DIVD-2023-00003 - OS command injection in CentOS CWP
| Our reference | DIVD-2023-00003 |
| Case lead | Max van der Horst |
| Researcher(s) | |
| CVE(s) | |
| Product | CentOS Control Web Panel 7 |
| Versions |
|
| Recommendation | Upgrade to the latest version of CentOS CWP. |
| Status | Closed |
| Last modified | 08 Mar 2023 16:08 |
Summary
An unauthenticated OS Command Injection vulnerability has been identified inside CentOS CWP 7 before version 0.9.8.1147. The login/index.php endpoint contains a vulnerable parameter, allowing unauthenticated attackers to execute bash commands. Misuse of this vulnerability could lead to the compromise of your system.
What you can do
Upgrade your CentOS CWP version to the patched version of 0.9.8.1147 or 0.9.8.1149 (latest).
What we are doing
DIVD is currently working to identify vulnerable parties and notify these. We do this by scanning for exposed CWP instances and examining this instance to determine whether the vulnerability is present. Owners of vulnerable instances receive a notification with the host information and remediation steps.
Timeline
| Date | Description |
|---|---|
| 06 Jan 2023 | Proof of Concept published on Github |
| 11 Jan 2023 | DIVD starts research on this vulnerability. |
| 20 Jan 2023 | DIVD conducts first scan. |
| 12 Feb 2023 | DIVD sends first round of notifications. |
| 22 Feb 2023 | DIVD closes case. |
gantt
title DIVD-2023-00003 - OS command injection in CentOS CWP
dateFormat YYYY-MM-DD
axisFormat %e %b %Y
section Case
DIVD-2023-00003 - OS command injection in CentOS CWP (42 days) :2023-01-11, 2023-02-22
section Events
Proof of Concept published on Github : milestone, 2023-01-06, 0d
DIVD starts research on this vulnerability. : milestone, 2023-01-11, 0d
DIVD conducts first scan. : milestone, 2023-01-20, 0d
DIVD sends first round of notifications. : milestone, 2023-02-12, 0d
DIVD closes case. : milestone, 2023-02-22, 0d