Linux Control Panel CWP Found Vulnerable to Code Execution with Root Permissions, Patch Available Now


Two security vulnerabilities affecting the Control Web Panel (CWP) software have been discovered and announced that allow an unauthenticated attacker to perform remote code execution (RCE) as root on vulnerable Linux servers.

CWP (formerly known as CentOS Web Panel) is a free Linux control panel for managing dedicated web hosting servers and virtual private servers.

The two vulnerabilities, discovered by Paulos Yibelo of Octagon Networks, are a file inclusion vulnerability (CVE-2021-45467) and a file write bug (CVE-2021-45466) that, when chained together, allow remote code execution.

For a successful attack, the security protections that prevent an unauthenticated attacker from reaching restricted API sections must first be bypassed.

According to the researchers, this is achieved by registering an API key through the file inclusion vulnerability and then writing a malicious authorized_keys file to the server through the file write vulnerability.

Octagon Networks said that while the file inclusion vulnerability in CVE-2021-45467 has been patched, it has seen “some people reverse the patch and exploit some servers.”

They have stated that they will release a proof-of-concept exploit for this RCE chain after a sufficient number of Linux servers running CWP have been upgraded to the latest version.

According to the CWP developers, this software supports CentOS, Rocky Linux, Alma Linux, and Oracle Linux operating systems.

The CWP website states that there are about 30,000 servers running CWP, but about 80,000 CWP servers have been found exposed on the Internet by BinaryEdge.

The researcher who discovered the pre-authentication RCE chain also said that more than 200,000 CWP instances have been found on Shodan and Censys.
