CloudPanel installations use the same SSL certificate private key
Self-hosted web administration solution CloudPanel was found to have several security issues, including using the same SSL certificate private key across all installations and unintentionally overwriting firewall rules with weaker default settings.
Attackers would need to find freshly installed CloudPanel instances to exploit this problem, which is made possible by the third issue discovered by Rapid7.
"For security reasons, access CloudPanel as fast as possible to create the admin user. There is a small time window where bots can create the user. If possible, open port 8443 only for your IP via firewall," explains CloudPanel in their installation documentation.
The third flaw is tracked as CVE-2023-0391 and is caused by CloudPanel installations shipping with a static SSL certificate, enabling attackers to find CloudPanel instances using the certificate's thumbprint.
More concerning, because the private key of the SSL certificate shipped with CloudPanel is identical on every installation, it could allow threat actors to snoop on encrypted HTTPS traffic to CloudPanel servers.
As there are no fixes for the firewall and SSL certificate problems, users are advised to immediately reconfigure their firewall rules after installing CloudPanel, and generate and install their own SSL certificate.
Related Vulnerability
Date | CVE | Vulnerability title | Risk
---|---|---|---
2023-03-21 | CVE-2023-0391 | Use of Hard-coded Credentials vulnerability in Mgt-Commerce Cloudpanel: MGT-COMMERCE CloudPanel ships with a static SSL certificate to encrypt communications to the administrative interface, shared across every installation of CloudPanel. | 8.1