Earlier this year, researchers at Immersive Labs responsibly disclosed several vulnerabilities in Centos Web Panel, which was recently rebranded as Control Web Panel (CWP).
The vulnerabilities we found allowed malicious actors to take over accounts and run commands as root on vulnerable servers. There were hundreds of thousands of them online – millions of websites could have been affected.
All of the vulnerabilities have since been fully patched. MITRE assigned the following CVEs for the issues we reported:
CVE-2022-25046: Path traversal vulnerability leading to remote code execution (RCE)
CVE-2022-25047: Account hijack via the password reset token
CVE-2022-25048: As a standard user, execute commands in the context of root
What is CWP?
CWP is a shared hosting platform built to run on CentOS servers. Its shared hosting model means that even a single web server running CWP can host many websites.
The server operator creates standard user accounts for each new customer – effectively giving them their own slice of the resources on the shared server.
As with most things, there are pros and cons to this sort of setup. The positive aspect is the financial benefit; monthly running costs for both the operator and the customer are low because a single server is capable of running thousands of websites.
The downsides are that if the single host goes down, so too does every website it hosts. Even more concerning, however, is that if the main host gets compromised, so is every account provisioned on the server.
Shodan shows there are approximately 185,000 active CWP servers on the internet. Each one likely runs between 10 and 100 websites, meaning any vulnerability on the underlying server software could impact millions of individual websites.
CWP caters to personal and small business accounts rather than large enterprises. But a wide “watering hole” attack would still have a fairly large potential threat surface.
Attackers exploiting these vulnerabilities at scale could…