1. Introduction
SolusVM Detection identifies instances of the Solus Virtual Manager control panel running on a web server. This is a virtual server management system, often used by hosting providers to allow customers to manage their own virtual machines. Knowing this software is present helps with asset inventory and risk assessment as it represents a potential attack surface. A successful exploit could lead to compromise of the entire SolusVM installation and potentially all hosted virtual servers, impacting confidentiality, integrity, and availability.
2. Technical Explanation
SolusVM is a PHP-based web application used for managing KVM based virtual machines. The vulnerability isn’t a specific flaw but the presence of the software itself which presents an attack surface. Attackers will scan for exposed SolusVM instances to attempt exploitation, often through known vulnerabilities in older versions or default configurations. A typical attack involves exploiting PHP code execution flaws within the web interface to gain control of the server.
- Root cause: The presence of a publicly accessible web application with a history of security issues.
- Exploit mechanism: An attacker could attempt to exploit vulnerabilities in the SolusVM PHP code via crafted HTTP requests, potentially leading to remote command execution. For example, an older version might be vulnerable to SQL injection through its login form.
- Scope: Affected platforms are servers running SolusVM, typically Linux distributions used for hosting virtual machines. Specific versions depend on the deployment but any publicly accessible instance is in scope.
3. Detection and Assessment
Confirming a system runs SolusVM can be done quickly through banner grabbing or by examining web server responses. A more thorough assessment involves checking specific files and directories associated with the software.
- Quick checks: Use
curl -Iand look for headers identifying PHP or SolusVM in the response. - Scanning: Nessus plugin ID 16283 can detect SolusVM installations, but results should be verified manually.
- Logs and evidence: Web server access logs may show requests to paths like /admin/ or /vps/. Check for unusual activity related to these directories.
curl -I http://your_target_ip
4. Solution / Remediation Steps
The primary solution is to secure the SolusVM installation, limit access, or remove it if no longer needed. These steps aim to reduce exposure and potential impact.
4.1 Preparation
- Dependencies: Ensure you have access to the server’s command line and appropriate permissions. A roll back plan involves restoring the backed-up database and configuration, then restarting the web server.
- A change window may be needed for significant updates or restarts. Approval from the system owner is recommended.
4.2 Implementation
- Step 1: Restrict access to the SolusVM web interface using firewall rules, allowing only trusted IP addresses.
- Step 2: Update SolusVM to the latest version if possible. Check https://solusvm.com/ for available updates.
- Step 3: Implement strong password policies and multi-factor authentication for all SolusVM administrator accounts.
4.3 Config or Code Example
Before
# Apache configuration allowing access from any IP address
Allow from all
After
# Apache configuration restricting access to trusted IPs only
Allow from 192.168.1.0/24
Allow from 10.0.0.0/24
Deny from all
4.4 Security Practices Relevant to This Vulnerability
Several security practices can mitigate the risks associated with running a web application like SolusVM. Least privilege limits damage, input validation prevents attacks, and regular patching keeps software secure.
- Practice 1: Implement least privilege access control, limiting user permissions within SolusVM to only what is necessary.
- Practice 2: Enforce input validation on all web application forms to prevent injection attacks.
4.5 Automation (Optional)
# Example Bash script to update firewall rules using iptables (use with caution!)
#!/bin/bash
iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -j DROP # Drop all other incoming connections
service iptables save
5. Verification / Validation
Confirm the fix by checking firewall rules and verifying access is restricted to authorized IPs. Re-test using the earlier detection methods to ensure SolusVM is no longer publicly accessible.
- Post-fix check: Use
iptables -Lto confirm the new firewall rules are in place, blocking unwanted traffic. - Re-test: Run
curl -Ifrom an unauthorized IP address and verify a connection timeout or error message is received. - Smoke test: Verify that authorized users can still log into SolusVM and manage their virtual machines.
- Monitoring: Monitor web server logs for blocked requests originating from untrusted IPs.
iptables -L
6. Preventive Measures and Monitoring
Regular security baselines, CI/CD pipeline checks, and a robust patch management process are key to preventing similar issues. For example, regularly update your server’s operating system and web application software.
- Baselines: Update security baselines to include firewall rules restricting access to sensitive applications like SolusVM.
- Pipelines: Add static code analysis (SAST) checks in CI/CD pipelines to identify potential vulnerabilities in web application code.
- Asset and patch process: Implement a regular patch review cycle for all servers, prioritizing security updates.
7. Risks, Side Effects, and Roll Back
Incorrect firewall rules could block legitimate access. Restoring backups is the primary roll back method.
- Risk or side effect 2: Updating SolusVM could introduce compatibility issues with existing virtual machines. Mitigation: Test updates in a non-production environment first.
- Roll back: 1) Restore the backed-up SolusVM database and configuration files. 2) Restart the web server service. 3) Verify access is restored.
8. References and Resources
- Vendor advisory or bulletin: https://solusvm.com/