A security researcher from Octagon Networks has recently disclosed a couple of critical vulnerabilities on CentOS‘s Control Web Panel. The two vulnerabilities tracked under CVE IDs CVE-2021-45466 & CVE-2021-45467 allow attackers to execute code remotely as root on vulnerable Linux servers. These critical vulnerabilities affect CentOS, Rocky Linux, Alma Linux, and Oracle Linux servers. Users of the Control Web Panel on the affected OS platforms are recommended to Fix the CVE-2021-45467 vulnerability. In this post, let’s see how to Fix CVE-2021-45467- A Remote Code Execution Vulnerability in Control Web Panel.
What Is Control Web Panel (CWP)?
Well, Control Web Panel is commonly known as CentOS Web Panel. It is an open-source Linux web hosting panel that gives you all the flexibility to effectively and efficiently manage your server and client. The software has been released for both free and pro users according to their needs. The software supports multiple Linux distributions, predominantly RedHat compatible Linux flavors. It supports CentOS, Rocky Linux, Alma Linux and Oracle Linux. You can visit their page for more details.
How To install Control Web Panel (CWP) On CentOS?
Installation process is very simple and straightforward. You need to follow these few commands to download and install Control Web Panel.
How to install Control Web Panel (CWP) on CentOS?
- Install EPEL repository
Use this command to install EPEL repository on CentOS:
$ sudo dnf install epel-release
- Install wget
Use this command to install wget utility on CentOS:
$ sudo dnf install wget -y
- Update CentOS repository
Use this command to update repository on CentOS:
$ sudo dnf update -y
- Reboot the server
Use this command to reboot the CentOS server:
- Install Control Web Panel (CWP) on CentOS
Change the directory to /usr/local/src
$ cd /usr/local/src
- Download the CWP package
Use this command to download the package using wget utility:
$ wget http://dl1.centos-webpanel.com/files/cwp-el8-latest
- Run this installation script to install CWP
Command to run the installation script:
$ sudo sh cwp-el8-latest
Summary Of CVE-2021-45466 And CVE-2021-45467:
The two vulnerabilities tracked under CVE IDs CVE-2021-45466 & CVE-2021-45467 collectively give attackers a way to perform unauthenticated remote code execution on the affected Linux servers.
CVE-2021-45467 is a file inclusion vulnerability, and CVE-2021-45466 is a file write vulnerability. An attacker will need to chain the two vulnerabilities to perform remote code execution on the victim. To exploit the vulnerabilities, an attacker needs to alter the include statement, which is used to insert the content of one PHP file into another PHP file before the server executes it.
According to the report, the actual issue arises when two of the unauthenticated PHP pages, “/user/login.php” and “/user/index.php” used in the application failed to adequately validate a path to a script file.
Octagon Network said that they are going to release PoC later once the major chunk of servers is upgraded to the latest version.
How To Fix CVE-2021-45467- A Remote Code Execution Vulnerability In Control Web Panel?
The vendor has released new updates in response to vulnerabilities. Please download the latest version of CWP from here.
In most of the cases no manual updates are required. CWP updates are scheduled using cronjobs. New version will get updated within 48 hours of the release. You can check the latest released version on our ChangeLog website.
If you want to force update you can do that by executing the following command.
$ sudo sh /usr/local/cwpsrv/htdocs/resources/scripts/update_cwp
$ sudo sh /scripts/update_cwp
We hope this post will help you know How to Fix CVE-2021-45467- A Remote Code Execution Vulnerability in Control Web Panel on CentOS server. Thanks for reading this threat post. Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, & Medium and subscribe to receive updates like this.