Two security vulnerabilities that impact the Control Web Panel (CWP) software can be chained by unauthenticated attackers to gain remote code execution (RCE) as root on vulnerable Linux servers.
The two security flaws found by Octagon Networks’ Paulos Yibelo are a file inclusion vulnerability (CVE-2021-45467) and a file write (CVE-2021-45466) bug that lead to RCE when chained together.
In short, successful exploitation requires bypassing security protections to prevent attackers from reaching the restricted API section without authentication.
This can be done by registering an API key using the file inclusion bug and creating a malicious authorized_keys file on the server using the file write flaw.
While the CVE-2021-45467 file inclusion vulnerability was patched, Octagon Networks says that they saw how “some managed to reverse the patch and exploit some servers.”
Octagon Networks says that, while the CVE-2021-45467 file inclusion vulnerability was patched, they saw how “some managed to reverse the patch and exploit some servers.”
The security researchers also said they would release a proof-of-concept exploit for this pre-auth RCE chain after enough Linux servers running CWP will get upgraded to the latest version.
According to CWP’s developers, their software supports the following operating systems: CentOS, Rocky Linux, Alma Linux, and Oracle Linux
While the CWP site claims that roughly 30,000 servers are running CWP, BleepingComputer found almost 80,000 Internet-exposed CWP servers on BinaryEdge.
Over 200,000 can also be found on Shodan and Censys, according to the researchers who discovered the pre-authentication RCE chain.