Yikes, Control Web Panel has Critical RCE — Patch NOW

Linanto’s popular web hosting control panel, CWP, has a nasty flaw. It’s easily exploitable—in fact, it’s being exploited right now.

The bug allows scrotes to open a remote shell from a simple HTTP request. Yet Linanto has known about it for almost three months. And we’re only hearing about it now because the researcher who found it issued an advisory.

It’s a 9.8 on the 10-point CVSS scale. In today’s SB Blogwatch, we’re surprised it’s not a perfect 10.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: The sweet, sweet sound of getting off my lawn.

CWP RCE CVE POC BBQ

What’s the craic? Adam Bannister reports—“Exploit drops for remote code execution bug in Control Web Panel”:

Execute arbitrary system commands via crafted HTTP requests
A pre-authentication remote code execution (RCE) exploit has landed for … CWP, formerly CentOS Web Panel … a free-to-use, Linux control panel with roughly 200,000 servers in active use. The corresponding vulnerability in CWP 7 was patched and then released in version 0.9.8.1147 on October 25.

Turkish infosec outfit Gais Security … disclosed technical details and requested a CVE after receiving assurances that a sufficient number of servers had been updated to the patched version. The flaw has now been designated as CVE-2022-44877. [It] allows unauthenticated attackers to execute arbitrary system commands via crafted HTTP requests.

Yikes. Why so slow? Dan Goodin adds—“A patch was released in October, but not all servers have installed it”:

9.8 out of a possible 10
It was … patched in October in version 0.9.8.1147. Advisories didn’t go public until earlier this month, however, making it likely some users still aren’t aware of the threat.

Attacks began on January 7 and have slowly ticked up since then. … The exploits are coming from four separate IP addresses located in the US, Netherlands, and Thailand.

The severity rating … is 9.8 out of a possible 10. … Unauthenticated hackers can execute malicious commands during the login process. … Given the ease and severity of exploitation and the availability of working exploit code, organizations using Control Web Panel should ensure they’re running version 0.9.8.1147 or higher.

Did you say 200,000 servers in use? Ionut Ilascu begs to differ—“Hackers exploit Control Web Panel flaw to open reverse shells”:

Hackers are using the exploit
CloudSek … ran a search for CWP servers on the Shodan platform and found more than 400,000 CWP instances accessible over the internet. … Administrators should take immediate action.

Leveraging CVE-2022-44877 is easy and with exploit code already public, all hackers have to do is find vulnerable targets, a menial task. … It appears that all these exploitation attempts are based on the original public PoC.

In some attacks, the hackers are using the exploit to start a reverse shell. The encoded payloads convert to Python commands that call the attacker’s machine and spawn a terminal on the vulnerable host using the Python pty Module.

Horse’s mouth? Numan Türle—“Control Web Panel 7 Remote Code Execution”:

Control Web Panel 7 versions prior to 0.9.8.1147 suffer from an unauthenticated remote code execution vulnerability. … Bash commands can be run because double quotes are used to log incorrect entries to the system.

I’m sorry? Appending to a log using a shell escape? How does that happen? Mongo McMongo makes a wild guess:

My wild guess: coder Googled for “append to file” and got a result showing the “>>” shell redirection, then bumbled into using a shell invocation to make it work. To be fair in some environments appending is a slight PITA—e.g., need to explicitly seek to end as well as opening in “w+”, etc.

And of course the shell approach “just worked” and “I’ll add a story for fixing it later.” Story will of course be lowest priority and gets WONTFIX … months later in the routine defect scrub.
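The pattern Türle's advisory describes (the bad entry ends up inside double quotes in a bash command) and Mongo's guess about "append via `>>`" both come down to the same defect: untrusted request data is interpolated into a shell line. The following is an added example, not code from CWP, the advisory or any of the quoted commenters; it is hypothetical Python that shows the anti-pattern, the `shlex.quote` band-aid, and the real fix (plain file I/O in append mode) side by side. The log path and the sample entries are constructed placeholders.

```python
import os
import shlex
import subprocess
import tempfile

# Added example, hypothetical code: a stand-in for a control panel's
# "record the failed login" routine. It is not CWP's code; the advisory
# only states that the bad entry is logged inside double quotes via bash.


def build_log_command(log_path: str, entry: str) -> str:
    """The anti-pattern: interpolate the untrusted entry into a shell line.

    Double quotes do not make the value inert. Inside "...", bash still
    performs command substitution ($(...) and backticks) and parameter
    expansion ($VAR), so a crafted entry becomes executable code.
    """
    return f'echo "failed login: {entry}" >> {log_path}'


def log_failed_login_unsafe(log_path: str, entry: str) -> None:
    """Runs the line above through /bin/sh with the web server's privileges.
    Shown for contrast only; never call it with request-controlled input."""
    subprocess.run(build_log_command(log_path, entry), shell=True, check=True)


def build_log_command_quoted(log_path: str, entry: str) -> str:
    """Band-aid if the shell really cannot be removed: single-quote the value
    with shlex.quote, which bash does not expand. Still a shell round-trip,
    still one forgotten call site away from the original bug."""
    return f"echo {shlex.quote('failed login: ' + entry)} >> {shlex.quote(log_path)}"


def log_failed_login_safe(log_path: str, entry: str) -> str:
    """The real fix: no shell at all. Open in append mode and write the
    line; the OS positions every write at end-of-file, so no seek is needed.
    CR/LF are escaped so one request cannot forge extra log lines."""
    sanitized = entry.replace("\r", "\\r").replace("\n", "\\n")
    line = f"failed login: {sanitized}\n"
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(line)
    return line


def write_and_read_back(entry: str) -> str:
    """Helper for the demo: log one entry to a fresh temp file and return
    exactly what landed on disk."""
    fd, path = tempfile.mkstemp(suffix=".log")
    os.close(fd)
    try:
        log_failed_login_safe(path, entry)
        with open(path, encoding="utf-8") as fh:
            return fh.read()
    finally:
        os.unlink(path)


if __name__ == "__main__":
    # Constructed sample values: a crafted entry carrying shell syntax and a
    # line break, and a placeholder log path (not CWP's real path).
    crafted = "alice$(hostname)\nforged line"
    log_path = "/tmp/example-login.log"
    print("unsafe command handed to bash:")
    print("  " + build_log_command(log_path, crafted))
    print("quoted variant:")
    print("  " + build_log_command_quoted(log_path, crafted))
    print("file I/O stores it as data:")
    print("  " + repr(write_and_read_back(crafted)))
```

Running the script prints the three forms next to each other: the unsafe command string still contains `$(hostname)` unprotected inside the double quotes, the quoted variant wraps the whole value in single quotes, and the file-I/O version records the crafted text as an inert, single log line. The takeaway for review and QA is the one the advisory implies: a logging routine that spawns a shell is a finding on its own, whatever the quoting looks like.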

How come it took nearly three months? u/HanaBothWays has heard this song before:

“Patch released way back when, but not applied to all the things,” is eternal.

What can we learn? Shavano gets pedagogical:

This is why you might want to think twice about using admin and development tools written by amateurs. 100% of inexperienced developers make blunders like that. They’re just a little less likely to pass code review or QA in professional software development organizations.

Are there still professional software development organizations?

Meanwhile, what’s a CWP user to do if they can’t upgrade? zack822 offers advice:

AAPanel has worked great for me.

And Finally:

Oona Räisänen’s The Sound Of The Dialup, but animated

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: Dan Meyers (via Unsplash; leveled and cropped)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
