Researchers have discovered that Control Web Panel (CWP), a popular web hosting management software, carried with it two flaws which, when chained together, lead to a remote code execution (RCE) vulnerability on certain Linux-powered servers.
A report from Octagon Networks researcher Paulos Yibelo details two vulnerabilities in CWP – CVE-2021-45467, and CVE-2021-45466. CWP supports CentOS, rocky Linux, Alma Linux, and Oracle Linux.
The blog post gets very technical on the vulnerabilities, but long story short – some parts of CWP panel are exposed, without authentication in the webroot.
Exposed
“Turns out, not a lot is exposed,” the blog post concludes.
Yibelo said the team will release a full Proof-of-Concept for red teams, that achieves preauth RCE, once enough servers migrate to the latest versions and thus mitigate the threat.
It's been a tough week for Linux fans, after researchers from Qualys also recently identified a decade-old “extremely severe” vulnerability affecting every major distro for the operating system (OS).
Mitigating high severity threats
The vulnerability, “hiding in plain sight” for more than 12 years, is a memory corruption in polkit’s pkexec.
As explained by the researchers, it’s an SUID-root program, installed by default. Malicious actors could exploit the bug to gain full root privileges on the target machine, and then do as they please – even install malware or ransomware.
Also recently, a high severity vulnerability was found in Ubuntu, allowing malicious actors to crash the system, or run software in administrator mode.
The vulnerability, tracked as CVE-2022-0185, allegedly affects all of the Ubuntu releases that are still being supported. That includes Ubuntu 21.10 Impish Indri with Linux kernel 5.13, Ubuntu 21.04 Hirsute Hippo with Linux kernel 5.11, Ubuntu 20.04 LTS Focal Fossa, and Ubuntu 18.04 LTS Bionic Beaver, both with Linux kernel 5.4 LTS.
As usual, admins are urged to update their systems to the latest version as soon as possible.
Via: ThreatPost
English
Arabic
Belarusian
Bengali
Bosnian
Bulgarian
Chinese (Simplified)
Croatian
Czech
Danish
Dutch
Estonian
Filipino
Finnish
French
Georgian
German
Greek
Gujarati
Hausa
Hebrew
Hindi
Hmong
Hungarian
Igbo
Indonesian
Italian
Japanese
Javanese
Kazakh
Korean
Kurdish (Kurmanji)
Kyrgyz
Lao
Latvian
Lithuanian
Macedonian
Malagasy
Norwegian
Persian
Polish
Portuguese
Punjabi
Romanian
Russian
Serbian
Slovak
Slovenian
Spanish
Swedish
Thai
Turkish
Ukrainian
Vietnamese
Yoruba