Experts have warned that two vulnerabilities affecting the Control Web Panel (CWP, formerly CentOS Web Panel) can be chained together, giving unauthenticated attackers the ability to remotely execute code (RCE) as root on vulnerable Linux servers.
Although the official CWP website claims that about 30,000 servers run CWP, BleepingComputer found over 80,000 CWP servers exposed on the Internet using a BinaryEdge search.
The two bugs were discovered by security researcher Paulos Yibelo of Octagon Networks: a file inclusion issue (CVE-2021-45467) and a file write issue (CVE-2021-45466), which together yield a pre-authentication RCE chain.
Exploitation requires bypassing a security check so that an attacker can reach a protected section of the API without authentication. This is achieved by registering an API key (via the file inclusion bug) and then writing a malicious authorized_keys file, the list of SSH keys accepted for login, on the server (via the file write bug).
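The bug class behind the first step, a script-include path checked as a raw string rather than as a resolved path, is easier to see in code. The following is an added illustration, not CWP's code and not the researchers' exploit: the directory layout, the `WEB_ROOT`, `PUBLIC_DIR`, `PROTECTED_DIR`, the `add_key` script name and the allowlist are all hypothetical. `naive_resolve` shows why a string-prefix check lets a traversal reach the protected directory; `hardened_resolve` shows the allowlist-plus-canonical-path check that prevents it.

```python
import os

# Hypothetical layout for a PHP-style panel (assumption, not CWP's real paths):
# scripts under PUBLIC_DIR are reachable before login, scripts under
# PROTECTED_DIR must only be reached after authentication.
WEB_ROOT = "/srv/panel"
PUBLIC_DIR = os.path.join(WEB_ROOT, "user")
PROTECTED_DIR = os.path.join(WEB_ROOT, "api")

# Scripts the public loader is allowed to include (hypothetical names).
ALLOWED_SCRIPTS = {"dashboard", "profile", "billing"}


def naive_resolve(script: str):
    """Vulnerable pattern: build the include path from user input, then check
    the *unresolved* string. '..' segments are never collapsed, so a traversal
    value passes the prefix check while pointing somewhere else entirely."""
    candidate = os.path.join(PUBLIC_DIR, script + ".php")
    if not candidate.startswith(PUBLIC_DIR + os.sep):
        return None
    return candidate


def reaches_protected(path: str) -> bool:
    """Does the path, once the OS resolves it, land inside PROTECTED_DIR?"""
    resolved = os.path.normpath(path)
    return os.path.commonpath([PROTECTED_DIR, resolved]) == PROTECTED_DIR


def hardened_resolve(script: str):
    """Safe pattern: reject control characters and absolute paths, require the
    name to be on an allowlist, then verify the canonical path is still inside
    PUBLIC_DIR (defence in depth in case the allowlist is ever loosened)."""
    if "\x00" in script or os.path.isabs(script) or os.sep in script:
        return None
    if script not in ALLOWED_SCRIPTS:
        return None
    candidate = os.path.normpath(os.path.join(PUBLIC_DIR, script + ".php"))
    if os.path.commonpath([PUBLIC_DIR, candidate]) != PUBLIC_DIR:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed request values: one legitimate, one traversing to the API dir.
    for value in ("dashboard", "../api/add_key"):
        print(f"{value!r}: naive -> {naive_resolve(value)}, "
              f"hardened -> {hardened_resolve(value)}")
```

The point of `reaches_protected` is that the naive resolver returns a path that still starts with the public directory as text, yet the file the interpreter actually opens lives under the protected directory; any "protected section" gate keyed on the request's script name rather than on the resolved file is bypassed the same way. On an exposed CWP host the corresponding incident-response check for the second step is to review root's `~/.ssh/authorized_keys` for entries the administrator does not recognise.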
While CVE-2021-45467 has already been patched, Octagon Networks says its researchers have seen attackers bypass the patches and attack vulnerable servers.
The researchers say they will release a PoC exploit once a sufficient number of Linux servers running CWP have been updated to the latest version.