Full Report
Detect and mitigate CVE-2022-44877, a CentOS Control Web Panel (CWP) unauthenticated RCE exploited in the wild. Security teams are advised to patch urgently.
Analysis Summary
# Vulnerability: Critical RCE in Control Web Panel (CWP) via Unquoted Bash Command Execution
## CVE Details
- CVE ID: CVE-2022-44877
- CVSS Score: 9.8 (Critical)
- CWE: (Not explicitly mentioned, flaw relates to command injection)
## Affected Systems
- Products: Control Web Panel (CWP) / CentOS Web Panel
- Versions: Prior to version `0.9.8.1147`
- Configurations: Any unpatched installation. Exploitation runs with the privilege level of CWP (often `root` by default).
## Vulnerability Description
The vulnerability exists in unpatched versions of Control Web Panel (CWP). It allows an unauthenticated attacker to achieve Remote Code Execution (RCE) by leveraging an input flaw where logging incorrect entries allows for the execution of embedded Bash commands, specifically when double quotation marks are used in the input. Successful exploitation grants the attacker code execution rights with the same privileges as the CWP process, which is frequently `root`.
## Exploitation
- Status: Exploited in the wild (Mass exploitation observed since Jan 6, 2023)
- Complexity: Low (Due to unauthenticated RCE potential)
- Attack Vector: Network
## Impact
- Confidentiality: High (Remote command execution with root privileges)
- Integrity: High (Remote command execution with root privileges)
- Availability: High (Remote code execution)
## Remediation
### Patches
- Upgrade CWP to version `0.9.8.1147` or later.
### Workarounds
- No specific workarounds were detailed, but the primary recommendation is immediate patching. Monitoring for signs of unauthorized access is crucial given the active exploitation.
## Detection
- **Indicators of compromise (Observed Attackers):**
- `206.189.170.136`
- `185.117.73.208`
- `157.230.62.113`
- `180.183.132.35`
- **Detection methods and tools:** Monitor network traffic and system logs for successful exploitation patterns or connections originating from the malicious IP addresses listed above. Wiz customers can utilize the pre-built query in the Wiz Threat Center.
## References
- Vendor advisories: Fix available since October 25, 2022.
- Relevant links - defanged:
- hxxps[:]//gist.github[.]com/numanturle/c1e82c47f4cba24cff214e904c227386
- hxxps[:]//twitter[.]com/1ZRR4H/status/1613235576626372608
- hxxps[:]//www[.]bleepingcomputer[.]com/news/security/hackers-exploit-control-web-panel-flaw-to-open-reverse-shells/
- hxxps[:]//cloudsek[.]com/threatintelligence/poc-for-high-impact-rce-vulnerability-in-centos-web-panel-7-cve-2022-44877-increases-risk-of-attacks/
- hxxps[:]//thehackernews[.]com/2023/01/alert-hackers-actively-exploiting[.]html
- hxxps[:]//viz[.]greynoise[.]io/query/?gnql=tags%3A%22CentOS%20Web%20Panel%20RCE%20CVE-2022-44877%20Attempt%22