HestiaCP IP Spoofing Vulnerability Bypasses Authentication Controls

Vulnerability

An IP spoofing vulnerability has been identified in HestiaCP versions 1.2.0 through 1.9.4. This vulnerability allows unauthenticated remote attackers to bypass authentication security measures by injecting arbitrary IP addresses into the CF-Connecting-IP HTTP header. The issue arises because the application trusts the header without verifying that the request actually originated from Cloudflare's network. Because each request can claim a different, trusted-looking source address, exploitation can circumvent fail2ban's brute-force protection, bypass per-user IP allowlists, and corrupt authentication audit logs.

Impact

Exploitation of this vulnerability can lead to successful authentication bypass, allowing attackers to impersonate users and gain unauthorized access to the application.

Reproduction

To reproduce this vulnerability, send a request to the HestiaCP server on port 8083 with a spoofed CF-Connecting-IP header. The server will accept the injected IP address without verification, bypassing authentication controls and allowing access to protected resources.

Remediation

Users are advised to update to the latest version of HestiaCP, where this vulnerability has been fixed. As an immediate measure, restrict access to port 8083 to trusted IP ranges at the firewall level.
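The root cause described above (honouring CF-Connecting-IP from any peer) and the remediation can be illustrated with the following check. This is an added example and not HestiaCP's own code or its fix: it only uses CF-Connecting-IP when the TCP peer address falls inside a trusted proxy range, falls back to the socket address otherwise, and records both addresses so an audit log shows spoof attempts. The two CIDR entries are an illustrative subset of Cloudflare's published list; a real deployment would load the full current list.

```python
import ipaddress
from typing import Mapping

# Illustrative subset of Cloudflare's published ranges (https://www.cloudflare.com/ips-v4).
# Assumption for this demo only; load the complete, current list in production.
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in ("173.245.48.0/20", "104.16.0.0/13")]


def is_trusted_proxy(peer_ip: str, trusted=CLOUDFLARE_RANGES) -> bool:
    """True if the TCP peer belongs to a network whose forwarding headers we accept."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in trusted)


def resolve_client_ip(peer_ip: str, headers: Mapping[str, str], trusted=CLOUDFLARE_RANGES) -> dict:
    """Pick the address that login checks, allowlists, fail2ban and audit logs should use.

    peer_ip is the socket's remote address (REMOTE_ADDR), which cannot be forged at the
    HTTP layer; headers is the request header map. Only CF-Connecting-IP is consulted.
    """
    hdr = {k.lower(): v for k, v in headers.items()}.get("cf-connecting-ip")
    result = {"client_ip": peer_ip, "via_cloudflare": False, "spoof_attempt": False}
    if hdr is None:
        return result  # no proxy header: the peer is the client
    if not is_trusted_proxy(peer_ip, trusted):
        # Header present but the peer is not Cloudflare: ignore it and flag for detection.
        result["spoof_attempt"] = True
        return result
    try:
        result["client_ip"] = str(ipaddress.ip_address(hdr.strip()))
        result["via_cloudflare"] = True
    except ValueError:
        # Malformed value even from a trusted proxy: keep the peer address, flag it.
        result["spoof_attempt"] = True
    return result


def audit_line(peer_ip: str, headers: Mapping[str, str], user: str, trusted=CLOUDFLARE_RANGES) -> str:
    """Log both the resolved client and the raw peer so a spoofed header is visible later."""
    r = resolve_client_ip(peer_ip, headers, trusted)
    flag = " SPOOF-SUSPECT" if r["spoof_attempt"] else ""
    return f"login user={user} client={r['client_ip']} peer={peer_ip}{flag}"


if __name__ == "__main__":
    # Constructed sample: a non-Cloudflare peer (TEST-NET-2) sending a forged header.
    print(audit_line("198.51.100.7", {"CF-Connecting-IP": "203.0.113.5"}, "admin"))
```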

Added: May 19, 2026, 3:28 PM
Updated: May 19, 2026, 3:28 PM

Vulnerability Rating (custom algorithm)

spread:          3.1
impact:          1.3
exploitability:  8.4
remediation:     8.3
relevance:       8.8
threat:          4.8
urgency:         2.9
incentive:       4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.