Back nearly a month ago, we shared a story about how OuiHeberg, a hosting provider, had disclosed a breach to its members. You can read their email to their users in the LowEndTalk thread.
This promised to be a pretty hot thread. To refresh your memory, @virtualizor commented:
We would just like to add that this security breach is not caused by Virtualizor as per the details shared by the Ouiheberg team.
Our internal teams have successfully reproduced the attack by executing a payload via their WHMCS add-on in communication with their API. Virtualizor denies this attack vector and has asked us to deny it as well to avoid “damaging” their brand image. The result is that the attacker did indeed go through Virtualizor via the WHMCS add-on.
And then promised:
We will communicate exactly how to exploit the vulnerability to Virtualizor in a video so that they can ‘try’ to patch this type of attack.
All right, get out your popcorn, kids!
Er…
Well, sorry if your popcorn got cold. Because as of this writing, OuiHeberg has never shared any proof of this Virtualizor bug.
Virtualizor followed up in the thread:
When we first posted that the attack was not carried out via Virtualizor, we had already been in communication with @ouiheberg. We were unable to reproduce the claimed attack scenario. We requested further data, but received no reply from @ouiheberg for two days, even after a follow-up. Consequently, we posted that the claim of the attack being conducted via Virtualizor could not be substantiated at that time.
Following our post, we are still awaiting the attack video that @ouiheberg is expected to share. If a genuine Proof-of-Concept (POC) existed, we would have issued a patch by now.
We had verified what was given and could not reproduce it, as it was not a full POC or substantive proof. And after the passage of time and no response, we had to make the post stating the fact that, for the current details provided by the OuiHeberg team, this was not a Virtualizor exploit. We still await further details from the OuiHeberg team.
We routinely audit Virtualizor for security flaws, so this is news to us.
The individual who contacted Virtualizor claimed to have a working exploit related to a module for a popular billing platform, but offered no factual information or proof-of-concept. They referenced specific lines of code that make no sense in terms of being exploitable in real-world scenarios, nor do they represent any meaningful attack vector from what we can see…
As of November 18, Virtualizor was still waiting:
Update: We have not yet received any further details / PoC / substantive proof of Virtualizor being vulnerable.
Five days later, they repeated their status:
Update: Multiple reminders have been sent to @ouiheberg. We have not yet received any further details / PoC / substantive proof of Virtualizor being vulnerable.
And there it stands.
I can certainly understand that OuiHeberg’s priority was to fix their environment and take care of their customers. But going on a month, you’d think they’d have had time to put together a brief explanation of what happened, especially since they called Virtualizor out in public.
Given that there’s been plenty of time to document the bug (never mind making a video, just a brief description of the problem), I think we have to conclude that Virtualizor was not at fault here.
So…what was?