cPanel TSR-2017-0003 Announcement

Posted by & filed under cPanel, Security.

cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system.

cPanel has rated these updates as having CVSSv3 scores ranging from 2.2 to 8.8.

Information on cPanel’s security ratings is available at https://go.cpanel.net/securitylevels.

If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installations at your earliest convenience.

RELEASES

The following cPanel & WHM versions address all known vulnerabilities:

64.0.21 & Greater
62.0.24 & Greater
60.0.43 & Greater
58.0.49 & Greater
56.0.49 & Greater

The latest public releases of cPanel & WHM for all update tiers are available at http://httpupdate.cpanel.net.

SECURITY ISSUE INFORMATION

The cPanel Security Team identified the resolved security issues. There is no reason to believe that these vulnerabilities have been made known to the public. As such, cPanel will only release limited information about the vulnerabilities at this time.

Once sufficient time has passed, allowing cPanel & WHM systems to automatically update to the new versions, cPanel will release additional information about the nature of the security issues. This Targeted Security Release addresses 24 vulnerabilities in cPanel & WHM software versions 64, 62, 60, 58, and 56.

Additional information is scheduled for release on May 16, 2017.
For information on cPanel & WHM Versions and the Release Process, read our documentation at:
https://go.cpanel.net/versionformat


HipChat Server is now available!

Posted by & filed under Announcements, Cloud Servers, Dedicated Servers.

 

HipChat Server image now available

for use on our Cloud and Dedicated servers!

 

We are pleased to announce that our Cloud Server platform now supports purpose built images and our first image is “HipChat Server v2.2.2”. HipChat is a popular team collaboration tool that allows your team to communicate with one another though 1-to-1 chat, group chat, or video chat. It also allows you to share files, screen share, and do a lot more.  For more information on HipChat, please visit their website at http://www.hipchat.com. Keep an eye out for more of our purpose built images as they become available. If you would like to see a specific App image feel free to send us a request to support@ndchost.com.

 

Deploying our HipChat server image.

  1. First step is to login to our customer portal by going to https://customer.ndchost.com.  If you do not know your login details they can be reset using the “forgot password” tool.
  2. From the top navigation menu click “My Services” and then “Services”.
  3. Next find your cloud server instance from the service list and click it.
  4. From the left sidebar, under “Server Manager” click “Deploy New Image”.
  5. Inside the “Choose an image” panel click “Latest Apps” and then select “HipChat Server”
  6. Set your primary disk size and choose a swap disk option
  7. Next you need to set a root password.  The HipChat server by default comes with root access disabled.  You should still set a password, however you will access the server using the same methods described in the HipChat server documentation.
  8. Click Deploy and wait for the server to start.

 

HipChat server first boot

It may take some time after your initial deploy for the HipChat server to come up.  The reason being that on first boot the HipChat server image runs a post installation script that prepares the server for use. You can expect to wait 5-10 minutes before being able to access HipChat’s web interface!


cPanel TSR-2017-0002 Full Disclosure

Posted by & filed under cPanel, Security.

SEC-208

Summary
Addon domain conversion did not require a package for resellers.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 2.7 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L

Description
Previously, when you converted an addon domain to a normal account, it was not required that a reseller specify a package for the account creation. This allowed the reseller to use the system’s “default” package that has no account limits. Now, an addon domain conversion requires that a reseller have and specify a valid package for the account.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.62.0.17
11.60.0.39
11.58.0.45
11.56.0.46

 

SEC-217

Summary

Self XSS Vulnerability in WHM cPAddons ‘showsecurity’ interface.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Description

When accessing the WHM cPAddons ‘showsecurity’ interface, the ‘addon’ parameter was not adequately escaped during page output. This could allow for arbitrary code to be injected into the rendered page.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.62.0.17
11.60.0.39
11.58.0.45
11.56.0.46

 

SEC-218

Summary

Arbitrary file read via WHM /styled/ URLs.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 6.0 CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

Description

WHM supports /styled/ URLs in order to allow for reseller interface customization and branding. It is possible for these URLs to load and display content from a reseller’s home directory. These files were being loaded as the root user. This allowed for arbitrary files on the system to be read.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.62.0.17
11.60.0.39

 

SEC-219

Summary

File overwrite when renaming an account.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 3.2 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N

