Author Topic: CVE-2021-45466  (Read 5139 times)

CVE-2021-45466
« on: January 26, 2022, 02:58:48 PM »
Hello all!

After reading about the CVE-2021-45466 vulnerability, I did a CWP update on my servers. The problem is that on all servers, the update returns the following errors:

Code:
rm: cannot remove ‘/usr/local/cwpsrv/htdocs/admin/user/loader.php’: Permission denied
rm: cannot remove ‘/usr/local/cwpsrv/htdocs/admin/user/index.php’: Permission denied
rm: cannot remove ‘/usr/local/cwpsrv/htdocs/admin/user/design’: Permission denied

Since these files are the vulnerable ones, should I delete them manually or am I going to break something?

All servers are running on CentOS 7.9.2009 with CWPpro version: 0.9.8.1122.

Thanks in advance,

Vassilis

Re: CVE-2021-45466
« Reply #1 on: January 26, 2022, 05:12:43 PM »
I think that it is OK to remove these files because the remove command is part of the update script, but the problem is that you can't remove these files in File Manager or via SSH using the rm command... and I tried removing them logged in as root and using the sudo command.

If you know how we can remove these files... it will help.

[]'s

Re: CVE-2021-45466
« Reply #2 on: January 26, 2022, 07:16:10 PM »
Can you post here the permissions and attributes these files have?
Use
ls -all filename
and this:
lsattr filename

Re: CVE-2021-45466
« Reply #3 on: January 26, 2022, 07:22:37 PM »
> Can you post here the permissions and attributes these files have?
> Use
> ls -all filename
> and this:
> lsattr filename

I just checked myself. They are locked. You can't delete them even with root and sudo, unless you remove the lock attribute, with root or the owner of the file.

Do I need to delete these files on my server?

Also, can someone tell me why people keep saying that CWP is open source when everything is encrypted with IonCube? How do several sites talking about this CVE show the decrypted content of these files?
« Last Edit: January 26, 2022, 07:25:29 PM by iraqiboy90 »

Re: CVE-2021-45466
« Reply #4 on: January 26, 2022, 07:55:30 PM »
How can I check if I have been targeted by this?

Re: CVE-2021-45466
« Reply #5 on: January 27, 2022, 07:43:08 AM »
> If you know how we can remove these files... it will help.

I was thinking of connecting to the server through the emergency console and deleting the files. I can't think of some other way.

Anyway, before we take any actions, I think that the developers should give us an answer to this.

Re: CVE-2021-45466
« Reply #6 on: January 27, 2022, 10:48:10 AM »
> > If you know how we can remove these files... will help.
>
> I was thinking of connecting to the server through the emergency console and delete the files. I can't think of some other way.
>
> Anyway, before we take any actions, I think that the developers should give us an answer to this.

You can delete the files with:
To unlock the file:
Code:
chattr -i file
To delete:
Code:
rm file
But don't do it yet. I'm waiting for the devs to say something as well.
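
The checks asked for in Reply #2 and the lock described in Reply #3, as an added example that is not part of any post in this thread or of CWP: a read-only shell script that prints `ls -ld` for each path given and classifies the flag field reported by `lsattr`. The function names are made up for this example, and it also reports the append-only flag, which the thread does not mention.

```shell
#!/bin/sh
# Added example (not from the thread): read-only report of mode, owner and
# lock attributes for each path given on the command line, e.g.
#   sh check_locks.sh /usr/local/cwpsrv/htdocs/admin/user/loader.php
# Function names are made up for this example. Nothing is modified.

# lock_state FLAGS: classify the flag field printed by lsattr.
# Lowercase 'i' = immutable, lowercase 'a' = append-only; either one stops
# rm, even for root. Uppercase 'I' is an unrelated flag, and `case` is
# case-sensitive, so it is not mistaken for a lock.
lock_state() {
    case "$1" in
        *i*a*|*a*i*) echo "immutable+append-only" ;;
        *i*)         echo "immutable" ;;
        *a*)         echo "append-only" ;;
        *)           echo "none" ;;
    esac
}

# classify_line LINE: turn one "<flags> <path>" line of lsattr output into
# "<state><TAB><path>". Only the first space splits, so paths may contain spaces.
classify_line() {
    flags=${1%% *}
    path=${1#* }
    printf '%s\t%s\n' "$(lock_state "$flags")" "$path"
}

# report_path PATH: print `ls -ld` for PATH, then its lock state.
report_path() {
    if [ ! -e "$1" ] && [ ! -L "$1" ]; then
        printf 'missing\t%s\n' "$1"
        return 0
    fi
    ls -ld -- "$1"
    # -d makes lsattr report a directory itself, not the files inside it.
    if line=$(lsattr -d -- "$1" 2>/dev/null); then
        classify_line "$line"
    else
        printf 'unknown\t%s\n' "$1"   # lsattr missing or filesystem unsupported
    fi
}

for p in "$@"; do
    report_path "$p"
done
```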

Re: CVE-2021-45466
« Reply #7 on: January 27, 2022, 02:52:54 PM »
Already fixed and you didn't need to do anything, just stay updated (CWP).

Re: CVE-2021-45466
« Reply #8 on: January 27, 2022, 03:12:42 PM »
> Already fixed and you didn't need to do anything, just stay updated (CWP).

Nothing changed... the error in the update_cwp script persists when it tries to remove these files.

« Last Edit: January 27, 2022, 03:44:28 PM by ehstbr »

Re: CVE-2021-45466
« Reply #9 on: January 29, 2022, 11:29:03 AM »
This shouldn't do any harm.