability in Web Terminal Component Allowing Unauthenticated Remote Code Execution

Vulnerability

A deserialization vulnerability has been identified in HestiaCP versions 1.9.0 through 1.9.4, specifically within the web terminal component. This vulnerability arises from a session format mismatch between PHP and Node.js, allowing unauthenticated remote attackers to execute code with root privileges. Exploitation involves injecting crafted data into HTTP headers, which are processed by the PHP session handler but incorrectly deserialized by the Node.js web terminal component as trusted session values. This misalignment enables arbitrary command execution on systems with the web terminal feature enabled.

Impact

Exploitation of this vulnerability leads to unauthorized remote code execution with root privileges on the affected system.

Reproduction

The vulnerability can be reproduced by sending an HTTP request to a HestiaCP server with the 'X-Forwarded-For' header containing a crafted payload that exploits the session deserialization mismatch. The Node.js web terminal must be enabled on the server. Once the payload is injected, the web terminal can be accessed, and the injected command will be executed with root privileges.

Remediation

Users are advised to disable the web terminal feature immediately and to restrict access to the control panel's web interface port (8083) to trusted IP addresses. Both the web terminal deserialization vulnerability and the X-Forwarded-For IP spoofing issue have been fixed in the main branch of the HestiaCP repository, but users will need to build from source to apply the patch.
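As an added detection example (not HestiaCP's own code): a small log scanner that flags control-panel requests whose X-Forwarded-For header carries anything other than a list of IP addresses, which is the only content that header should ever hold. The log line format, the LOG_RE pattern and the sample lines are constructed assumptions; adapt LOG_RE to a web server log_format that records the X-Forwarded-For value.

```python
"""Flag HestiaCP web-interface requests whose X-Forwarded-For header is not a
plain list of IP addresses. Added example, not part of HestiaCP."""
import ipaddress
import re
from typing import Iterable, List, Tuple

# Assumed (constructed) log format: '<client_ip> <port> "<request>" "<xff_value>"'.
# Real nginx/apache formats differ; adjust LOG_RE to your own log_format.
LOG_RE = re.compile(r'^(?P<client>\S+) (?P<port>\d+) "(?P<req>[^"]*)" "(?P<xff>[^"]*)"$')

CONTROL_PANEL_PORT = 8083  # HestiaCP web interface port named in the advisory


def xff_is_clean(value: str) -> bool:
    """True only when the header is absent/empty or a comma-separated list of IPs."""
    if value in ("", "-"):
        return True
    for part in value.split(","):
        try:
            ipaddress.ip_address(part.strip())  # accepts IPv4 and IPv6 literals
        except ValueError:
            return False  # any non-IP content is suspicious in this header
    return True


def scan(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (client, request, xff) for control-panel requests with a suspicious XFF."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or int(m["port"]) != CONTROL_PANEL_PORT:
            continue  # unparsable line, or traffic that never reaches the panel
        if not xff_is_clean(m["xff"]):
            hits.append((m["client"], m["req"], m["xff"]))
    return hits


# Constructed sample lines: two benign panel requests, one with non-IP content
# in X-Forwarded-For, and one non-panel request that is ignored.
SAMPLE_LOG = [
    '203.0.113.7 8083 "GET /login/ HTTP/1.1" "-"',
    '198.51.100.2 8083 "GET /list/web/ HTTP/1.1" "10.0.0.5, 2001:db8::9"',
    '203.0.113.7 8083 "GET /login/ HTTP/1.1" "203.0.113.7, name=value"',
    '192.0.2.44 80 "GET / HTTP/1.1" "junk header"',
]

if __name__ == "__main__":
    for client, req, xff in scan(SAMPLE_LOG):
        print(f"suspicious X-Forwarded-For from {client}: {req!r} -> {xff!r}")
```

Proxies that insert the literal "unknown" will also be flagged; whitelist that token explicitly if your upstream proxy does so.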

Added: May 19, 2026, 2:56 PM
Updated: May 19, 2026, 2:56 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 7.5
exploitability: 6.3
remediation: 8.3
relevance: 8.8
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.