Description

When renaming an account it was possible to manipulate the security policy directories within the user’s home directory to overwrite certain files the user did not own.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.62.0.17
11.60.0.39
11.58.0.45
11.56.0.46

 

SEC-220

Summary

Arbitrary code execution during account modification.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 8.2 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Description

When the primary domain of an account was changed in WHM’s “Modify an Account” interface, the .htaccess file in the account’s docroot was updated. This .htaccess update process included a syntax test, where it was possible for the cPanel user to execute arbitrary code as root.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.62.0.17
11.60.0.39
11.58.0.45
11.56.0.46

 

SEC-221

Summary

Arbitrary code execution during automatic SSL installation.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 8.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Description

During Autossl installation for user-controlled domains, the .htaccess file in the domain’s docroot was updated to bypass redirects that would interfere with the domain validation process. This .htaccess update process included a syntax test, where it was possible for the cPanel user to execute arbitrary code as root.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.62.0.17
11.60.0.39

 

SEC-223

Summary

Security policy questions were not transfered during account rename.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 2.6 CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N

Description

If an account had security questions set up, and that account was renamed, the questions were not transferred to the renamed account correctly. This allowed an attacker to set up their own security questions by logging into the target account after an account rename was performed.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.62.0.17
11.60.0.39
11.58.0.45
11.56.0.46

 

SEC-224

Summary

cPHulk one day ban bypass when IP based protection enabled.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Description

It was possible under certain settings to never trigger a one day ban when IP-based protection was also enabled. Now, IP addresses are properly one day banned when the specified threshold is reached.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.62.0.17
11.60.0.39
11.58.0.45
11.56.0.46

 

SEC-225

Summary

Code execution as root via overlong document root path settings.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 8.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Description

By specifying a document root path which exceed Apache’s maximum configuration line length limit, it was possible for this excessive data to be interpreted as a new configuration directive. This could allow for an attacker to run arbitrary code as the root user.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.62.0.17
11.60.0.39
11.58.0.45
11.56.0.46

 

SEC-226

Summary

Arbitrary file overwrite via WHM Zone Template editor.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 6.8 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N

Description

The WHM Zone Template editor interface did not properly validate the template filename when saving. This allowed resellers to overwrite arbitrary files on the system.

Credits

This issue was discovered by rack911labs.com.

Solution

This issue is resolved in the following builds:
11.62.0.17
11.60.0.39
11.58.0.45
11.56.0.46

 

SEC-227

Summary

Expand list of reserved usernames.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 6.0 CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N

Description

It was possible to create certain user accounts and then leverage the user’s home directory to enable various exploits. These account names have been added to the reserved username list.

Credits

This issue was discovered by rack911labs.com.

Solution

This issue is resolved in the following builds:
11.62.0.17
11.60.0.39
11.58.0.45
11.56.0.46

 

SEC-228

Summary

Adding parked domains to mail config did not respect domain ownership.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 2.4 CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N

Description

It was possible for a reseller to add parked domains, that they did not own, to the Exim mail configuration. A reseller must now own the parked domain to perform any action on it.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.62.0.17
11.60.0.39
11.58.0.45
11.56.0.46

 

SEC-229

Summary

URL filtering flaw allowed access to restricted resources.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 4.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Description

Due to faulty URL filtering, authenticated webmail accounts could access the PHPMyAdmin and PHPPGAdmin interfaces.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.62.0.17
11.60.0.39
11.58.0.45
11.56.0.46

 

SEC-232

Summary

Demo code execution via Htaccess::setphppreference API.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 7.4 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

Description

The Htaccess::setphppreference API call was not restricted for demo accounts and accepted arbitrary data to be written into the account’s .htaccess file. This could allow for an attacker to execute arbitrary codeunder the demo account.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.62.0.17
11.60.0.39
11.58.0.45
11.56.0.46

 

SEC-233

Summary

Arbitrary code execution for demo accounts via NVData_fetchinc API call.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 7.4 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

Description

The NVData_fetchinc API call could accept an arbitrary filename to be included and processed by the cPanel engine. It was possible for an attacker to use this to execute arbitrary code under a demo account.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.62.0.17
11.60.0.39
11.58.0.45
11.56.0.46


cPanel TSR-2017-0002 Announcement

Posted by & filed under cPanel, Security.

cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system.

cPanel has rated these updates as having CVSSv3 scores ranging from 2.4 to 8.8.

Information on cPanel’s security ratings is available at https://go.cpanel.net/securitylevels.

