SolusVM is a popular virtualization management solution used by many VPS providers. It's a familiar control panel for end users, who use it to set up their VPSes. Most providers offer templates, which are pre-configured Linux systems based on the most common distros – CentOS, Debian, Ubuntu, Arch, etc.
These templates are provided by SolusVM. Unfortunately, one of the most popular templates (Debian 10) has been found to have a serious security vulnerability. If you set up your VPS using the Debian 10 template, you need to take action.
What’s the Issue?
The SolusVM-provided Debian 10 template contains a user called "debianuser". This user may still exist after setup, in which case an outsider who knows its password could potentially log in to your VM.
Am I Vulnerable?
You may be if both these things are true:
- You installed Debian 10
- You installed it from a SolusVM-provided template
Contact your provider and ask about your situation. Several prominent providers have already sent out warning emails.
Any Other Details?
It appears that a hacker would need to authenticate as debianuser using a password. If you have disabled password authentication (i.e., you're only allowing ssh key authentication) you should be safe from this particular avenue. But that is only true if you made the change very soon after install; otherwise you don't know what happened before you made it.
How Do I Fix This?
Unfortunately, the only way to truly fix it is to reinstall your VPS, either from ISO or from a template your provider has confirmed no longer carries the account.
I Installed Debian 10 From ISO – Am I Vulnerable?
No.
What Are Signs of Compromise?
This vulnerability has been associated with the CryptoNight miner. If you see a process called 'cnrig' on your system, you have definitely been compromised. The reverse does not hold: not seeing cnrig proves nothing, since a miner is just one thing an attacker might have done with the access. It's also worth pointing out that a sophisticated hacker could replace the tools you use (ps, grep, etc.) to see if that process is running with compromised versions that don't allow you to see it.
You can also see if the debianuser user account exists. If it does, grep prints its passwd entry:
# grep debianuser /etc/passwd
debianuser:x:1000:1000:DebianUser,,,:/home/debianuser:/bin/bash
I'm Too Busy Getting Ready to Play in the SuperBowl to Reinstall Right Now – Anything I Can Do in the Meantime?
You can delete the debianuser account along with its home directory (userdel -r debianuser) and turn off password authentication (set PasswordAuthentication no in /etc/ssh/sshd_config, then reload sshd). Also, if you see any process called 'cnrig' you should kill it.
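The following script is an added example, not code from the original post or from SolusVM; it pulls the checks from the "Signs of Compromise" section and the stop-gap steps above into one audit. It reads /etc/passwd with shell builtins and walks /proc/<pid>/comm directly instead of calling ps or grep, so a trojaned ps or grep binary cannot hide cnrig (a kernel-level rootkit still could). It also parses sshd_config for PasswordAuthentication; the file paths are parameters so the same functions can be run against copies. The file name debian10-audit.sh is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post or from SolusVM): audit a VPS built
# from the SolusVM Debian 10 template for the three things the post describes:
# the leftover "debianuser" account, a running "cnrig" miner, and whether sshd
# still accepts passwords. Path arguments default to the live system so the
# same functions can be exercised against copies.

# 1. Is the leftover account still present? Parsed with shell builtins only,
#    so a replaced grep binary cannot lie about it.
has_debianuser() {
    passwd_file="${1:-/etc/passwd}"
    while IFS=: read -r name _rest || [ -n "$name" ]; do
        [ "$name" = "debianuser" ] && return 0
    done < "$passwd_file"
    return 1
}

# 2. Is a process named cnrig running? Walks /proc/<pid>/comm instead of
#    calling ps, so trojaned userland tools cannot hide it (a kernel rootkit
#    still could; this only defeats replaced binaries). Prints matching PIDs.
find_cnrig() {
    proc_root="${1:-/proc}"
    found=""
    for comm in "$proc_root"/[0-9]*/comm; do
        [ -r "$comm" ] || continue
        if [ "$(cat "$comm" 2>/dev/null)" = "cnrig" ]; then
            pid="${comm%/comm}"
            pid="${pid##*/}"
            found="$found $pid"
        fi
    done
    echo "${found# }"
    [ -n "$found" ]
}

# 3. Does sshd still accept passwords? sshd defaults to "yes" when the option
#    is absent, and the first non-comment occurrence wins. Per-user Match
#    blocks are not evaluated here; on a live box `sshd -T` (as root) prints
#    the effective value and is the authoritative check.
password_auth_enabled() {
    config="${1:-/etc/ssh/sshd_config}"
    while read -r key value _rest || [ -n "$key" ]; do
        case "$key" in
            ''|'#'*) continue ;;
        esac
        lkey=$(printf '%s' "$key" | tr '[:upper:]' '[:lower:]')
        [ "$lkey" = "match" ] && break
        if [ "$lkey" = "passwordauthentication" ]; then
            lval=$(printf '%s' "$value" | tr '[:upper:]' '[:lower:]')
            [ "$lval" = "yes" ]
            return $?
        fi
    done < "$config"
    return 0   # option absent: sshd defaults to password auth enabled
}

# Run all three checks and print the stop-gap the post recommends for each
# finding. Returns 0 when nothing was found, 1 otherwise.
audit() {
    passwd_file="${1:-/etc/passwd}"
    proc_root="${2:-/proc}"
    sshd_conf="${3:-/etc/ssh/sshd_config}"
    status=0
    if has_debianuser "$passwd_file"; then
        echo "WARN: debianuser account present -> userdel -r debianuser (and reinstall when you can)"
        status=1
    fi
    pids=$(find_cnrig "$proc_root") && {
        echo "ALERT: cnrig miner running (pid(s) $pids) -> kill -9 $pids; assume the box is compromised"
        status=1
    }
    if password_auth_enabled "$sshd_conf"; then
        echo "WARN: sshd accepts passwords -> set 'PasswordAuthentication no', then: systemctl reload ssh"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: no debianuser account, no cnrig process, password auth disabled"
    return "$status"
}

# Audit the live system when run directly:  sudo sh debian10-audit.sh
case "$0" in
    *debian10-audit.sh) audit; exit $? ;;
esac
```

Run it as root so /proc/<pid>/comm of every process is readable; a clean result means only that these three specific indicators are absent, not that the box is clean.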
But to emphasize: once a hacker's been on your box, you have no way of knowing what he's done or what the state of your system is. Deleting the account and killing the miner closes the door; it doesn't undo anything left behind.
Can’t I Just Install a Patch?
Unlike a software vulnerability, this is more of an administrative (configuration) vulnerability. There is nothing wrong with the software on your system. SolusVM just forgot to delete an account from the template. This can't be patched away.
Your provider should replace their template, but that will only help future installs.
How Long Has This Exploit Been in the Wild?
At least since October 2020, if not earlier.
Where Can I Learn More?
You can read the relevant thread on LowEndTalk.