CVE-2023-42121: Critical Control Web Panel RCE Vulnerability

CVE-2023-42121

In the vast, intricate world of web hosting, the Control Web Panel (CWP) emerges as a beacon of relief for managing web servers and websites. With its user-friendly interface, expansive customization options, and compatibility with a wide array of Linux distributions such as AlmaLinux, CentOS, and Debian, it stands as a commendable alternative to its commercial counterparts like cPanel and Plesk. However, recent security vulnerabilities discovered in CWP could allow attackers to compromise CWP systems and gain access to sensitive data.

CVE-2023-42121

CVE-2023-42120 (ZDI-23-1477): Web Panel dns_zone_editor Command Injection Remote Code Execution Vulnerability

Embarking upon the vulnerabilities list, the CVE-2023-42120 uncovers a substantial chink in the armor. Exhibiting a CVSS score of 8.8, this vulnerability lays bare a flaw within the dns_zone_editor module, permitting remote attackers the capacity to execute arbitrary code on impacted Control Web Panel installations. Although exploiting this vulnerability mandates authentication, the absence of rigorous validation of a user-supplied string prior to its utilization for a system call stands as a glaring loophole. Attackers, exploiting this, gain the potential to execute code within the almighty context of root.

CVE-2023-42121 (ZDI-23-1478): Control Web Panel Missing Authentication Remote Code Execution Vulnerability

Segueing into the next vulnerability, CVE-2023-42121, we witness a more dire situation, mirrored by its towering CVSS score of 9.8. In this scenario, the absence of authentication before granting access to functionality within the web interface emerges as a critical flaw. This vulnerability eschews the necessity for authentication, thereby allowing remote attackers unbridled access to execute arbitrary code on affected installations of the Control Web Panel. Such an oversight in the implementation of authentication can result in execution in the context of a valid CWP user, exacerbating the potential damage manifold.

CVE-2023-42122 (ZDI-23-1479): Control Web Panel wloggui Command Injection Local Privilege Escalation Vulnerability

CWP’s security concerns do not conclude here, with CVE-2023-42122 further amplifying the distress. This vulnerability permits local attackers to amplify their privileges on impacted Control Web Panel installations. Despite the requirement for attackers to first attain the capability to execute low-privileged code on the target system, the flaw within the cwpsrv process stands out as a substantial threat. The inadequate validation of a user-supplied string before its use for executing a system call empowers attackers to augment privileges and execute code in the supreme context of root.

CVE-2023-42123 (ZDI-23-1476): Control Web Panel mysql_manager Command Injection Remote Code Execution Vulnerability

Concluding the vulnerabilities list, CVE-2023-42123 uncovers a significant flaw within the mysql_manager module, once again permitting remote attackers to execute arbitrary codes on the affected installations of CWP. This, much like the vulnerability within the dns_zone_editor, necessitates authentication for exploitation. The prevalent issue of inadequate user-supplied string validation before a system call execution re-emerges, leaving the door ajar for code execution in the context of root.

Security researcher Muhammad Ikhsanudin has been credited with discovering and reporting these flaws to the Control Web Panel developers via the Zero Day Initiative.

If you are using CWP, it is important to update to the latest version of the software as soon as possible to mitigate these security vulnerabilities.