If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installations at your earliest convenience.

RELEASES

The following cPanel & WHM versions address all known vulnerabilities:

11.62.0.17 & Greater
11.60.0.39 & Greater
11.58.0.45 & Greater
11.56.0.46 & Greater

The latest public releases of cPanel & WHM for all update tiers are available at http://httpupdate.cpanel.net.

SECURITY ISSUE INFORMATION

The cPanel security team and independent security researchers identified the resolved security issues. There is no reason to believe that these vulnerabilities have been made known to the public. As such, cPanel will only release limited information about the vulnerabilities at this time.

Once sufficient time has passed, allowing cPanel & WHM systems to automatically update to the new versions, cPanel will release additional information about the nature of the security issues. This Targeted Security Release addresses 15 vulnerabilities in cPanel & WHM software versions 11.62, 11.60, 11.58, and 11.56.

Additional information is scheduled for release on March 21, 2017.
For information on cPanel & WHM Versions and the Release Process, read our documentation at:
https://go.cpanel.net/versionformat


EasyApache 21 February 2017 Maintenance Release

Posted by & filed under cPanel, Security.

SUMMARY
cPanel, Inc. has released EasyApache 3.34.12 with Apache version 2.2.32. This release addresses vulnerabilities related to CVE-2016-8743 and CVE-2016-5387. We strongly encourage all Apache 2.2 users to upgrade to version 2.2.32.

 

AFFECTED VERSIONS
All versions of Apache 2.2 through version 2.2.31

 

SECURITY RATING
The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:

 

CVE-2016-8743 – MEDIUM
Apache 2.2.32
Fixed bug related to CVE-2016-8743

 

CVE-2016-5387 – MEDIUM
Apache 2.2.32
Additional HTTPOXY mitigation related to CVE-2016-5387

 

SOLUTION
cPanel, Inc. has released EasyApache 3.34.12 with an updated version of Apache 2.2.32. Unless you have disabled EasyApache updates, the EasyApache application updates to the latest version when launched. Run EasyApache to rebuild your profile with the latest version of Apache.

REFERENCES
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8743
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5387
http://www.apache.org/dist/httpd/CHANGES_2.2.32



EasyApache 24 January 2017 Maintenance Release

Posted by & filed under cPanel, Security.

cPanel, Inc. has released updated RPMs for EasyApache 4 on January 25, 2017, with PHP version 5.6.30, 7.0.15, and 7.1.1. This release addresses vulnerabilities related to CVE-2016-10161, CVE-2016-10162, CVE-2017-5340, CVE-2016-7479, CVE-2016-10158, CVE-2016-10159, and CVE-2016-10160. We strongly encourage all PHP 5.6 users to upgrade to version 5.6.30, all PHP 7.0 users to upgrade to version 7.0.15, and all PHP 7.1 users to upgrade to version 7.1.1.

 

AFFECTED VERSIONS
All versions of PHP 5.6 through 5.6.29
All versions of PHP 7.0 through 7.0.14
All versions of PHP 7.1 through 7.1.0

 

SECURITY RATING
The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:

CVE-2016-10161 – MEDIUM
PHP 5.6.30
Fixed bug in Standard library related to CVE-2016-10161

PHP 7.0.15
Fixed bug in Core related to CVE-2016-10161

PHP 7.1.1
Fixed bug in Core related to CVE-2016-10161

CVE-2016-10162 – MEDIUM
PHP 7.0.15
Fixed bug in Core related to CVE-2016-10162

PHP 7.1.1
Fixed bug in Core related to CVE-2016-10162

CVE-2017-5340 – MEDIUM
PHP 7.0.15
Fixed bug in Core related to CVE-2017-5340

PHP 7.1.1
Fixed bug in Core related to CVE-2017-5340

CVE-2016-7479 – HIGH
PHP 7.0.15
Fixed bug in Core related to CVE-2017-5340

CVE-2016-10158 – MEDIUM
PHP 5.6.30
Fixed bug in Exif extension related to CVE-2016-10158

PHP 7.0.15
Fixed bug in Exif extension related to CVE-2016-10158

PHP 7.1.1
Fixed bug in Exif extension related to CVE-2016-10158

CVE-2016-10160 – HIGH
PHP 5.6.30
Fixed bug in Phar extension related to CVE-2016-10160

