How can we help?
Two flaws have been found in CWP, a web hosting management software that has been used by more than 200,000 servers. The flaws have allowed code execution as root on Linux servers.
The critical bugs could allow remote code execution on vulnerable Linux servers.
CentOS Web Panel which supports the following operating systems:
– Rocky Linux
– Alma Linux
– Oracle Linux
Containment, Mitigations & Remediation
Octagon will be releasing a full proof of concept for achieving the pre-authentication RCE once enough servers migrate to the latest version. For the time being servers must be updated to the latest version.
Indicators of Compromise
There are currently no IOCs.
The two vulnerabilities are tracked as a file inclusion vulnerability and a file write bug, and this can lead to RCE. Remote File Inclusion (RFI) and Local File Inclusion (LFI) are vulnerabilities that are often found in poorly-written web applications. These vulnerabilities occur when a web application allows the user to submit input into files or upload files to the server.
In this instance, to inject malicious code from a remote resource and execute the code, an attacker would simply need to alter the included statement that is used to insert the content of one PHP files into another PHP file, before the server executes it.
Octagon, who first reported on the vulnerability, will be releasing a full proof of concept for achieving the unauthenticated RCE once enough servers migrate to the latest version. However, in the meantime the simplicity and description of the attack is already being developed in the wild.
T1210 – Exploitation of Remote Services