CWP bugs allow code execution as root on Linux servers, patch now
2022-01-24 19:34

Two security vulnerabilities that impact the Control Web Panel software can be chained by unauthenticated attackers to gain remote code execution as root on vulnerable Linux servers.

CWP, previously known as CentOS Web Panel, is a free Linux control panel for managing dedicated web hosting servers and virtual private servers.

Octagon Networks says that, while the CVE-2021-45467 file inclusion vulnerability was patched, they saw how "Some managed to reverse the patch and exploit some servers."

The security researchers also said they would release a proof-of-concept exploit for this pre-auth RCE chain once enough Linux servers running CWP have been upgraded to the latest version.

While the CWP site claims that roughly 30,000 servers are running CWP, BleepingComputer found almost 80,000 Internet-exposed CWP servers on BinaryEdge.


News URL

https://www.bleepingcomputer.com/news/security/cwp-bugs-allow-code-execution-as-root-on-linux-servers-patch-now/

Related Vulnerability

DATE: 2022-12-26
CVE: CVE-2021-45467
VULNERABILITY TITLE: Unspecified vulnerability in Control-Webpanel Webpanel
DESCRIPTION: In CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1107, an unauthenticated attacker can use %00 bytes to cause /user/loader.php to register an arbitrary API key, as demonstrated by a /user/loader.php?api=1&scripts= .%00./.%00./api/account_new_create&acc=guadaapi URI.
ATTACK VECTOR: network
ATTACK COMPLEXITY: low complexity
PRODUCT: control-webpanel
RISK: critical (CVSS 9.8)
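The CVE entry above describes the null-byte (%00) trick against the scripts= parameter of /user/loader.php. As an added, defender-side example (not CWP's code and not from the BleepingComputer article), the following script vets that parameter with a hypothetical allow-list and runs the check over constructed combined-format access-log lines, one of which carries the exact URI quoted in the CVE entry:

```python
import re
from urllib.parse import parse_qs, urlsplit

LOADER_PATH = "/user/loader.php"
# Hypothetical allow-list for the scripts= value: a relative script name with
# no NUL bytes, no '..' segments and no percent-escapes surviving decoding.
SAFE_SCRIPT_RE = re.compile(r"^[A-Za-z0-9_/-]*$")
# Apache/nginx combined-format request line: client IP and the request target.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)

def scripts_param_is_safe(query: str) -> bool:
    """Decode the query once (as PHP does) and vet every scripts= value."""
    for value in parse_qs(query, keep_blank_values=True).get("scripts", []):
        if "\x00" in value or ".." in value or not SAFE_SCRIPT_RE.match(value):
            return False
    return True

def is_suspicious_request(target: str) -> bool:
    """Flag loader.php requests whose scripts= value fails the allow-list."""
    parts = urlsplit(target)
    return parts.path == LOADER_PATH and not scripts_param_is_safe(parts.query)

def find_suspicious(log_lines):
    """Return (client_ip, request_target) for each suspicious loader.php hit."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if m and is_suspicious_request(m.group("target")):
            hits.append((m.group("ip"), m.group("target")))
    return hits

# Constructed sample log lines; the first reproduces the URI quoted in the CVE entry.
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Jan/2022:19:34:00 +0000] "GET /user/loader.php?api=1'
    '&scripts=.%00./.%00./api/account_new_create&acc=guadaapi HTTP/1.1" 200 512',
    '198.51.100.7 - - [24/Jan/2022:19:35:10 +0000] "GET /user/loader.php?api=1'
    '&scripts=api/account_list HTTP/1.1" 200 2048',
    '198.51.100.7 - - [24/Jan/2022:19:36:02 +0000] "GET /index.php HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for ip, target in find_suspicious(SAMPLE_LOG):
        print(f"suspicious loader.php request from {ip}: {target}")
```

The same scripts_param_is_safe check, applied server-side before any include, is the kind of input validation that removes the null-byte truncation path regardless of how the file-inclusion patch itself is written.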

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Linux 18 378 1445 1141 696 3660