
CentOS exploit news report

Author: 小樊 | 2025-09-28 17:17:40 | Column: Intelligent O&M

CentOS Exploit Recent News and Vulnerabilities (2025)

1. CentOS Web Panel (CWP) Remote Code Execution (CVE-2025-48703)

Critical unauthenticated RCE in CentOS Web Panel (CWP), a widely used free control panel for CentOS-family servers. The flaw chains two issues: an authentication bypass in the file manager (the user identifier in the request URL is trusted, so removing it grants access without credentials) and OS command injection in the t_total parameter of the permission-change function, whose value is passed unsanitised into a shell chmod command. An attacker sends a crafted HTTP request (the published proof of concept uses curl with a reverse-shell payload) and obtains shell command execution on the host; no credentials and no prior root access are required.

  • Impact: More than 200,000 internet-exposed CWP instances were reported. Versions 0.9.8.1204 and earlier are vulnerable (the flaw was confirmed on 0.9.8.1188 and 0.9.8.1204); successful exploitation leads to full system compromise, data theft, or use of the server as a pivot point.
  • Mitigation: Upgrade to CWP 0.9.8.1205 (released June 2025). Disable CWP modules you do not use and restrict access to the panel's ports to trusted source addresses with firewall rules; a management panel should not be reachable from the open internet. Where the panel sits behind a reverse proxy or WAF, log the full request so that injection attempts in parameters such as t_total can be reviewed.
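The two halves of the CWP issue, as an added example that is not CWP's own code: a hypothetical stand-in for the injectable chmod pattern next to a hardened version (octal-mode allowlist, path confinement, argv instead of a shell string), plus a scan of constructed access-log lines for injection attempts in a t_total-style parameter. The endpoint `/fm.php`, the log lines and the parameter names other than t_total are assumptions for the example.

```python
import os
import re
from urllib.parse import parse_qs, urlsplit

OCTAL_MODE = re.compile(r"[0-7]{3,4}")      # the only thing chmod should ever see
SHELL_META = re.compile(r"[;|&`$<>\n]")     # characters that only matter to a shell


def chmod_cmdline_unsafe(path: str, t_total: str) -> str:
    """Hypothetical stand-in for the injectable pattern: the raw parameter is
    spliced into a shell command line, so t_total="755;id" makes the shell run
    "id" after chmod. The string is returned, never executed here."""
    return f"chmod {t_total} {path}"


def chmod_argv_safe(path: str, t_total: str, home: str) -> list:
    """Hardened form: accept only a 3-4 digit octal mode, confine the target to
    the caller's home directory, and return an argv list for subprocess.run()
    (no shell is involved, so metacharacters are inert data)."""
    if not OCTAL_MODE.fullmatch(t_total):
        raise ValueError(f"mode must be 3-4 octal digits, got {t_total!r}")
    home_real = os.path.realpath(home)
    target = os.path.realpath(path)
    if target != home_real and not target.startswith(home_real + os.sep):
        raise ValueError(f"{path!r} is outside {home!r}")
    return ["chmod", t_total, target]


# Combined-format access-log line (constructed format, not real CWP traffic).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_params(target: str, names=("t_total",)) -> dict:
    """Return {name: value} for watched parameters whose value is not a bare octal mode."""
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)
    bad = {}
    for name in names:
        for value in qs.get(name, []):
            if SHELL_META.search(value) or not OCTAL_MODE.fullmatch(value):
                bad[name] = value
    return bad


def scan_access_log(lines):
    """Return (client_ip, timestamp, bad_params) for requests carrying injection attempts."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        bad = suspicious_params(m["target"])
        if bad:
            hits.append((m["ip"], m["ts"], bad))
    return hits


# Constructed sample lines. The parameter is shown in the query string so that
# it reaches the access log; a POST body needs a WAF or request-logging proxy.
ACCESS_LOG = [
    '203.0.113.10 - - [28/Sep/2025:17:10:01 +0000] "GET /fm.php?fileName=notes.txt&t_total=644 HTTP/1.1" 200 512',
    '198.51.100.7 - - [28/Sep/2025:17:10:05 +0000] "GET /fm.php?fileName=x&t_total=755%3Bid HTTP/1.1" 200 512',
    '203.0.113.10 - - [28/Sep/2025:17:10:09 +0000] "GET /index.php HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, ts, bad in scan_access_log(ACCESS_LOG):
        print(f"{ts} {ip} injection attempt: {bad}")
```

The hardened function rejects the payload before anything is executed, and the scan flags the second log line because `755%3Bid` decodes to `755;id`, which is neither a plain octal mode nor free of shell metacharacters.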

2. Linux Kernel KSMBD Subsystem Denial of Service (CVE-2025-38501)

Resource-exhaustion flaw in KSMBD, the in-kernel SMB server. An unauthenticated remote attacker opens thousands of TCP connections to port 445 that never complete the SMB handshake; each one holds a connection slot until it times out, so the server's connection limit is reached and legitimate SMB clients (file sharing, authentication) are refused.

  • Impact: Affects kernels that ship KSMBD (merged into mainline in Linux 5.15). Critical for enterprises that rely on the in-kernel SMB server for file sharing; hosts using Samba in user space are not affected by this bug.
  • Mitigation: Upgrade to a kernel that carries the fix (the upstream patch limits repeated connections from a single client IP; check your distribution's backport). Until then, rate-limit new connections to TCP port 445 per source address at the firewall and tighten KSMBD's connection settings (shorter handshake timeout, smaller connection backlog).
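A quick way to see whether one source is hoarding SMB connection slots, as an added example (not kernel or ksmbd code): parse `ss -Htan` output, count sockets per peer on the local SMB port, and flag peers above a threshold. The snapshot below is constructed, and the threshold of 64 is an assumption to tune against your normal client population.

```python
import re
from collections import Counter

# One `ss -Htan` line: State Recv-Q Send-Q Local:Port Peer:Port
SS_LINE = re.compile(r"^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)")


def split_addr(addr: str):
    """'10.0.0.5:445' -> ('10.0.0.5', 445); '[::1]:445' -> ('::1', 445); '*' port -> None."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def smb_peers(ss_lines, port=445, states=("ESTAB", "SYN-RECV")) -> Counter:
    """Count sockets per peer IP on the local SMB port, in the given TCP states."""
    peers = Counter()
    for line in ss_lines:
        m = SS_LINE.match(line)
        if not m or m["state"] not in states:
            continue
        _, lport = split_addr(m["local"])
        if lport != port:
            continue
        peer_ip, _ = split_addr(m["peer"])
        peers[peer_ip] += 1
    return peers


def flood_sources(ss_lines, threshold=64, port=445):
    """Peer IPs holding at least `threshold` SMB slots (threshold is an assumption)."""
    return sorted(ip for ip, n in smb_peers(ss_lines, port).items() if n >= threshold)


# Constructed snapshot: one client holds 120 slots, a real client holds 3, plus noise.
SAMPLE_SS = (
    ["LISTEN     0      128    0.0.0.0:445       0.0.0.0:*"]
    + [f"ESTAB      0      0      10.0.0.5:445      203.0.113.9:{40000 + i}" for i in range(120)]
    + [f"ESTAB      0      0      10.0.0.5:445      192.0.2.20:{50000 + i}" for i in range(3)]
    + ["ESTAB      0      0      10.0.0.5:22       192.0.2.20:51111",
       "SYN-RECV   0      0      [::ffff:10.0.0.5]:445   [::ffff:198.51.100.4]:6001"]
)

if __name__ == "__main__":
    import subprocess
    try:
        out = subprocess.run(["ss", "-Htan"], capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        out = ""
    live = out.splitlines() if out else SAMPLE_SS
    for ip, n in smb_peers(live).most_common(5):
        print(f"{ip:40} {n}")
    print("flood sources:", flood_sources(live))
```

Run it from cron or a monitoring agent and alert on the `flood_sources` result; the same per-source counting is what an nftables connection-limit (`ct count`) rule on port 445 enforces in the kernel, which is the firewall-side mitigation named above.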

3. Linux Kernel ETS Queue Rule Arbitrary Write (CVE-2025-21692)

Flaw in the Enhanced Transmission Selection (ETS) queueing discipline (sch_ets, used for network bandwidth scheduling): an out-of-bounds index in the qdisc's class lookup yields an out-of-bounds kernel memory write. Configuring qdiscs requires CAP_NET_ADMIN, which an unprivileged local user can obtain in a network namespace of their own where unprivileged user namespaces are enabled; from there a published exploit turns the write into root privileges using cross-cache attacks and heap spraying.

  • Impact: Affects kernels that build sch_ets (common in enterprise network environments) on systems where local users can reach the qdisc configuration path.
  • Mitigation: Apply the kernel patch from the maintainers (the fix adds bounds validation on the class index). If ETS is not needed, prevent the sch_ets module from loading, and consider restricting unprivileged user namespaces. The trigger is local traffic-control configuration over netlink, not network packets, so monitor for unexpected tc/qdisc changes rather than abnormal packet patterns.

4. libblockdev Local Privilege Escalation (CVE-2025-6019)

libblockdev, the block-device management library behind udisks, omits the nosuid (and nodev) mount flags when it mounts filesystems on behalf of a user. A user in polkit's allow_active category (anyone with an active local session, such as a desktop login, rather than every local account) can therefore get a filesystem they control mounted and run a setuid-root binary from it, gaining root.

  • Impact: Affects Ubuntu, Debian, Fedora, openSUSE, and CentOS/RHEL-family systems that ship udisks with libblockdev. Exploitation requires an active local session but leads to full system compromise.
  • Mitigation: Upgrade libblockdev (and udisks2) to builds that explicitly add nosuid and nodev during mount operations. Until packages are updated, a polkit rule that changes org.freedesktop.udisks2.modify-device from allow_active to auth_admin removes the unauthenticated path; afterwards, audit existing mounts to confirm the flags are present.
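An audit for the condition this bug relies on, as an added example (not libblockdev or udisks code): parse /proc/self/mountinfo, report user-reachable mounts that lack nosuid or nodev, and list setuid files under them. The sample lines are constructed, and the mountpoint prefixes that count as "user-reachable" are an assumption to adjust per distribution.

```python
import os
import re
import stat

_OCTAL_ESC = re.compile(r"\\([0-7]{3})")


def unescape(field: str) -> str:
    """mountinfo encodes space, tab, newline and backslash as \\040, \\011, \\012, \\134."""
    return _OCTAL_ESC.sub(lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(lines):
    """Parse /proc/self/mountinfo lines into dicts (field layout per proc(5))."""
    entries = []
    for line in lines:
        pre, sep, post = line.strip().partition(" - ")
        pre_f, post_f = pre.split(), post.split(None, 2)
        if not sep or len(pre_f) < 6 or len(post_f) < 2:
            continue
        entries.append({
            "id": int(pre_f[0]), "parent": int(pre_f[1]), "dev": pre_f[2],
            "root": unescape(pre_f[3]), "mountpoint": unescape(pre_f[4]),
            "options": set(pre_f[5].split(",")),        # per-mount flags: rw,nosuid,nodev,...
            "fstype": post_f[0], "source": unescape(post_f[1]),
        })
    return entries


# Where udisks places user-initiated mounts, plus anything loop-backed (image files).
# Assumed prefixes; adjust to your distribution.
USER_MOUNT_PREFIXES = ("/run/media/", "/media/", "/mnt/")


def user_reachable(entry) -> bool:
    return (entry["mountpoint"].startswith(USER_MOUNT_PREFIXES)
            or entry["source"].startswith("/dev/loop"))


def unsafe_mounts(entries, required=("nosuid", "nodev")):
    """(mountpoint, missing_flags) for user-reachable mounts lacking any required flag."""
    need = set(required)
    return [(e["mountpoint"], sorted(need - e["options"]))
            for e in entries if user_reachable(e) and not need <= e["options"]]


def find_setuid(root: str):
    """Regular files with setuid/setgid bits under `root`: on a mount without
    nosuid these run with the owner's privileges, which is the escalation path."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append(p)
    return hits


# Constructed mountinfo lines (not from a real host).
SAMPLE_MOUNTINFO = [
    "25 1 8:1 / / rw,relatime shared:1 - xfs /dev/sda1 rw,attr2,inode64",
    "97 25 8:17 / /run/media/alice/USB rw,nosuid,nodev,relatime shared:55 - vfat /dev/sdb1 rw,fmask=0022",
    "112 25 7:0 / /run/media/alice/image rw,relatime shared:60 - xfs /dev/loop0 rw,attr2",
    "113 25 7:1 / /mnt/with\\040space rw,nosuid,relatime shared:61 - ext4 /dev/loop1 rw",
]

if __name__ == "__main__":
    try:
        with open("/proc/self/mountinfo") as f:
            entries = parse_mountinfo(f)
    except OSError:
        entries = parse_mountinfo(SAMPLE_MOUNTINFO)
    for mp, missing in unsafe_mounts(entries):
        print(f"{mp}: missing {','.join(missing)}; setuid files: {find_setuid(mp)[:5]}")
```

The loop-backed image mount and the mount with a space in its path are the ones reported; a mount that carries both flags is silent even though it is user-initiated, which is exactly the state a fixed libblockdev should produce.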

5. CentOS System Exploit Case Study (Brute Force & Backdoor)

Real-world attack on a CentOS server involving brute-force login, binary replacement, and a persistent backdoor. The attackers gained access by brute-forcing weak SSH credentials, replaced /usr/bin/ps with a trojaned ELF binary that hides their processes from process listings, and installed a cron job that launches /root/shell.elf to maintain persistence across reboots.

  • Impact: Full root access, unauthorized command execution, and risk of data exfiltration.
  • Lessons Learned: Enforce strong password policies, disable root SSH login, use key-based authentication, and monitor system logs for suspicious activity (e.g., unexpected process creation, file modifications). When a host is suspected, do not trust its own ps output: verify package-owned binaries with rpm -V (for ps, rpm -V procps-ng) or inspect /proc directly from a known-good toolset, and review root's crontab and /etc/cron.* for entries that run from /root, /tmp, or other unusual locations.
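The three detections a responder would want for this case, as an added example that is not from the incident write-up: a brute-force-then-success pattern in sshd logs, crontab entries launching from suspicious directories, and replaced package-owned files in `rpm -V` output. All sample lines are constructed; the failure threshold and the list of suspicious directories are assumptions.

```python
import re
from collections import defaultdict

# /var/log/secure lines written by sshd (constructed for this example).
SSH_FAIL = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
SSH_OK = re.compile(r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")


def cracked_logins(lines, min_failures=5):
    """(ip, user, failures) for password logins that succeed after a burst of
    failures from the same source: the signature of a brute force that worked.
    The threshold is an assumption; tune it to your environment."""
    failures = defaultdict(int)
    hits = []
    for line in lines:
        m = SSH_FAIL.search(line)
        if m:
            failures[m["ip"]] += 1
            continue
        m = SSH_OK.search(line)
        if m and m["method"] == "password" and failures[m["ip"]] >= min_failures:
            hits.append((m["ip"], m["user"], failures[m["ip"]]))
    return hits


# Directories no legitimate cron job on this host should launch from (assumption).
SUSPICIOUS_DIRS = ("/root/", "/tmp/", "/var/tmp/", "/dev/shm/")
CRON_RE = re.compile(r"^\s*(?:@\w+|(?:\S+\s+){5})(?P<cmd>.+)$")


def suspicious_cron(lines):
    """(executable, full command) for crontab entries running from SUSPICIOUS_DIRS."""
    out = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = CRON_RE.match(line)
        if not m:
            continue
        cmd = m["cmd"].strip()
        for token in cmd.split():
            if token.startswith(SUSPICIOUS_DIRS):
                out.append((token, cmd))
                break
    return out


def modified_package_files(rpm_verify_lines):
    """Parse `rpm -V <package>` output: a '5' in the flag column means the file's
    digest no longer matches the package, 'S' a size change, 'missing' a deleted file."""
    out = []
    for line in rpm_verify_lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        flags, path = parts[0], parts[-1]
        if flags == "missing" or "5" in flags or "S" in flags:
            out.append(path)
    return out


SECURE_LOG = (
    [f"Sep 28 16:58:{i:02d} centos sshd[{1200 + i}]: Failed password for root from 198.51.100.23 port {40000 + i} ssh2"
     for i in range(6)]
    + ["Sep 28 16:59:10 centos sshd[1210]: Failed password for invalid user admin from 203.0.113.77 port 41000 ssh2",
       "Sep 28 16:59:30 centos sshd[1211]: Accepted password for root from 198.51.100.23 port 40120 ssh2",
       "Sep 28 17:00:02 centos sshd[1212]: Accepted publickey for deploy from 192.0.2.8 port 52000 ssh2: ED25519 SHA256:k3y",
       "Sep 28 17:00:30 centos sshd[1213]: Accepted password for bob from 192.0.2.9 port 52010 ssh2"]
)
CRONTAB = [
    "# m h dom mon dow command",
    "0 3 * * * /usr/local/bin/backup.sh",
    "*/5 * * * * /root/shell.elf >/dev/null 2>&1",
    "@reboot /tmp/.x/run",
]
RPM_VERIFY = ["S.5....T.    /usr/bin/ps", ".......T.    /usr/bin/top"]

if __name__ == "__main__":
    print("cracked logins:", cracked_logins(SECURE_LOG))
    print("suspicious cron:", suspicious_cron(CRONTAB))
    print("modified files:", modified_package_files(RPM_VERIFY))
```

On a live host feed `cracked_logins` the lines from /var/log/secure, `suspicious_cron` the output of `crontab -l -u root` and the files under /etc/cron.*, and `modified_package_files` the output of `rpm -V procps-ng`; a mtime-only change (`T`) is ignored because it does not by itself mean the file content was swapped.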
