Researchers have discovered that Control Web Panel (CWP), a popular web hosting management software, carried with it two flaws which, when chained together, lead to a remote code execution (RCE) vulnerability on certain Linux-powered servers.
A report from Octagon Networks researcher Paulos Yibelo details two vulnerabilities in CWP – CVE-2021-45467 and CVE-2021-45466. CWP supports CentOS, Rocky Linux, Alma Linux, and Oracle Linux.
The blog post gets very technical on the vulnerabilities, but long story short – some parts of the CWP panel are exposed in the webroot without authentication.
“Turns out, not a lot is exposed,” the blog post concludes.
Yibelo said the team will release a full proof-of-concept that achieves pre-auth RCE, intended for red teams, once enough servers have migrated to the latest versions and thus mitigated the threat.
Mitigating high severity threats
A separate vulnerability, “hiding in plain sight” for more than 12 years, is a memory corruption bug in polkit’s pkexec.
As explained by the researchers, pkexec is a SUID-root program that is installed by default. Malicious actors could exploit the bug to gain full root privileges on the target machine and then do as they please – even install malware or ransomware.
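Because the pkexec issue above hinges on the binary being installed setuid-root, an admin's first question is whether a given host still ships it that way. The following audit script is an added example for this article, not code from the researchers or from the polkit project; the default path /usr/bin/pkexec and the interim advice to strip the setuid bit until polkit is updated are assumptions stated in the comments, not claims from the article.

```shell
#!/bin/sh
# Added defender check (not from the article or from polkit): reports whether
# a pkexec binary is still installed setuid-root, the precondition for the
# pkexec flaw discussed above. The default path is an assumption.

# setuid_bit_set FILE -> exit 0 if FILE exists and carries the setuid bit
# ("-u" is a POSIX test operator, so no GNU stat is needed).
setuid_bit_set() {
    [ -u "$1" ]
}

# file_owner FILE -> prints the owning user name, portably via ls.
file_owner() {
    ls -ld "$1" | awk '{print $3}'
}

# audit_pkexec [PATH] -> prints one status line.
# exit 0: no setuid-root pkexec found at PATH
# exit 1: setuid-root pkexec present (update polkit; until then, stripping
#         the bit with "chmod 0755 PATH" is a common interim measure - assumption)
audit_pkexec() {
    f="${1:-/usr/bin/pkexec}"
    if [ ! -e "$f" ]; then
        echo "OK: $f not installed"
        return 0
    fi
    if setuid_bit_set "$f" && [ "$(file_owner "$f")" = "root" ]; then
        echo "WARN: $f is setuid-root; update polkit or run 'chmod 0755 $f' as an interim measure"
        return 1
    fi
    echo "OK: $f present but not setuid-root"
    return 0
}

# Run against the default (or the path given on the command line) when executed
# directly; "|| :" keeps a WARN result from aborting a caller that uses set -e.
audit_pkexec "$@" || :
```

Run it as `sh audit_pkexec.sh` or `sh audit_pkexec.sh /path/to/pkexec`; the exit status of `audit_pkexec` itself (0 or 1) is what a configuration-management or monitoring job should consume, since the printed line is only for humans.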
Also recently, a high severity vulnerability was found in Ubuntu, allowing malicious actors to crash the system, or run software in administrator mode.
The vulnerability, tracked as CVE-2022-0185, allegedly affects all of the Ubuntu releases that are still being supported. That includes Ubuntu 21.10 Impish Indri with Linux kernel 5.13, Ubuntu 21.04 Hirsute Hippo with Linux kernel 5.11, Ubuntu 20.04 LTS Focal Fossa, and Ubuntu 18.04 LTS Bionic Beaver, both with Linux kernel 5.4 LTS.
As usual, admins are urged to update their systems to the latest version as soon as possible.