How To Fix CVE-2021-45467- A Remote Code Execution Vulnerability In Control Web Panel

A security researcher from Octagon Networks has recently disclosed a couple of critical vulnerabilities on CentOS‘s Control Web Panel. The two vulnerabilities tracked under CVE IDs CVE-2021-45466 & CVE-2021-45467 allow attackers to execute code remotely as root on vulnerable Linux servers. These critical vulnerabilities affect CentOS, Rocky Linux, Alma Linux, and Oracle Linux servers. Users of the Control Web Panel on the affected OS platforms are recommended to Fix the CVE-2021-45467 vulnerability. In this post, let’s see how to Fix CVE-2021-45467- A Remote Code Execution Vulnerability in Control Web Panel.

What Is a Control Web Panel (CWP)?

Well, Control Web Panel is commonly known as CentOS Web Panel. It is an open-source Linux web hosting panel that gives you all the flexibility to effectively and efficiently manage your server and client. The software has been released for both free and pro users according to their needs. The software supports multiple Linux distributions, predominantly RedHat-compatible Linux flavors. It supports CentOS, Rocky Linux, Alma Linux, and Oracle Linux. You can visit their page for more details.

How To Install Control Web Panel (CWP) On CentOS?

The installation process is very simple and straightforward. You need to follow these few commands to download and install Control Web Panel.

Step 1. Install EPEL repository

Use this command to install the EPEL repository on CentOS:


$ sudo dnf install epel-release

Step 2. Install wget

Use this command to install the wget utility on CentOS:


$ sudo dnf install wget -y

Step 3. Update CentOS repository

Use this command to update the repository on CentOS:


$ sudo dnf update -y

Step 4. Reboot the server

Use this command to reboot the CentOS server:


$ reboot

Step 5. Install Control Web Panel (CWP) on CentOS

Change the directory to /usr/local/src


$ cd /usr/local/src

Step 6. Download the CWP package

Use this command to download the package using wget utility:


$ wget http://dl1.centos-webpanel.com/files/cwp-el8-latest

Step 7. Run this installation script to install CWP

Command to run the installation script:


$ sudo sh cwp-el8-latest

Summary Of CVE-2021-45466 And CVE-2021-45467:

The two vulnerabilities tracked under CVE IDs CVE-2021-45466 & CVE-2021-45467 collectively give attackers a way to perform unauthenticated remote code execution on the affected Linux servers.

CVE-2021-45467 is a file inclusion vulnerability, and CVE-2021-45466 is a file write vulnerability. An attacker will need to chain the two vulnerabilities to perform remote code execution on the victim. To exploit the vulnerabilities, an attacker needs to alter the included statement, which is used to insert the content of one PHP file into another PHP file before the server executes it.

According to the report, the actual issue arises when two of the unauthenticated PHP pages, “/user/login.php” and “/user/index.php” used in the application failed to adequately validate a path to a script file.

Octagon Network said that they are going to release PoC later once the major chunk of servers is upgraded to the latest version.

How To Fix CVE-2021-45467- A Remote Code Execution Vulnerability In Control Web Panel?

The vendor has released new updates in response to vulnerabilities. Please download the latest version of CWP from here.

In most of the cases, no manual updates are required. CWP updates are scheduled using cronjobs. The new version will get updated within 48 hours of the release. You can check the latest released version on our ChangeLog website.

If you want to force an update you can do that by executing the following command.

$ sudo sh /usr/local/cwpsrv/htdocs/resources/scripts/update_cwp

Or

$ sudo sh /scripts/update_cwp

We hope this post helps you know How to Fix CVE-2021-45467- A Remote Code Execution Vulnerability in Control Web Panel on CentOS server. Thanks for reading this threat post. Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, & Medium and subscribe to receive updates like this.