Vulnerability in SolusVM Debian 10 template - "debianuser" backdoor/default user
This is currently an active topic on the OGF.
HostHatch has already sent out comms regarding this.
Your urgent action is required - please read this in full.
We have detected a security vulnerability in our Debian 10 template and our records indicate that you have installed a VM with this template. If you have since then reinstalled your VM to any template other than Debian 10, or used an ISO to reinstall your VM, you can ignore this email.
If you have multiple VMs, you can check the OS used for your VMs at manage.hosthatch.com. We ask you to reinstall your VM to any template available ASAP; the Debian 10 template has been patched and updated and is safe to use again.
If no action is taken we might have to restrict access to your VM from our end until fixed.
Please contact us at [email protected] if you require any assistance to identify or reinstall VMs.
For security purposes, we cannot disclose further details about the security vulnerability at this point.
How could this happen?
We use SolusVM as our backend virtualization platform; it is a leading provider operated by Plesk. We are using their official templates. Unfortunately, this particular template had an issue which resulted in this security vulnerability. They are aware of the situation.
How was it fixed?
We have patched the template with help from SolusVM and they also helped us to confirm that no other templates are affected.
How will this be prevented in the future?
The current templates have been audited, and for new future templates we will use the official cloud images provided by the different Linux distributions themselves, known as "cloud images". This hasn't been possible in the past due to restrictions in the platform, but we have been working on a new backend for some time, which will support this in time for future Linux distributions and their images.
For customers that require full control of exactly how their VM is installed, we recommend using an ISO to install it manually.
We are truly sorry for the inconvenience and we will continue to monitor this and reach out again if necessary.
So if you've acquired your templates from Solus, please investigate in your respective environments.
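One way to start that investigation on a VM built from a template, as an added example that is not part of the original post or the HostHatch notice: list every account that has both a usable password and a login shell, and flag the name from the thread title. The function name, flag labels and sample files are constructed for illustration; the only detail taken from the page is the account name "debianuser".

```sh
#!/bin/sh
# Added example (not from the original post): list accounts that can log in
# with a password and flag the account named in the thread title.
SUSPECT_USER="debianuser"   # name taken from the thread title

# audit_accounts [PASSWD_FILE] [SHADOW_FILE]  (defaults: the live system, needs root)
# Output per account: <FLAG> <user> uid=<uid> shell=<shell> pw=<HASH|EMPTY>
audit_accounts() {
    awk -F: -v suspect="$SUSPECT_USER" '
        # First file (shadow): record users whose password field is usable.
        # "" = no password needed; a leading "!" or "*" = locked / no password.
        FILENAME == ARGV[1] {
            if ($2 == "")           state[$1] = "EMPTY"
            else if ($2 !~ /^[!*]/) state[$1] = "HASH"
            next
        }
        # Second file (passwd): drop accounts without a usable password or shell.
        !($1 in state)          { next }
        $7 ~ /(nologin|false)$/ { next }
        {
            flag = "REVIEW"
            if ($3 == 0 && $1 != "root") flag = "ROOT-UID"
            if ($1 == suspect)           flag = "SUSPECT"
            printf "%s %s uid=%s shell=%s pw=%s\n", flag, $1, $3, $7, state[$1]
        }
    ' "${2:-/etc/shadow}" "${1:-/etc/passwd}"
}

# Constructed sample files (not real hashes) so the check can be tried offline.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
admin:x:1000:1000:,,,:/home/admin:/bin/bash
debianuser:x:1001:1001:,,,:/home/debianuser:/bin/bash
EOF
cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:$6$CONSTRUCTED$roothash:18500:0:99999:7:::
daemon:*:18500:0:99999:7:::
admin:!:18500:0:99999:7:::
debianuser:$6$CONSTRUCTED$userhash:18500:0:99999:7:::
EOF

audit_accounts "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/shadow"
# On a real VM, as root: audit_accounts
```

This covers password logins only: an account whose password is locked can still accept SSH keys, so any account you do not recognise deserves a look at its `authorized_keys` as well.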