
Vulnerability with 9.8 severity in Control Web Panel is actively exploited

    (Image credit: Getty Images)

    Malicious hackers are exploiting a critical vulnerability in unpatched versions of the Control Web Panel, a common web hosting interface.

    “This is an unauthenticated RCE,” members of the Shadowserver group wrote on Twitter, using the abbreviation for remote code execution. “Exploitation is trivial and a PoC has been published.” PoC refers to proof-of-concept code that exploits the vulnerability.

    The vulnerability is tracked as CVE-2022-44877. It was discovered by Gais Cyber Security’s Numan Türle and fixed in version 0.9.8.1147, released in October. However, advisories were only made public earlier this month, so it is likely that some users are still unaware of the threat.

    Figures from security firm GreyNoise show that attacks began on Jan. 7 and have slowly increased since then, with the most recent round continuing through Wednesday. The company said the exploits come from four separate IP addresses in the US, the Netherlands and Thailand.

    Shadowserver’s scans show about 38,000 IP addresses running Control Web Panel, with the highest concentration in Europe, followed by North America and Asia.

    CVE-2022-44877 carries a severity rating of 9.8 out of a possible 10. “Bash commands can be executed because double quotes are used to log incorrect entries into the system,” the vulnerability advisory reads. As a result, an unauthenticated attacker can execute arbitrary commands on the server during the login process. The following video demonstrates the exploit:

    Video: Centos Web Panel 7 Unauthenticated Remote Code Execution – CVE-2022-44877

    The vulnerability resides in the /login/index.php component and stems from the way CWP logs failed login attempts, according to the Daily Swig: the panel builds and runs a shell command of the form echo "incorrect entry, IP address, HTTP_REQUEST_URI" >> /blabla/wrong.log. “Since the request URI comes from the user and as you can see it’s enclosed in double quotes, it’s possible to run commands like $(blabla) which is a bash function,” Türle told the publication. Because the attacker-supplied URI is spliced into the text of the command before the shell parses it, a $(...) sequence in the URI is treated as command substitution and executed rather than being written to the log as data.
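    The logging pattern Türle describes, modelled as an added example. This is not CWP’s code: the vulnerable variant pastes the request URI into shell source text and re-parses it with sh -c, the hardened variant hands the same values to the shell as arguments, and a grep over constructed access-log lines shows what exploitation attempts look like from the defender’s side. The log and marker paths, the IP addresses, the payload and the sample log lines are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not CWP's code: a minimal model of the logging pattern the
# article describes. "vulnerable_log" builds shell source text by string
# concatenation and hands it to sh -c, so a request URI containing $(...) is
# executed as command substitution. "hardened_log" passes the same values as
# arguments, so they are only ever data. Paths, IPs and log lines are
# constructed for the demo.

LOGFILE="/tmp/wrong.log.$$"          # stands in for /blabla/wrong.log
MARKER="/tmp/pwned.$$"               # created only if the payload executes

# Attacker-controlled URI: a login request whose query string carries a
# command substitution (constructed payload; a real attack would run anything).
PAYLOAD='/login/index.php?login=$(touch '"$MARKER"')'

# Vulnerable pattern: ip and uri are interpolated into the command text,
# which sh -c then parses as code.
vulnerable_log() {
    ip="$1"; uri="$2"
    sh -c "echo \"incorrect entry, $ip, $uri\" >> $LOGFILE"
}

# Hardened pattern: the inner shell receives ip, uri and the log path in
# argv. Expanding "$1"/"$2" inside double quotes never re-parses their
# contents, so $(...) in the URI is written to the log literally.
hardened_log() {
    ip="$1"; uri="$2"
    sh -c 'printf "incorrect entry, %s, %s\n" "$1" "$2" >> "$3"' sh "$ip" "$uri" "$LOGFILE"
}

# Runs one logger with the payload and reports whether the marker appeared.
# Returns 0 when the payload executed, 1 when it was logged as plain text.
probe() {
    logger="$1"
    rm -f "$MARKER" "$LOGFILE"
    "$logger" "203.0.113.5" "$PAYLOAD"
    if [ -e "$MARKER" ]; then
        echo "$logger: payload EXECUTED"
        return 0
    fi
    echo "$logger: payload not executed; log line: $(cat "$LOGFILE")"
    return 1
}

# Defender-side check: flag requests to the login page whose URI carries a
# command-substitution marker, raw or URL-encoded. Reads files given as
# arguments, or stdin. Exit status follows grep (0 = something matched).
scan_access_log() {
    grep -E '"(GET|POST) /login/index\.php[^"]*(\$\(|%24%28|`|%60)' "$@"
}

# Constructed Apache-style access-log lines: two exploit attempts, one benign.
sample_log() {
    cat <<'EOF'
198.51.100.7 - - [07/Jan/2023:10:01:02 +0000] "POST /login/index.php?login=$(id) HTTP/1.1" 200 512 "-" "curl/7.81.0"
198.51.100.9 - - [07/Jan/2023:10:02:15 +0000] "GET /login/index.php?login=%24%28whoami%29 HTTP/1.1" 200 512 "-" "python-requests/2.28"
203.0.113.20 - - [07/Jan/2023:10:03:44 +0000] "GET /login/index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
EOF
}

demo() {
    probe vulnerable_log || true
    probe hardened_log || true
    echo "suspicious requests in sample log:"
    sample_log | scan_access_log || true
    rm -f "$MARKER" "$LOGFILE"
}

demo
```

    The point of the hardened variant is not escaping but separation: the URI never becomes part of the shell’s source text, so nothing in it can be interpreted as syntax. In PHP the equivalent is to pass untrusted values through escapeshellarg() if a shell is unavoidable, or, better for a log write, to avoid the shell entirely and append with file_put_contents() or error_log(). The grep is only a first-pass triage; an attacker can encode or fragment the payload in other ways, so treat a hit as a reason to inspect the host, not a complete detection.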

    Given the ease and severity of exploitation and the availability of working exploit code, organizations using Control Web Panel should ensure they are running version 0.9.8.1147 or later.