The well-known and widely used web hosting control panel Control Web Panel (CWP) has a critical security vulnerability rated 9.8 under CVSSv3.1. Attackers can install shells on the server or collect and exfiltrate information.
On January 3, 2023, IT security researcher Numan Türle from Gais Cyber Security published a proof of concept for a vulnerability in the server management software Control Web Panel (CWP), formerly CentOS Web Panel. Because user input is not properly neutralized, the vulnerability allows a remote, unauthenticated attacker to execute code on the affected system. The disclosure followed a completed coordinated vulnerability disclosure process that Türle had initiated with the vendor last October.
Rated "critical" with a CVSSv3.1 score of 9.8
According to the Common Vulnerability Scoring System, the vulnerability is classified as "critical" with a score of 9.8 (CVSSv3.1). It is listed in the Common Vulnerabilities and Exposures database under the identifier CVE-2022-44877. Attacks on vulnerable systems were observed within a few days of publication, using a variety of approaches. Among other things, shells were installed on the servers, while in some cases the attacks were limited to gathering information.
The widespread use of CWP, the public proof of concept and the comparatively simple exploitability of the vulnerability mean that the probability of a cyber attack must currently be assessed as very high. Even where attackers limit themselves to gathering information, the knowledge gained could be used to prepare subsequent attacks.
Update has been available for some time
The developers of Control Web Panel released an update on October 25, 2022 that closes the vulnerability. IT security officers should check their installations and install at least this version (0.9.8.1148) or a newer one as soon as possible. At the same time, log files should be reviewed to detect attacks that have already taken place. Indicators include unexplained changes to the system and access from suspicious IP addresses. Further information on the detection of security-relevant events can be found in IT-Grundschutz.
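The version check the advisory asks for, as an added example that is not part of the BSI text or the CWP project: it compares an installed CWP version string against the minimum fixed version named above (0.9.8.1148) and lists the hosts in an inventory that still need the update. How the version string is read from a given host is left to the caller (the function takes the string as an argument); the hostnames and versions in the sample inventory are constructed for illustration.

```python
"""Compare installed Control Web Panel versions against the minimum fixed
version named in the BSI advisory for CVE-2022-44877.

Added example, not code from the advisory or from the CWP project.  Obtaining
the version string from a host (package manager, panel UI, config file) is
left to the caller and is assumed here; this module only does the comparison.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Minimum version the advisory names as closing CVE-2022-44877.
MIN_FIXED_VERSION = "0.9.8.1148"

# First dotted numeric sequence in a string, e.g. "version: 0.9.8.1147".
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)")


def parse_version(text: str) -> tuple[int, ...]:
    """Extract the first dotted numeric version from arbitrary text.

    Raises ValueError when no version is present, so a missing or garbled
    value is never silently treated as "patched".
    """
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def _pad(version: tuple[int, ...], length: int) -> tuple[int, ...]:
    """Right-pad with zeros so "0.9.9" compares as (0, 9, 9, 0)."""
    return version + (0,) * (length - len(version))


@dataclass(frozen=True)
class VersionCheck:
    installed: str
    minimum: str
    patched: bool

    def summary(self) -> str:
        state = "OK" if self.patched else "UPDATE REQUIRED"
        return f"{self.installed} (minimum {self.minimum}): {state}"


def check_cwp_version(installed: str, minimum: str = MIN_FIXED_VERSION) -> VersionCheck:
    """Return whether `installed` is at or above `minimum`.

    Components are compared numerically, not as strings, so 0.9.8.1148 is
    correctly judged newer than 0.9.8.999.
    """
    have, need = parse_version(installed), parse_version(minimum)
    width = max(len(have), len(need))
    return VersionCheck(installed, minimum, _pad(have, width) >= _pad(need, width))


def hosts_needing_update(inventory: dict[str, str]) -> list[str]:
    """Given {hostname: version string}, return hosts that are below the
    fixed version or whose version could not be parsed (treated as unknown,
    hence flagged for manual review rather than assumed safe)."""
    flagged: list[str] = []
    for host, version in sorted(inventory.items()):
        try:
            if not check_cwp_version(version).patched:
                flagged.append(host)
        except ValueError:
            flagged.append(host)
    return flagged


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative.
    sample = {
        "web01.example.invalid": "0.9.8.1147",
        "web02.example.invalid": "version: 0.9.8.1149",
        "web03.example.invalid": "unknown",
    }
    for host in hosts_needing_update(sample):
        print(f"{host}: needs review or update")
```

A version string below the minimum, or one that cannot be parsed at all, is flagged; only a version that parses and compares at or above 0.9.8.1148 is reported as patched. This is a screening step, not a substitute for the log review the advisory also recommends.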
More at BSI.bund.de
About the Federal Office for Information Security (BSI)
The Federal Office for Information Security (BSI) is the federal cyber security authority and the creator of secure digitization in Germany. Its guiding principle: as the federal cyber security authority, the BSI shapes information security in digitization through prevention, detection and response for the state, the economy and society.