Malicious hackers have begun exploiting a critical vulnerability in unpatched versions of the Control Web Panel, a widely used interface for web hosting.
“This is an unauthenticated RCE,” members of the Shadowserver group wrote on Twitter, using the abbreviation for remote code execution. “Exploitation is trivial and a PoC published.” PoC refers to proof-of-concept code that exploits the vulnerability.
The vulnerability is tracked as CVE-2022-44877. It was discovered by Numan Türle of Gais Cyber Security and patched in October in version 0.9.8.1147. Advisories didn’t go public until earlier this month, however, making it likely some users still aren’t aware of the threat.
Figures provided by security firm GreyNoise show that attacks began on January 7 and have slowly ticked up since then, with the most recent round continuing through Wednesday. The company said the exploits are coming from four separate IP addresses located in the US, the Netherlands, and Thailand.
Shadowserver shows that there are roughly 38,000 IP addresses running Control Web Panel, with the highest concentration in Europe, followed by North America and Asia.
The severity rating for CVE-2022-44877 is 9.8 out of a possible 10. “Bash commands can be run because double quotes are used to log incorrect entries to the system,” the advisory for the vulnerability stated. As a result, unauthenticated attackers can execute malicious commands during the login process, before any credentials are checked. The following video demonstrates the flow of the exploit.
The vulnerability resides in the /login/index.php component and resulted from CWP using a faulty construct when logging incorrect login entries, according to the Daily Swig. The construct is: echo "incorrect entry, IP address, HTTP_REQUEST_URI" >> /blabla/wrong.log. Because the request URI is attacker-controlled and is placed inside a double-quoted string that the shell parses, the shell performs command substitution on anything of the form $(...) in the URI rather than treating it as data. “Since the request URI comes from the user, and as you can see it is inside double quotes, it is possible to run commands such as $(blabla), which is a bash feature,” Türle told the publication.
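The POSIX shell script below is an added example, not CWP's own code and not the published PoC. It models the faulty logging construct just described: the vulnerable function splices the request URI into command text that is handed to a shell, so a URI containing $(...) is executed; the hardened function only ever expands the URI as data, so the same text is logged literally. It assumes CWP built and passed such a command string to a shell (the exact CWP code is not shown on this page); the client IP 203.0.113.5, the payload URI, and the `looks_like_injection` triage helper are all constructed for the example.

```shell
#!/bin/sh
# Added example (not CWP's own code). It models the bug class behind CVE-2022-44877:
# a log line is built as shell command text with the request URI spliced in between
# double quotes, so the shell re-parses attacker input and executes any $(...) it finds.
# Assumption: CWP handed such a string to a shell; the exact CWP code is not shown here.

# Constructed attacker request URI. In a real attack the $(...) would hold e.g. "id"
# or a reverse-shell one-liner; "echo INJECTED" keeps the demo deterministic.
PAYLOAD_URI='/login/index.php?login=$(echo INJECTED)'

# Vulnerable pattern: $uri is expanded into the command STRING before sh parses it,
# so the $(...) inside it becomes live command substitution. Prints the line logged.
log_failed_login_vulnerable() {
    ip="$1"; uri="$2"; logfile="$3"
    sh -c "echo \"incorrect entry, $ip, $uri\" >> \"$logfile\""
    tail -n 1 "$logfile"
}

# Hardened pattern: the URI is only ever the RESULT of a variable expansion, never part
# of text the shell parses, so "$(...)" is written literally. Prints the line logged.
# (In a PHP app the equivalent is to write the log with file functions and no shell.)
log_failed_login_hardened() {
    ip="$1"; uri="$2"; logfile="$3"
    printf '%s\n' "incorrect entry, $ip, $uri" >> "$logfile"
    tail -n 1 "$logfile"
}

# Hypothetical triage helper: does a request URI carry shell command-substitution
# syntax ($(...) or backticks)? Returns 0 (true) if it does, 1 otherwise.
looks_like_injection() {
    case "$1" in
        *'$('*|*'`'*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Stand-alone demo: same input, two very different log lines.
demo_log="${TMPDIR:-/tmp}/cwp_demo_$$.log"
echo "vulnerable: $(log_failed_login_vulnerable 203.0.113.5 "$PAYLOAD_URI" "$demo_log")"
echo "hardened:   $(log_failed_login_hardened 203.0.113.5 "$PAYLOAD_URI" "$demo_log")"
rm -f "$demo_log"
```

Run it with `sh`: the vulnerable line logs `...login=INJECTED`, proving the command inside the URI ran, while the hardened line logs `...login=$(echo INJECTED)` verbatim. The fix is not to escape the URI more carefully but to keep user data out of anything the shell parses; for a PHP application that means writing the log with file functions instead of shelling out. The `looks_like_injection` check is a cheap first pass for hunting exploitation attempts in web-server access logs, though it will not catch encoded or obfuscated payloads.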
Given the ease and severity of exploitation and the availability of working exploit code, organizations using Control Web Panel should ensure they’re running version 0.9.8.1147 or higher. Since the login page is reachable without credentials, any instance whose panel is exposed to the internet and was unpatched while attacks have been under way should also be checked for signs of compromise rather than simply updated.