Linux Servers at Risk of RCE Due to Critical CWP Bugs (Security News, January 2022)

Researchers have discovered two critical bugs in Control Web Panel - a popular web hosting management software used by 200K+ servers - that could allow for remote code execution as root on vulnerable Linux servers.
CWP, formerly known as CentOS Web Panel, is an open-source Linux control panel software used for creating and managing web hosting environments.
The software supports the operating systems CentOS, Rocky Linux, Alma Linux and Oracle Linux.
To exploit the vulnerability, inject malicious code from a remote resource and achieve code execution, an attacker would simply need to alter the include statement, which is used to insert the content of one PHP file into another PHP file before the server executes it.
Doing so requires bypassing the security protections that prevent attackers from reaching the restricted API section without authentication: a feat that can be accomplished by registering an API key using the file inclusion bug and then creating a malicious authorized keys file on the server using the file write flaw.
Octagon will be releasing a full proof of concept for achieving the preauth RCE "Once enough servers migrate to the latest version," according to the report.
News URL: https://threatpost.com/linux-servers-rce-critical-cwp-bugs/177906/