Huge Security Hole in ZPanel 10.1

By Sergey, posted on Monday, October 6, 2014

When it comes to managing a VPS, many of our customers would prefer to install some kind of control panel rather than do it all themselves from the command line. ZPanel is perhaps the most popular choice for this. We even offered ZPanel 10.1 as a pre-made image -- it was a very recent version (10.1.1 is the most recent at the time of writing), and there are no published security announcements relating to it.

We thought it was safe.

Imagine our surprise when, over the course of a weekend, numerous chunks were simultaneously rooted and turned into DDoS zombies! It didn't take us long to realize that they were all running ZPanel, and most were running the "safe" version we offered.

More googling eventually dragged up this blog post in Spanish, written by the security researcher who discovered the problem, where he explains how it works. We also found a blackhat exploit salesman trying to sell it for $400. Oops!

According to the security researcher, he discovered this unauthenticated remote root exploit in ZPanel 10.1 back in February 2014 and reported it to the ZPanel developers. They released 10.1.1 a month later, and made no announcements of any kind about the problem -- no security alerts, no changelogs, nothing! So, many people kept on using 10.1 and thinking they were safe.

Now that we've got our own house cleaned up, we'd like the rest of the world to know about this. We no longer recommend ZPanel for our customers, but if you want to use it, you should upgrade early and upgrade often!