We have received a note from cPanel that they have released new builds for all WHM/cPanel public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system.
cPanel has rated these updates as having CVSSv2 scores ranging from 2.1 to 10.0.
Information on cPanel's security ratings is available at http://go.cpanel.net/securitylevels.
If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installations at your earliest convenience.
RELEASES
The following cPanel & WHM versions address all known vulnerabilities:
11.54.0.4 & Greater
11.52.2.4 & Greater
11.50.4.3 & Greater
11.48.5.2 & Greater
The latest public releases of cPanel & WHM for all update tiers are available at http://httpupdate.cpanel.net.
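To confirm whether a given server is on a fixed build, the check below compares an installed version string against the four fixed builds listed above. It is an added example, not cPanel's code; the version file path /usr/local/cpanel/version and the function names are assumptions, and any branch the advisory does not list is reported for manual review.

```python
"""Added example: classify a cPanel & WHM version against the TSR-2016-0001 fixed builds."""

# Minimum fixed build per release branch, copied from the RELEASES list above.
FIXED_BUILDS = {
    (11, 54): (11, 54, 0, 4),
    (11, 52): (11, 52, 2, 4),
    (11, 50): (11, 50, 4, 3),
    (11, 48): (11, 48, 5, 2),
}

# Assumption: the installed version string is stored in this file on the server.
VERSION_FILE = "/usr/local/cpanel/version"


def parse_version(text):
    """Turn '11.52.2.4' into (11, 52, 2, 4); reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"not a four-part version: {text!r}")
    return tuple(int(p) for p in parts)


def tsr_status(text):
    """Return 'patched', 'vulnerable' or 'unlisted-branch' for a version string."""
    version = parse_version(text)
    fixed = FIXED_BUILDS.get(version[:2])
    if fixed is None:
        # The advisory names no fixed build for this branch; check it by hand.
        return "unlisted-branch"
    # Tuple comparison is numeric, so 11.54.0.10 correctly sorts after 11.54.0.4.
    return "patched" if version >= fixed else "vulnerable"


if __name__ == "__main__":
    with open(VERSION_FILE) as fh:
        installed = fh.read()
    print(installed.strip(), tsr_status(installed))
```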
SECURITY ISSUE INFORMATION
The cPanel security team identified the resolved security issues. There is no reason to believe that these vulnerabilities have been made known to the public. As such, cPanel will only release limited information about the vulnerabilities at this time.
Once sufficient time has passed, allowing cPanel & WHM systems to automatically update to the new versions, cPanel will release additional information about the nature of the security issues. This Targeted Security Release addresses 20 vulnerabilities in cPanel & WHM software versions 11.54, 11.52, 11.50, and 11.48.
WHAT YOU NEED TO DO
We advise customers running WHM/cPanel on their servelets to update to the latest versions within the update tiers as soon as possible. If you have configured WHM/cPanel automated updates, your WHM/cPanel might have already updated automatically. However, if automated updates are not configured, you need to log in to your WHM control panel and perform the update manually. More information on how to perform the WHM/cPanel update can be found in the cPanel documentation at the URL below:
https://documentation.cpanel.net/display/1152Docs/Update+Preferences
You can engage our system administration service if you need our assistance in patching your servelets / servers. To order this service, log in to our portal and go to Order > Additional Services > System Admin - Server Config Panels - Initial Configuration / Optimisation (One-Time) - $30.
Update on 27 January 2016:
cPanel has released the full details of the vulnerabilities. The full disclosure is reproduced below.
cPanel TSR-2016-0001 Full Disclosure
SEC-46
Summary
Arbitrary code execution via unsafe @INC path.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C)
Description
The Perl scripts that collectively make up the cPanel & WHM product were not uniformly filtering the current working directory '.' from Perl's module library load path (@INC). Under some circumstances, this allowed an attacker with the ability to modify the contents of the working directory to run arbitrary code as the user who executes the script.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.54.0.4
11.52.2.4
11.50.4.3
11.48.5.2
SEC-69
Summary
Limited arbitrary file modification during account modification.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
Description
During account modification, file changes were performed as the root user inside the cPanel account's home directory. By creating a symbolic link in certain locations, an attacker was able to modify arbitrary files.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.52.2.4
11.50.4.3
11.48.5.2
SEC-70
Summary
Arbitrary file read via bin/fmq script.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 4.9 (AV:N/AC:H/Au:S/C:C/I:N/A:N)
Description
The bin/fmq script performed unsafe file operations within a user's home directory. By creating a symlink to an arbitrary file, an attacker was able to read otherwise inaccessible files.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.54.0.4
11.52.2.4
11.50.4.3
11.48.5.2
SEC-71
Summary
SQL injection vulnerability in bin/horde_update_usernames.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 3.6 (AV:N/AC:H/Au:S/C:P/I:P/A:N)
Description
The bin/horde_update_usernames script performed SQL queries without the adequate escaping of untrusted data. This allowed the injection of arbitrary SQL statements.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.54.0.4
11.52.2.4
11.50.4.3
11.48.5.2
SEC-72
Summary
Arbitrary code execution vulnerability during locale duplication.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 7.1 (AV:N/AC:H/Au:S/C:C/I:C/A:C)
Description
During the execution of locale_duplicate.cgi, temporary files were created in an unsafe manner. By careful manipulation of the temporary files, an attacker could inject and execute arbitrary shell commands.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.54.0.4
11.52.2.4
11.50.4.3
11.48.5.2
SEC-73
Summary
Password hashes revealed by bin/mkvhostspasswd script.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:P/I:N/A:N)
Description
The bin/mkvhostspasswd script creates a temporary working file while updating the passwd.vhosts file. The permissions on this temporary file were in an insecure state momentarily. This allowed an attacker to read the file's contents.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.54.0.4
11.52.2.4
11.50.4.3
11.48.5.2
SEC-74
Summary
Limited arbitrary file read in bin/setup_global_spam_filter.pl.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
Description
The bin/setup_global_spam_filter.pl script performed unsafe file operations in the home directory of the cPanel accounts as the root user. By manipulating the input files, an attacker was able to view the content of arbitrary files on the system.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.54.0.4
11.52.2.4
11.50.4.3
11.48.5.2
SEC-76
Summary
Code execution as shared users via JSON-API.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 4.9 (AV:N/AC:M/Au:S/C:P/I:P/A:N)
Description
The cPanel URL dispatch logic for JSON and XML API calls allowed cPanel and Webmail accounts to call API commands while running with the privileges of shared user accounts.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.54.0.4
11.52.2.4
11.50.4.3
11.48.5.2
SEC-77
Summary
Password hash revealed by chcpass script.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:P/I:N/A:N)
Description
The scripts/chcpass script allowed the crypted form of a user's password stored in the /etc/shadow file to be updated. It took the crypted password as a command line argument, exposing this information to other users on the system. This code was not actively used by the cPanel & WHM product and has been removed.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.54.0.4
11.52.2.4
11.50.4.3
11.48.5.2
SEC-78
Summary
Arbitrary file overwrite in scripts/check_system_storable.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:N/I:P/A:N)
Description
By default, the check_system_storable script created a predictable .tmp file in an insecure location. This allowed an attacker to overwrite arbitrary files on the system.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.54.0.4
11.52.2.4
11.50.4.3
11.48.5.2
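SEC-73 and SEC-78 both come down to how a privileged script creates its working file: a predictable name, and permissions that are only tightened after creation. The added example below (not cPanel's code; function names are hypothetical) puts that pattern beside a hardened write that uses an unpredictable name, exclusive creation, mode 0600 from the first instant and an atomic rename. It assumes the target directory is not writable by untrusted users.

```python
import os
import tempfile


def write_naive(path, data):
    """Pattern from the advisory: predictable temp name, mode left to the umask."""
    tmp = path + ".tmp"
    with open(tmp, "wb") as fh:  # follows a symlink already planted at tmp
        fh.write(data)
    os.rename(tmp, path)


def write_private_atomic(path, data, mode=0o600):
    """Replace path with data without a predictable or readable temp file."""
    directory = os.path.dirname(os.path.abspath(path))
    # mkstemp picks a random name and opens it with O_CREAT|O_EXCL and mode
    # 0600, so it never reuses an existing file or symlink and the contents
    # are never readable by other users, even briefly.
    fd, tmp = tempfile.mkstemp(prefix=".tmp-", dir=directory)
    try:
        with os.fdopen(fd, "wb") as fh:
            os.fchmod(fh.fileno(), mode)  # final mode set before data is written
            fh.write(data)
            fh.flush()
            os.fsync(fh.fileno())
        # Atomic on POSIX: readers see the old file or the new one, never a mix.
        os.replace(tmp, path)
    except BaseException:
        try:
            os.unlink(tmp)
        except FileNotFoundError:
            pass
        raise
```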
SEC-79
Summary
Arbitrary file chown/chmod during Roundcube database conversions.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 5.9 (AV:A/AC:H/Au:S/C:C/I:C/A:N)
Description
During the MySQL to SQLite database conversion process for Roundcube, a chown and chmod was performed as the root user within a user-writable directory. This allowed an attacker to gain control of arbitrary files on the system.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.54.0.4
11.52.2.4
11.50.4.3
11.48.5.2
SEC-80
Summary
Arbitrary file read and write via scripts/fixmailboxpath.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 7.5 (AV:N/AC:L/Au:S/C:C/I:P/A:N)
Description
The fixmailboxpath script performed file read and write operations as root inside the cPanel users' home directories.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.54.0.4
11.52.2.4
11.50.4.3
11.48.5.2
SEC-81
Summary
Arbitrary file overwrite in scripts/quotacheck.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 4.9 (AV:N/AC:M/Au:S/C:P/I:P/A:N)
Description
The quotacheck script performed reads and writes of files in cPanel users' home directories while running as the root user. This allowed an attacker to overwrite arbitrary files on the system.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.54.0.4
11.52.2.4
11.50.4.3
11.48.5.2
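SEC-70, SEC-74, SEC-80 and SEC-81 share one root cause: a root-owned process opens a path inside a directory the account owner controls, and the owner has replaced part of that path with a symlink. The added example below (not cPanel's code; function names are hypothetical) contrasts a plain open with one that walks the path one component at a time and refuses symlinks, FIFOs and hard-linked files. It assumes a Linux/POSIX system and that base_dir itself is trusted.

```python
import os
import stat


def naive_read(base_dir, relpath):
    """Pattern from the advisory: a plain open() follows symlinks the user planted."""
    with open(os.path.join(base_dir, relpath), "rb") as fh:
        return fh.read()


def open_beneath(base_dir, relpath):
    """Open relpath under base_dir read-only, refusing a symlink in any component."""
    parts = [p for p in relpath.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise ValueError("path must stay inside base_dir")
    dir_fd = os.open(base_dir, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for name in parts[:-1]:
            # O_NOFOLLOW: the open fails if this component is a symlink.
            next_fd = os.open(name, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW,
                              dir_fd=dir_fd)
            os.close(dir_fd)
            dir_fd = next_fd
        # O_NONBLOCK keeps a planted FIFO from hanging the privileged process.
        fd = os.open(parts[-1], os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK,
                     dir_fd=dir_fd)
    finally:
        os.close(dir_fd)
    st = os.fstat(fd)  # inspect the object actually opened, not the path
    if not stat.S_ISREG(st.st_mode) or st.st_nlink != 1:
        os.close(fd)
        raise PermissionError("not a regular, singly linked file")
    return fd


def safe_read(base_dir, relpath):
    """Read a file through open_beneath(); raises OSError on any symlink."""
    with os.fdopen(open_beneath(base_dir, relpath), "rb") as fh:
        return fh.read()
```

Where the work does not need root at all, switching to the account's own UID and GID before touching its home directory removes the problem instead of filtering it.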
SEC-82
Summary
Limited arbitrary file chmod in scripts/secureit.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:N/I:P/A:N)
Description
During the cPanel installation process, the secureit script searches the /usr/ directory for setuid and setgid files. After filtering this list, it removes the setuid and setgid bits from any remaining files. The filtering logic did not account for the world-writable ModSecurity audit log directory, which allowed an attacker to remove the setuid and setgid bits from arbitrary files or folders on the system.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.54.0.4
11.52.2.4
11.50.4.3
11.48.5.2
SEC-83
Summary
Arbitrary code execution via scripts/synccpaddonswithsqlhost.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C)
Description
Unsafe file operations within a user's home directory in combination with a string eval allowed an attacker to execute arbitrary code as root when the synccpaddonswithsqlhost script was executed.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.54.0.4
11.52.2.4
11.50.4.3
11.48.5.2
SEC-84
Summary
Self-XSS in WHM PHP Configuration editor interface.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:N/I:P/A:N)
Description
The SMTP field was not sufficiently escaped when displayed on the WHM PHP Configuration editor output in Advanced Mode.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.54.0.4
11.52.2.4
11.50.4.3
11.48.5.2
SEC-85
Summary
Missing ACL enforcement in AppConfig subsystem.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:P/I:N/A:N)
Description
AppConfig did not perform proper ACL or feature list checks when a "user" was not specified or the "dynamic_user" functionality was used. In these circumstances a user could access the app regardless of any ACLs or feature requirements.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.54.0.4
11.52.2.4
11.50.4.3
11.48.5.2
SEC-86
Summary
Stored XSS in WHM Feature Manager interface.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
Description
Package names were not sufficiently escaped when displayed on the WHM Feature Manager interface.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.54.0.4
11.52.2.4
SEC-87
Summary
Self-XSS in X3 Entropy Banner interface.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:N/I:P/A:N)
Description
The "link" variable was not sufficiently escaped when displayed on the changelink.html page in the X3 Entropy Banner interfaces.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.54.0.4
11.52.2.4
11.50.4.3
11.48.5.2
SEC-91
Summary
Unauthenticated arbitrary code execution via cpsrvd.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Description
cPanel & WHM's internal web server, cpsrvd, did not correctly filter the request URI when processing incoming requests. Due to this, it was possible for an unauthenticated attacker to read arbitrary files and execute arbitrary scripts.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.54.0.4
11.52.2.4
11.50.4.3
11.48.5.2