Vulnerability With 9.8 Severity in Control Web Panel is Under Active Exploit (arstechnica.com)
Malicious hackers have begun exploiting a critical vulnerability in unpatched versions of the Control Web Panel, a widely used interface for web hosting. ArsTechnica reports: "This is an unauthenticated RCE," members of the Shadowserver group wrote on Twitter, using the abbreviation for remote code exploit. "Exploitation is trivial and a PoC published." PoC refers to proof-of-concept code that exploits the vulnerability. The vulnerability is tracked as CVE-2022-44877. It was discovered by Numan Turle of Gais Cyber Security and patched in October in version 0.9.8.1147. Advisories didn't go public until earlier this month, however, making it likely some users still aren't aware of the threat.
Figures provided by security firm GreyNoise show that attacks began on January 7 and have slowly ticked up since then, with the most recent round continuing through Wednesday. The company said the exploits are coming from four separate IP addresses located in the US, Netherlands, and Thailand. Shadowserver shows that there are roughly 38,000 IP addresses running Control Web Panel, with the highest concentration in Europe, followed by North America, and Asia. The severity rating for CVE-2022-44877 is 9.8 out of a possible 10. "Bash commands can be run because double quotes are used to log incorrect entries to the system," the advisory for the vulnerability stated. As a result, unauthenticated hackers can execute malicious commands during the login process.
Re:Prison Terms (Score:4, Informative)
Security vulnerabilities will happen. It should be criminal not to update software; companies not deploying updates/patches should be the ones prosecuted.
We can have this discussion as soon as companies are mandated to isolate security updates from other program updates. I can't tell you how many times there have been terrible, needless UI revamps, hardware compatibility deprecation, API/scripting functionality changes, or other workflow-breaking things that have been bundled in with security patches. Now, it's a matter of either causing known problems that are highly visible to everyone, or gambling that a vulnerability could possibly be exploited. The math isn't always black-and-white.
I remember several years ago, I had a Thinkpad with Windows 10 (Like, 2018 or so). It ran some software to run my intelligent lighting fixtures, and the day of an event I was using it for...it had an update. That update caused a boot loop and I couldn't control my lights for the event. That is the very outcome "security updates" are intended to protect against, right? I didn't install StopUpdates10 [greatis.com] for the very concerns described here, and yet, the update caused more problems than the vulnerability.
Similarly, I had a friend whose laptop came with BitLocker enabled out of the box. The machine was given a firmware update as a part of the monthly patch cycle, and said friend didn't have the BitLocker key, because they didn't know the function was enabled. So, firmware gets installed, and it trips the BitLocker key request...so, my friend lost all his data. Again, exactly the sort of outcome "security updates" are intended to protect against, right?
A client at work uses a Mailcow server for their e-mail. They use Outlook on the desktops with the ActiveSync connector. Well, one update of the server, and ActiveSync broke for everyone and nobody was able to get their e-mail until the server was rolled back.
Now, a good amount of these things have been resolved, especially the Microsoft ones...and yes, we'll agree that there are some lazy sysadmins out there who just don't patch. However, at some point, there needs to be an honest conversation about the fact that "just update everything everywhere ever" is also a form of laziness. To the specific example in the article, the score is a smidge different because it's a part of a hosting service rather than internal infrastructure...but if we're going to talk about jail time for anyone involved, we have to address some of the underlying issues as to why sudo apt-get update wasn't run.
This is a multifaceted problem.
Re: (Score:3)
We can have this discussion as soon as companies are mandated to isolate security updates from other program updates. I can't tell you how many times there have been terrible, needless UI revamps, hardware compatibility depreciation, API/scripting functionality changes, or other workflow-breaking things that have been bundled in with security patches.
That's Windows for you. But there's a whole 'nother world of server software out there [linux.org] - one where this sort of thing doesn't really happen (at least to anyone who's not doing dumb stuff like putting Fedora on a server).
Linux LTS releases are a great thing.
Re: Prison Terms (Score:1)
The main and maybe the only negative about closed source is you don't know who is actually contributing to a given project. Plenty of closed source software have privileged people pushing open source upstream just on the strength of association in the private discussion. And it's hard to see downstream workflow in closed source.
Re: (Score:2)
We can have this discussion as soon as companies are mandated to isolate security updates from other program updates.
It's more complicated than it sounds. You often end up having to fork a branch from your release tag (they tag their release, right? ;) and backport anything needed for the security fix to that branch. As the number of releases and security only fixes rise, you may end up with several branches to maintain. It is done for critical and expensive software although...
also need min free update times for stuff like car (Score:2)
Also need minimum free update times for stuff like cars.
So there is no "your car is more than 3 years old and you need to buy a new car to get updates."
criminal negligence in software (Score:4, Interesting)
"Criminal"? Really? You want having a bug, especially an obscure one that goes undetected for many years, to be grounds for imprisonment?
Do you also believe that programmers should be licensed, like civil engineers? And that individuals should not be allowed to release software (only state-authorized firms)? Talk about software "freedom"!
Maybe a better idea would be for there to be organizations, some private and some sponsored by the government, to search, identify, and help mitigate software security bugs. And let the free market of ideas and money figure out how to evaluate the impact and value of the responses. Oh, wait -- we already have that. Which is why you're reading about this cPanel vulnerability.
That being said, it is obvious that modern civilization is always about three weeks away from total collapse due to the fragility of the whole infrastructure's reliance on technology. (Not just software, but vulnerable software is everywhere in it.)
Re: (Score:2)
cPanel vulnerability
It's "Control Web Panel", not "cPanel". OK, same crap, but different. Maybe the problem starts when people without a clue about web security go on to administer web security; they obviously find these kinds of tools very useful but... still have no clue what they're sitting on. A web interface with access to administrator privilege, what could possibly go wrong?
I'm not saying web development can't be secured; tech has evolved a great deal. But it's hard and it's just a huge and complex attack surface which
software engineers != computer programmers (Score:2)
Do you also believe that programmers should be licensed, like civil engineers? And that individuals should not be allowed to release software (only state-authorized firms)? Talk about software "freedom"!
I do think that people who want to call themselves "software engineers" should be licensed, just like civil engineers. If a software engineer signs off on a piece of software, he is liable if it has flaws which cause it to fail.
Computer programmers who are not licensed can call themselves "computer programmers". They will be much less expensive than software engineers, but will not be liable if their software has flaws.
In band signalling considered harmful (Score:3, Insightful)
All the greatest sources of exploits for the last couple of decades have been caused by feeding adversarial data to inputs that use in-band signalling.
Expecting developers to always sanitize inputs or keep out-of-band constraints (buffer length) in check with the in-band signal (null termination) has proven to be a failed hope.
SQL, C strings, shell CGI, printf formatting, HTML, XML are all fundamentally mismatched with human developers. If input can come from adversarial sources, APIs need blob interfaces: every string a length, no in-band signalling (no special characters, no escape codes, no NUL, no nothing).
Convenience is the antithesis of security (Score:2)
SSH is inconvenient for a reason. Well, okay, it's inconvenient for several reasons.
The more convenient that the method to access a system is, the less secure that it is. Inconvenience, however, doesn't equate to security, but it does introduce a lot of inertia, which humans seem to despise.
Re:Convenience is the antithesis of security (Score:4, Informative)
I don't find SSH particularly inconvenient...
In this case, the 'convenience' was a programmer who, for who the hell knows why, put shell in the stream of processing log data, including bad authentication. Further, not just putting shell in the stream, but passing a command string rather than pre-parsed argv...
This is multiple very basic mistakes being made.
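The advisory's description ("double quotes are used to log incorrect entries"), the in-band signalling comment earlier in the thread, and the "command string rather than pre-parsed argv" point just above all describe the same bug class: attacker-controlled request data is pasted into a string that a shell then parses. The Python example below is added here to show that mechanism and its fix side by side; it is not CWP's source, nor code from Ars or any commenter. The log line format, the IP address, the request URI payload and the function names are constructed for illustration, and the vulnerable function models the pattern the advisory describes rather than reproducing the actual CWP login script. Inside double quotes, sh still performs `$(...)` command substitution, which is why the "protection" of quoting the log line does nothing.

```python
"""Command injection via a double-quoted shell string vs. shell-free logging.

Constructed illustration of the pattern described in the CVE-2022-44877
advisory (request data interpolated into a double-quoted shell command used
for logging). Not CWP's actual source; all names and sample data are made up.
"""
import os
import subprocess
import sys
import tempfile

# Constructed log format; the real CWP line may differ.
LOG_TEMPLATE = "incorrect entry, IP address ({ip}), HTTP_REQUEST_URI ({uri})"


def vulnerable_log_failed_login(ip: str, uri: str, logfile: str) -> None:
    """Logs by handing a *string* to /bin/sh (the bad pattern).

    Double quotes suppress word splitting and globbing, but sh still performs
    $(...) / `...` command substitution and $VAR expansion inside them, so any
    shell syntax in `uri` (which the client controls) is executed.
    """
    line = LOG_TEMPLATE.format(ip=ip, uri=uri)
    cmd = f'echo "{line}" >> "{logfile}"'
    subprocess.run(cmd, shell=True, check=False)


def hardened_log_failed_login(ip: str, uri: str, logfile: str) -> None:
    """Same log line, no shell: request data is only ever written as bytes."""
    with open(logfile, "a", encoding="utf-8") as fh:
        fh.write(LOG_TEMPLATE.format(ip=ip, uri=uri) + "\n")


def argv_echo(text: str) -> str:
    """If a child process is genuinely needed, pass a pre-split argv list with
    shell=False: no shell ever parses the string, so metacharacters stay
    literal. sys.executable is the child here so the demo needs no extra tools.
    """
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", text],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout.rstrip("\n")


def looks_like_shell_injection(uri: str) -> bool:
    """Cheap triage check for request URIs in web/access logs: command
    substitution or parameter expansion has no business in a login request.
    (Heuristic only; URL-encoded variants would need decoding first.)"""
    return any(tok in uri for tok in ("$(", "`", "${"))


def _read(path: str) -> str:
    if not os.path.exists(path):
        return ""
    with open(path, encoding="utf-8") as fh:
        return fh.read()


def demo() -> dict:
    """Runs both loggers against a constructed malicious URI; reports results."""
    with tempfile.TemporaryDirectory() as tmp:
        marker = os.path.join(tmp, "marker")
        # Constructed payload: command substitution embedded in the request path.
        evil_uri = f"/login/index.php?login=$(echo pwned > {marker})"
        ip = "203.0.113.7"  # RFC 5737 documentation address

        vuln_log = os.path.join(tmp, "vuln.log")
        vulnerable_log_failed_login(ip, evil_uri, vuln_log)
        vuln_fired = os.path.exists(marker)   # True: the shell ran the payload
        vuln_text = _read(vuln_log)           # payload text is gone from the log
        if vuln_fired:
            os.remove(marker)

        safe_log = os.path.join(tmp, "safe.log")
        hardened_log_failed_login(ip, evil_uri, safe_log)
        safe_fired = os.path.exists(marker)   # False: nothing executed

        return {
            "vulnerable_executed_payload": vuln_fired,
            "vulnerable_log": vuln_text,
            "hardened_executed_payload": safe_fired,
            "hardened_log": _read(safe_log),  # literal "$(echo pwned ...)" kept
            "argv_roundtrip": argv_echo(evil_uri),
            "flagged": looks_like_shell_injection(evil_uri),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
</```

Note that the hardened version does not try to sanitize the URI; it simply never gives a shell the chance to interpret it, which is the "data is data" discipline the in-band signalling comment argues for. The `argv_echo` round trip shows the same property for the case where a child process really is required.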
Control Web Panel? (Score:3)
TFA claims it's "widely used" - is it, really? Not anything I've heard of (and certainly nothing I use).
Re: (Score:2)
A ton of web-hosting companies offer it up as the client interface to their low-budget infrastructure for newbie websites. You gotta look at this management software from those two different stakeholder perspectives and requirements. This ain't cool stuff for slashdot nerds that know how to host/serve better.
Re: (Score:2)
Even then, as a techie who isn't deeply rooted in the web hosting field, I've never heard of it either. Neither has Wikipedia, for that matter.
Which is not to slight the devs of this project. But it does make me wonder just how widely used it is. (Whereas if this was cPanel, for example, all hell on Earth would be breaking loose)
Re: (Score:2)
It seems to be a competitor to cPanel - which is the one I've heard of (but still, haven't used at all).