Vulnerability With 9.8 Severity in Control Web Panel is Under Active Exploit (arstechnica.com)

Malicious hackers have begun exploiting a critical vulnerability in unpatched versions of the Control Web Panel, a widely used interface for web hosting. ArsTechnica reports: "This is an unauthenticated RCE," members of the Shadowserver group wrote on Twitter, using the abbreviation for remote code exploit. "Exploitation is trivial and a PoC published." PoC refers to a proof-of-concept code that exploits the vulnerability. The vulnerability is tracked as CVE-2022-44877. It was discovered by Numan Turle of Gais Cyber Security and patched in October in version 0.9.8.1147. Advisories didn't go public until earlier this month, however, making it likely some users still aren't aware of the threat.

Figures provided by Security firm GreyNoise show that attacks began on January 7 and have slowly ticked up since then, with the most recent round continuing through Wednesday. The company said the exploits are coming from four separate IP addresses located in the US, Netherlands, and Thailand. Shadowserver shows that there are roughly 38,000 IP addresses running Control Web Panel, with the highest concentration in Europe, followed by North America, and Asia. The severity rating for CVE-2022-44877 is 9.8 out of a possible 10. "Bash commands can be run because double quotes are used to log incorrect entries to the system," the advisory for the vulnerability stated. As a result, unauthenticated hackers can execute malicious commands during the login process.

  • who cares, this is just the first you *noticed*
  • Ty, /., to raise awareness (and contribute to prioritization)
  • by cstacy ( 534252 ) on Friday January 13, 2023 @10:58AM (#63205778)

    "Criminal"? Really? You want having a bug, especially an obscure one that goes undetected for many years, to be grounds for imprisonment?

    Do you also believe that programmers should be licensed, like civil engineers? And that individuals should not be allowed to release software (only state-authorized firms)? Talk about software "freedom"!

    Maybe a better idea would be for there to be organizations, some private and some sponsored by the government, to search, identify, and help mitigate software security bugs. And let the free market of ideas and money figure out how to evaluate the impact and value of the responses. Oh, wait -- we already have that. Which is why you're reading about this cPanel vulnerability.

    That being said, it is obvious that modern civilization is always about three weeks away from total collapse due to the fragility of the whole infrastructure's reliance on technology. (Not just software, but vulnerable software is everywhere in it.)

    • by znrt ( 2424692 )

      cPanel vulnerability

      it's "control web panel", not "cpanel". ok, same crap, but different. maybe the problem starts when people without a clue about web security go on to administer web security, they obviously find these kind of tools very useful but ... still have no clue what they're sitting on. a web interface with access to administrator privilege, what could possibly go wrong?

      i'm not saying web development can't be secured, tech has evolved a great deal. but it's hard and it's just a huge and complex attack surface which

    • Do you also believe that programmers should be licensed, like civil engineers? And that individuals should not be allowed to release software (only state-authorized firms)? Talk about software "freedom"!

      I do think that people who want to call themselves "software engineers" should be licensed, just like civil engineers. If a software engineer signs off on a piece of software, he is liable if it has flaws which cause it to fail.

      Computer programmers who are not licensed can call themselves "computer programmers". They will be much less expensive than software engineers, but will not be liable if their software has flaws.

  • by Pinky's Brain ( 1158667 ) on Friday January 13, 2023 @11:19AM (#63205850)

    All the greatest sources of exploits for the last couple of decades have been caused by using adversarial data with inputs with in-band signalling.

    Expecting developers to always sanitize inputs or keep out of band constraints (buffer length) in check with the inband signal (null termination) has proven to be a failed hope.

    SQL, C strings, shell CGI, printf formatting, HTML, XML are all fundamentally mismatched with human developers. If input can come from adversarial sources, APIs need blob interfaces: every string a length, no in-band signalling (no special characters, no escape codes, no null, no nothing).

  • SSH is inconvenient for a reason. Well, okay, it's inconvenient for several reasons.

    The more convenient the method to access a system is, the less secure it is. Inconvenience, however, doesn't equate to security, but it does introduce a lot of inertia, which humans seem to despise.

    • by Junta ( 36770 ) on Friday January 13, 2023 @01:34PM (#63206304)

      I don't find SSH particularly inconvenient...

      In this case, the 'convenience' was a programmer for who the hell knows why putting shell in the stream of processing log data, including bad authentication. Further, not just putting shell in the stream, but passing a command string, rather than pre-parsed argv...

      This is multiple failures of very basic mistakes being made.
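The two points above (in-band signalling in shell strings, and passing a command string instead of a pre-parsed argv) illustrated as added example code that is not from the original thread or from the Control Web Panel project. The constructed username, log path and the Python one-liner standing in for an external logging tool are assumptions for illustration; the flawed pattern is only built as a string and tokenised, never executed.

```python
import shlex
import subprocess
import sys
import tempfile
from pathlib import Path

# Constructed sample input: a failed-login "username" carrying a closing quote
# and a command substitution, the kind of input the advisory describes.
SAMPLE_USER = 'x" $(date) "'


def build_shell_log_command(username: str, logfile: str) -> str:
    """The flawed pattern, shown only as a string and never executed:
    the untrusted username is interpolated inside a double-quoted shell
    command, so a quote in the input ends the literal early."""
    return f'echo "Failed login for user {username}" >> {logfile}'


def shell_words(command: str) -> list[str]:
    """Tokenise like a POSIX shell would, to show where the literal ends."""
    return shlex.split(command)


def log_failed_login(username: str, logfile: Path) -> str:
    """Hardened: the log write never touches a shell. Non-printable
    characters are replaced so the entry cannot forge extra log lines."""
    clean = "".join(ch if ch.isprintable() else "?" for ch in username)
    line = f"Failed login for user {clean!r}\n"
    with logfile.open("a", encoding="utf-8") as fh:
        fh.write(line)
    return line


def echo_via_argv(username: str) -> str:
    """If an external program must be called, pass a pre-parsed argv and no
    shell: the username arrives as one argument, whatever it contains.
    A Python one-liner stands in for the external tool so this runs anywhere."""
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", username],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout.rstrip("\n")


if __name__ == "__main__":
    words = shell_words(build_shell_log_command(SAMPLE_USER, "/tmp/login.log"))
    print("shell would see these words:", words)
    logfile = Path(tempfile.mkdtemp()) / "login.log"
    print("hardened entry:", log_failed_login(SAMPLE_USER + "\nforged", logfile))
    print("argv boundary held:", echo_via_argv(SAMPLE_USER) == SAMPLE_USER)
```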

  • by 93 Escort Wagon ( 326346 ) on Friday January 13, 2023 @12:24PM (#63206064)

    TFA claims it's "widely used" - is it, really? Not anything I've heard of (and certainly nothing I use).

    • A ton of web-hosting companies offer it up as the client interface to their low-budget infrastructure for newbie websites. You gotta look at this management software from those two different stakeholder perspectives and requirements. This ain't cool stuff for slashdot nerds that know how to host/serve better.

      • Even then, as a techie who isn't deeply rooted in the web hosting field, I've never heard of it either. Neither has Wikipedia, for that matter.

        Which is not to slight the devs of this project. But it does make me wonder just how widely used it is. (Whereas if this was cPanel, for example, all hell on Earth would be breaking loose)

  • ... editing your Apache config files by hand.