PHP 7.0.15
Fixed bug in Phar extension related to CVE-2016-10160

PHP 7.1.1
Fixed bug in Phar extension related to CVE-2016-10160

CVE-2016-10159 – MEDIUM
PHP 5.6.30
Fixed bug in Phar extension related to CVE-2016-10159

PHP 7.0.15
Fixed bug in Phar extension related to CVE-2016-10159

PHP 7.1.1
Fixed bug in Phar extension related to CVE-2016-10159

 

SOLUTION
cPanel, Inc. has released updated RPMs for EasyApache 4 on January 25, 2017, with updated versions of PHP 5.6, 7.0, and 7.1. Unless you have enabled automatic RPM updates in your cron, update your system with either yum update or WHM’s Run System Update interface.

 

REFERENCES
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5340
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10161
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10162
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7479
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10158
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10159
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10160
http://www.php.net/ChangeLog-7.php
http://www.php.net/ChangeLog-5.php


cPanel TSR-2017-0001 Full Disclosure

Posted by & filed under cPanel, Security.

cPanel TSR-2017-0001 Full Disclosure

SEC-196

Summary

Fixed password used for Munin MySQL test account.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)

Description

The Munin monitoring tool includes a plugin to check the status of the MySQL service. This plugin used a dedicated test MySQL user to provide this functionality. The password set for this user was identical to the username. In cPanel’s current configuration of Munin, this MySQL user is no longer required and has been removed.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
62.0.4
60.0.35
58.0.43
56.0.43
54.0.36

SEC-197

Summary

Self-XSS in paper_lantern password change screen.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:N/I:P/A:N)

Description

Certain form variables on the password change screen could be interpreted as javascript markup. This allowed an attacker to inject a malicious payload into the page.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
62.0.4
60.0.35
58.0.43
56.0.43
54.0.36

SEC-198

Summary

Reflected XSS in reset password interfaces.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Description

The user form variable on the password change screen could be interpreted as javascript markup. This allowed an attacker to inject a malicious payload into the page.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
62.0.4
60.0.35
58.0.43
56.0.43

SEC-199

Summary

Self-XSS in webmail Password and Security page.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:N/I:P/A:N)

Description

Certain form variables on the webmail password and security page could be interpreted as javascript markup. This allowed an attacker to inject a malicious payload into the page.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
62.0.4
60.0.35
58.0.43
56.0.43
54.0.36

SEC-201

Summary

Arbitrary file read via Exim valiases.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 6.8 (AV:N/AC:L/Au:S/C:C/I:N/A:N)

Description

When processing the valiases for a user, Exim was running as the root user. By creating a valias that included other files, an attacker was able to read arbitrary files as the root user.

Credits

This issue was discovered by RACK911Labs.com.

Solution

This issue is resolved in the following builds:
62.0.4
60.0.35
58.0.43

SEC-204

Summary

Exim piped filters ran as wrong user when delivering to a system user.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)

Description

Piped commands executed by the central_user_filter were run as the nobody user. Now the filters are run as the system user’s UID.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
62.0.4
60.0.35
58.0.43
56.0.43
54.0.36

SEC-205

Summary

Leech Protect did not protect certain directories.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Description

The Leech Protect system allows admins to detect unusual amounts of activity on password protected directories. This system was not functioning on directories with a two character name.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
62.0.4
60.0.35
58.0.43
56.0.43
54.0.36

SEC-206

Summary

Exim transports could be run as the nobody user.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)

Description

It was possible to run exim transports as the nobody user if the receiving email domain was removed during delivery. Transports will now run as the proper user even if the domain no longer exists.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
62.0.4
60.0.35
58.0.43
56.0.43
54.0.36

SEC-207

Summary

Improper ACL checks in xml-api for Rearrange Account.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:P/I:N/A:N)

Description

Using the ‘fetch_transfer_session_log’ API, it was possible to fetch transfer information created by other resellers. This could reveal potentially sensitive information to an attacker.

Credits

This issue was discovered by RACK911Labs.com.

