Control Web Panel Security Exploit Leaves 200K Linux Servers Vulnerable To Remote Hacks

If you're not a Linux sysadmin, you might not be familiar with Control Web Panel, but if you are a Linux sysadmin, you almost certainly are at least aware of the app. Control Web Panel, or CWP, is a free Linux control panel for various web services. It used to be called CentOS Web Panel, but these days it's supported on CentOS, Rocky Linux, Alma Linux, and Oracle.

Ethiopian security consulting service Octagon Networks found a flaw in CWP that is about as bad as it gets: remote code execution without authentication. That means anyone who can issue requests to your server can gain full remote code execution. This is, obviously, quite serious, so you can pause reading to go patch if you need to (and then go clean out your underpants.)

The vulnerability lies in a fault with the way CWP loads a certain PHP file. It has a basic mechanism to prevent users from ascending to the parent directory, but the mechanism isn't robust at all. As a result, a user can trivially craft a fuzzed request that forces CWP to load files from outside of the otherwise-publicly-available directories.

[Image: An example of the simple fuzzing required to beat the intrusion countermeasures.]
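For defenders, the lesson of the file inclusion flaw is to stop filtering for parent-directory patterns and instead allow-list the name, canonicalize the path, and check where it actually lands. The sketch below is an added example, not CWP's code or Octagon's; the function name, directory layout and sample inputs are all hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example; every name here is hypothetical, none is CWP's.
// Resolve a user-supplied module name to a file inside $baseDir, or null.
function resolve_module(string $name, string $baseDir): ?string
{
    // 1. Allow-list the shape of the name instead of hunting for "..":
    //    no dots, slashes, percent signs, NUL bytes or control characters.
    if (preg_match('/\A[a-z0-9_]{1,64}\z/', $name) !== 1) {
        return null;
    }

    // 2. Canonicalize both paths. realpath() resolves symlinks and any
    //    "." / ".." segments, and returns false if the target is missing.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $path === false) {
        return null;
    }

    // 3. Containment check on the canonical result. The trailing separator
    //    stops a sibling such as "/modules_old" from matching "/modules".
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

// Constructed demo: a temporary module tree and a few sample names.
$tmp = sys_get_temp_dir() . '/include_demo_' . bin2hex(random_bytes(4));
mkdir($tmp . '/modules', 0700, true);
file_put_contents($tmp . '/modules/dashboard.php', "<?php // constructed\n");
file_put_contents($tmp . '/secret.php', "<?php // outside the module dir\n");

foreach (['dashboard', '../secret', 'dashboard.php', "dash\0board", 'missing'] as $n) {
    $r = resolve_module($n, $tmp . '/modules');
    printf("%-20s => %s\n", json_encode($n, JSON_UNESCAPED_SLASHES),
        $r === null ? 'rejected' : 'allowed');
}

// Remove the constructed files again.
unlink($tmp . '/modules/dashboard.php');
unlink($tmp . '/secret.php');
rmdir($tmp . '/modules');
rmdir($tmp);
```

Only the returned canonical path should ever be handed to `include` or `require`; the raw request parameter is never used to build the final path.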

Combining that "file inclusion" flaw with another "file write" vulnerability, an attacker can basically modify any file on the system and, given that ability, pretty much pwn the whole box remotely. It's basically just as bad as the Log4Shell vulnerability found in Log4j back at the end of 2021, although that vulnerability affected hundreds of applications due to the widespread nature of that tool.

CWP may not be as ubiquitous as Log4j, but it's still quite common. Octagon's own research claims there were some 200,000 vulnerable servers at the time of its discovery, although BleepingComputer puts the number closer to 30,000. In either case, this is still a major vulnerability. In a bit of dark comedy, when Octagon first revealed the flaw to CWP's developers, they pushed out a simple one-line patch that did absolutely nothing to mitigate the flaw.

There's now a more proper fix out, though. The specific CVEs are CVE-2021-45467 for the file inclusion flaw, and CVE-2021-45466 for the file write vulnerability. To date Octagon has not released full example code for the exploits as there are still many vulnerable servers, but you can hit up the company's blog to read its more in-depth summary of the attack.