Researchers have uncovered two severe flaws in Control Web Panel (CWP), a widely deployed web hosting control panel running on more than 200,000 servers, which can be chained to achieve root-level Remote Code Execution (RCE) on vulnerable Linux systems.
CWP, originally CentOS Web Panel, is a free Linux control panel used to set up and manage web hosting environments. It supports the major RHEL-derived distributions: CentOS, Rocky Linux, AlmaLinux, and Oracle Linux.
According to Octagon's report, the vulnerabilities sit in parts of the CWP panel that are reachable in the webroot without authentication. The first is a file inclusion bug: the attacker controls the argument of a PHP include statement (include pulls the contents of one PHP file into another before the server executes it), so they can make the panel include a file of their choosing, pull in malicious code from a remote resource, and have the server execute it.
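The bug class the report describes, as an added generic illustration rather than CWP's own code or the exact code path Octagon found: a loader that builds a PHP include path from a request parameter, next to a hardened version that resolves the parameter against a fixed allow-list and verifies the resolved path before including it. The parameter name `page`, the `pages/` directory and the file names are assumptions made for this example.

```php
<?php
// Added illustration of the file-inclusion bug class. This is NOT CWP's code;
// the "page" parameter, the pages/ directory and the file names are assumed.

// --- Vulnerable pattern: the include target is built from user input ---
// With ?page=../../../../etc/passwd the attacker reads arbitrary files; if the
// attacker can get a PHP file onto the server (e.g. via a separate file-write
// bug) or remote includes are enabled, the included code runs with the
// privileges of the web server / panel process.
function vulnerable_loader(string $page): void
{
    include __DIR__ . '/pages/' . $page . '.php';
}

// --- Hardened pattern: map the input to a fixed allow-list ---
// The request value is only ever used as a key; the file name comes from us.
const ALLOWED_PAGES = [
    'home'    => 'home.php',
    'domains' => 'domains.php',
];

function safe_loader(string $page): void
{
    if (!array_key_exists($page, ALLOWED_PAGES)) {
        http_response_code(404);
        exit('unknown page');
    }

    // Defence in depth: realpath() resolves symlinks and "..", so we can
    // confirm the final target really lives inside the pages directory.
    $base   = realpath(__DIR__ . '/pages');
    $target = realpath($base . '/' . ALLOWED_PAGES[$page]);
    if ($target === false
        || strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        http_response_code(404);
        exit('unknown page');
    }

    include $target;
}

safe_loader($_GET['page'] ?? 'home');
```

The allow-list is the actual fix; the realpath check only guards against a mistake in the list (a symlink or a stray entry pointing outside `pages/`). Filtering for `..` in the raw parameter is not a substitute for either, because the string is interpreted by the filesystem, not by your filter.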
To pull this off, the attacker must first get past the checks that block unauthenticated access to the restricted API area. The report describes doing this by registering an API key through the file inclusion vulnerability and then using the file write issue to create a fake authorized keys directory on the server.
Although the file inclusion vulnerability (CVE-2021-45467) has been patched, Octagon's researchers noted that “Some managed to reverse the patch and target some systems.”