These critical security bugs put Linux servers at risk of attack

Researchers have discovered that Control Web Panel (CWP), a popular web hosting management software, carried with it two flaws which, when chained together, lead to a remote code execution (RCE) vulnerability on certain Linux-powered servers.

A report from Octagon Networks researcher Paulos Yibelo details two vulnerabilities in CWP: CVE-2021-45467 and CVE-2021-45466. CWP supports CentOS, Rocky Linux, Alma Linux, and Oracle Linux.

The blog post gets very technical about the vulnerabilities, but the short version is that some parts of the CWP panel are exposed in the webroot without authentication.

Exposed

“Turns out, not a lot is exposed,” the blog post concludes. 

Yibelo said the team will release a full proof-of-concept for red teams, one that achieves pre-auth RCE, once enough servers have migrated to the latest versions and the threat is thereby mitigated.

It's been a tough week for Linux fans, as researchers from Qualys also recently identified a decade-old, “extremely severe” vulnerability affecting every major distribution of the operating system (OS).

Mitigating high severity threats

The vulnerability, “hiding in plain sight” for more than 12 years, is a memory corruption bug in polkit’s pkexec.

As the researchers explain, pkexec is a SUID-root program installed by default. Malicious actors could exploit the bug to gain full root privileges on the target machine and then do as they please, including installing malware or ransomware.

Also recently, a high-severity vulnerability was found in Ubuntu that allows malicious actors to crash the system or run software with administrator privileges.

The vulnerability, tracked as CVE-2022-0185, allegedly affects all of the Ubuntu releases that are still being supported. That includes Ubuntu 21.10 Impish Indri with Linux kernel 5.13, Ubuntu 21.04 Hirsute Hippo with Linux kernel 5.11, Ubuntu 20.04 LTS Focal Fossa, and Ubuntu 18.04 LTS Bionic Beaver, both with Linux kernel 5.4 LTS.

As usual, admins are urged to update their systems to the latest version as soon as possible.

Via: ThreatPost

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
