CATEGORIES
home IT/Enterprise

Control Web Panel Security Exploit Leaves 200K Linux Servers Vulnerable To Remote Hacks

by Zak KillianTuesday, January 25, 2022, 04:58 PM EDT
cwp demo admin panel
If you're not a Linux sysadmin, you might not be familiar with Control Web Panel, but if you are a Linux sysadmin, you almost certainly are at least aware of the app. Control Web Panel, or CWP, is a free Linux control panel for various web services. It used to be called CentOS Web Panel, but these days it's supported on CentOS, Rocky Linux, Alma Linux, and Oracle.

Ethiopian security consulting service Octagon Networks found a flaw in CWP that is about as bad as it gets: remote code execution without authentication. That means anyone who can issue requests to your server can gain full remote code execution. This is, obviously, quite serious, so you can pause reading to go patch if you need to (and then go clean out your underpants.)

The vulnerability lies in a fault with the way CWP loads a certain PHP file. It has a basic mechanism to prevent users from ascending to the parent directory, but the mechanism isn't robust at all. As a result, a user can trivally craft a fuzzed request that allows them to force CWP to load files from outside of the otherwise-publicly-available directories.

example fuzzing code for cwp exploit
An example of the simple fuzzing required to beat the intrusion countermeasures.

Combining that "file inclusion" flaw with another "file write" vulnerability, an attacker can basically modify any file on the system, and given that ability, means that they can pretty much pwn the whole box remotely. It's basically just as bad as the Log4shell vulnerability found in Log4j back at the end of 2021, although that vulnerability affected hundreds of applications due to the widespread nature of that tool.

CWP may not be as ubiquitous as Log4j, but it's still quite common. Octagon's own research claims there were some 200,000 vulnerable servers at the time of its discovery, although BleepingComputer puts the number closer to 30,000. In either case, this is still a major vulnerability. In a bit of dark comedy, when Octagon first revealed the flaw to CWP's developers, they pushed out a simple one-line patch that did absolutely nothing to mitigate the flaw.

There's now a more proper fix out, though. The specific CVEs are CVE-2021-45467 for the file inclusion flaw, and CVE-2021-45466 for the file write vulnerability. To date Octagon has not released full example code for the exploits as there are still many vulnerable servers, but you can hit up the company's blog to read its more in-depth summary of the attack.
Tags:  Linux, security, exploit, control web panel
TOP CONVERSATIONS
Your Next PC Platform?
More Results
KEEP INFORMED
SITE

Home

Reviews

News

Blogs

Full Site

Sitemap

CATEGORIES

PC Components

Systems

Mobile

IT Infrastructure

Leisure

Videos

COMPANY

About

Advertise

News Tips

Contact

Privacy And Terms

HotTech

MORE

Accessibility

Shop

STAY CONNECTED

Twitter

Facebook

YouTube

RSS

As an Amazon and Howl Technologies Associate, HotHardware earns a commission from qualifying purchases made on this site. This site is intended for informational and entertainment purposes only. The contents are the views and opinion of the author and/or his associates. All products and trademarks are the property of their respective owners. Reproduction in whole or in part, in any form or medium, without express written permission of Hot Hardware, Inc. is prohibited. All content and graphical elements are Copyright © 1999 - 2024 David Altavilla and Hot Hardware, Inc.
All rights reserved. Privacy and Terms - Accessibility Commitment