LowEndBox - Cheap VPS, Hosting and Dedicated Server Deals

Vulnerability in Debian 10 SolusVM Templates – You Need to Take Action

Tags: , , , Date/Time: February 3, 2021 @ 4:51 pm, by raindog308

SolusVM is a popular virtualization management solution used by many VPS providers.  It’s a familiar control panel for end users, who use it to setup their VPSes.  Most providers offer templates, which are pre-configured Linux systems based on the most common distros – CentOS, Debian, Ubuntu, Arch, etc.

These templates are provided by SolusVM.  Unfortunately, one of the most popular template (Debian 10) has been found to have a serious security vulnerability.  If you setup your VPS using the Debian 10 template, you need to take action.

What’s the Issue?

The SolusVM-provided Debian 10 template contains a user called “debianuser”.  This user may still exist after setup, in which an outsider could potentially access your VM.

Am I Vulnerable?

You may be if both these things are true:

  • You installed Debian 10
  • You installed it from a SolusVM-provided template

Contact your provider and ask about your situation.  Several prominent providers have already sent out warning emails.

Any Other Details?

It appears that a hacker would need to authenticate as debianuser using a password.  If you have disabled password authentication (i.e., you’re only allowing ssh key authentication) you should be safe.  But it’s something you would have had to do very soon after install, otherwise you don’t know what happened before you made that change.

How Do I Fix This?

Unfortunately, the only way to truly fix it is to reinstall your VPS.

I Installed Debian 10 From ISO – Am I Vulnerable?

No.

What Are Signs of Compromise?

This vulnerability has been associated with the CrytoNight miner.  If you see a process called ‘cnrig’ on your system, you have definitely been compromised.  However, it’s worth pointing out that a sophisticated hacker could replace the tools you use (ps, grep, etc.) to see if that process is running with compromised versions that don’t allow you to see it.

You can also see if the debianuser user account exists:

# grep debianuser /etc/passwd
debianuser:x:1000:1000:DebianUser,,,:/home/debianuser:/bin/bash

I’m Too Busy Getting Ready to Play in the SuperBowl to Reinstall Right Now – Anything I Can in the Meantime?

You can delete the debianuser account (userdel debianuser) and turn off password authentication (start here).  Also, if you see any process called ‘cnrig’ you should kill it.

But to emphasize: once a hacker’s been on your box, you have no way of knowing what he’s done or what the state of your system is.

Can’t I Just Install a Patch?

Unlike a software vulnerability, this is more of an administrative vulnerability.  There is nothing wrong with the software on your system.  SolusVM just forgot to delete an account.  This can’t be patched away.

Your provider should replace their template, but that will only help future installs.

How Long Has This Exploit Been in the Wild?

At least since October 2020, if not earlier.

Where Can I Learn More?

You can read the relevant thread on LowEndTalk

 

 

I'm Andrew, techno polymath and long-time LowEndTalk community Moderator. My technical interests include all things Unix, perl, python, shell scripting, and relational database systems. I enjoy writing technical articles here on LowEndBox to help people get more out of their VPSes.

No Comments

    Leave a Reply

    Some notes on commenting on LowEndBox:

    • Do not use LowEndBox for support issues. Go to your hosting provider and issue a ticket there. Coming here saying "my VPS is down, what do I do?!" will only have your comments removed.
    • Akismet is used for spam detection. Some comments may be held temporarily for manual approval.
    • Use <pre>...</pre> to quote the output from your terminal/console, or consider using a pastebin service.

    Your email address will not be published. Required fields are marked *