CWP bugs allow code execution as root on Linux servers, patch now

LASER_oneXM

Level 37
Thread author
Verified
Top poster
Well-known
Feb 4, 2016
2,519
Two security vulnerabilities that impact the Control Web Panel (CWP) software can be chained by unauthenticated attackers to gain remote code execution (RCE) as root on vulnerable Linux servers.
CWP, previously known as CentOS Web Panel, is a free Linux control panel for managing dedicated web hosting servers and virtual private servers.

The two security flaws found by Octagon Networks' Paulos Yibelo are a file inclusion vulnerability (CVE-2021-45467) and a file write (CVE-2021-45466) bug that lead to RCE when chained together.
In short, successful exploitation requires bypassing security protections to prevent attackers from reaching the restricted API section without authentication.

This can be done by registering an API key using the file inclusion bug and creating a malicious authorized_keys file on the server using the file write flaw.
While the CVE-2021-45467 file inclusion vulnerability was patched, Octagon Networks says that they saw how "some managed to reverse the patch and exploit some servers."