By chaining two security flaws in the Control Web Panel (CWP) software, unauthenticated attackers can gain root privileges on vulnerable Linux systems. CWP, formerly known as CentOS Web Panel, is a free Linux control panel for administering dedicated web hosting servers and virtual private servers.
Paulos Yibelo of Octagon Networks discovered the two flaws: a file inclusion vulnerability (CVE-2021-45467) and a file write vulnerability (CVE-2021-45466) that, when chained together, lead to remote code execution (RCE).
“CVE-2021-45467: beautiful breath root RCE chain I found on CentOS Web Panel servers by bypassing common PHP function used for LFI protection & file write bug. RCE seems extremely widespread, pls patch!!!!” Paulos Yibelo tweeted.
In short, successful exploitation requires bypassing the protections that are meant to keep attackers out of the restricted API section until they have authenticated.
This is done by using the file inclusion bug to register an API key and then using the file write flaw to plant a malicious authorized_keys file on the server. Octagon Networks reports that although the CVE-2021-45467 file inclusion vulnerability was fixed, “some managed to reverse the patch and exploit some servers.”
The researchers said they would publish a proof-of-concept exploit for this pre-auth RCE chain once enough Linux servers running CWP have been upgraded to the current version. According to the developers, CWP supports several of the most popular Linux distributions: CentOS, Rocky Linux, AlmaLinux, and Oracle Linux.
While the CWP website states that 30,000 servers run CWP, BinaryEdge found nearly 80,000 Internet-exposed CWP servers, and the researchers who identified the pre-authentication RCE chain say that Shodan and Censys list more than 200,000.