Home / About / Threat Intelligence / Linux Servers at Risk of Remote Code Execution

Overview

Two flaws have been found in CWP, a web hosting management software that has been used by more than 200,000 servers. The flaws have allowed code execution as root on Linux servers.

Impact

The critical bugs could allow remote code execution on vulnerable Linux servers.

Products Affected

CentOS Web Panel which supports the following operating systems:

– CentOS
– Rocky Linux
– Alma Linux
– Oracle Linux

Containment, Mitigations & Remediation

Octagon will be releasing a full proof of concept for achieving the pre-authentication RCE once enough servers migrate to the latest version. For the time being servers must be updated to the latest version.

Indicators of Compromise

There are currently no IOCs.

Threat Landscape

The two vulnerabilities are tracked as a file inclusion vulnerability and a file write bug, and this can lead to RCE. Remote File Inclusion (RFI) and Local File Inclusion (LFI) are vulnerabilities that are often found in poorly-written web applications. These vulnerabilities occur when a web application allows the user to submit input into files or upload files to the server.

In this instance, to inject malicious code from a remote resource and execute the code, an attacker would simply need to alter the included statement that is used to insert the content of one PHP files into another PHP file, before the server executes it.

Octagon, who first reported on the vulnerability, will be releasing a full proof of concept for achieving the unauthenticated RCE once enough servers migrate to the latest version. However, in the meantime the simplicity and description of the attack is already being developed in the wild.

Mitre Methodologies

T1210 – Exploitation of Remote Services

Further Information

CVE-2021-45467: CWP CentOS Web Panel – preauth RCE