Solution

This issue is resolved in the following builds:
62.0.4
60.0.35
58.0.43
56.0.43
54.0.36

SEC-209

Summary

SSL certificate generation in WHM used an unreserved email address.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:P/I:N/A:N)

Description

In WHM, if you generate a certificate using the “Generate an SSL Certificate and Signing Request” interface and select “When complete, email me the certificate, key, and CSR”, it used “admin@” as the from address. The account name “admin” is not reserved in cPanel & WHM, so if this account was created, it would intercept any replies or bounces.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
62.0.4
60.0.35
58.0.43
56.0.43
54.0.36

SEC-210

Summary

Account ownership not enforced by has_mycnf_for_cpuser WHM API call.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:P/I:N/A:N)

Description

The has_mycnf_for_cpuser WHM API call did not verify the caller’s ownership of the specified account. This could allow for a limited amount of information about the user’s MySQL configuration to be leaked.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
62.0.4
60.0.35
58.0.43
56.0.43
54.0.36

SEC-211

Summary

Stored XSS Vulnerability in WHM Account Suspension List interface.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)

Description

When viewing the WHM Account Suspension List with the ‘nohtml’ flag enabled, the response to the browser was sent with the ‘Content-type’ header set to ‘test/html’. This caused text to be misinterpreted as html markup.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
62.0.4
60.0.35
58.0.43
56.0.43
54.0.36

SEC-212

Summary

Format string injection vulnerability in cgiemail.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Description

The ability to supply arbitrary format strings to cgiemail and cgiecho allowed code execution whenever a user was able to provide a cgiemail template file. Format strings in cgiemail templates are now restricted to simple %s, %U and %H sequences.
Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
60.0.35
58.0.43
56.0.43
54.0.36

SEC-213

Summary

WHM ‘enqueue_transfer_item’ API allowed resellers to queue non rearrange modules.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:N/I:N/A:P)

Description

The ‘enqueue_transfer_item’ API allowed resellers with the ‘rearrange-accts’ ACL to add items from arbitrary Whostmgr::Transfers::Session modules. This could have potentially allowed for a reseller with the ‘rearrange-accts’ ACL to initiate a remote transfer or perform other restricted operations.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
62.0.4
60.0.35
58.0.43
56.0.43

SEC-214

Summary

Open redirect vulnerability in cgiemail.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)

Description

The cgiemail and cgiecho binaries served as an open redirect due to their handling of the “success” and “failure” parameters. These redirects are now limited to the domain that handled the request.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
60.0.35
58.0.43
56.0.43
54.0.36

SEC-215

Summary

HTTP header injection vulnerability in cgiemail.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Description

Case SEC-215: The handling of redirects in cgiemail and cgiecho did not protect against the injection of additional HTTP headers. Newline characters are now stripped from the redirect location to protect against this.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
60.0.35
58.0.43
56.0.43
54.0.36

SEC-216

Summary

Reflected XSS vulnerability in cgiemail addendum handling.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Description

The “addendum” parameter was reflected without any escaping in success and error messages produced by cgiemail and cgiecho. This output is now html escaped.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
60.0.35
58.0.43
56.0.43
54.0.36

For the PGP-Signed version of this announcement please see: https://news.cpanel.com/wp-content/uploads/2017/01/TSR-2017-0001.disclosure.signed.txt


cPanel TSR-2017-0001 Announcement

Posted by & filed under cPanel, Security.

cPanel TSR-2017-0001 Announcement

cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system.

cPanel has rated these updates as having CVSSv2 scores ranging from 2.1 to 6.8.

Information on cPanel’s security ratings is available at https://go.cpanel.net/securitylevels.

If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installations at your earliest convenience.

RELEASES

The following cPanel & WHM versions address all known vulnerabilities:

11.62.0.4 & Greater
11.60.0.35 & Greater
11.58.0.43 & Greater
11.56.0.43 & Greater
11.54.0.36 & Greater

The latest public releases of cPanel & WHM for all update tiers are available at http://httpupdate.cpanel.net.

SECURITY ISSUE INFORMATION

The cPanel security team and independent security researchers identified the resolved security issues. There is no reason to believe that these vulnerabilities have been made known to the public. As such, cPanel will only release limited information about the vulnerabilities at this time.

Once sufficient time has passed, allowing cPanel & WHM systems to automatically update to the new versions, cPanel will release additional information about the nature of the security issues. This Targeted Security Release addresses 17 vulnerabilities in cPanel & WHM software versions 11.62, 11.60, 11.58, 11.56, and 11.54.

Additional information is scheduled for release on January 17, 2017.
For information on cPanel & WHM Versions and the Release Process, read our documentation at:
https://go.cpanel.net/versionformat

For the PGP-Signed version of this announcement please see: https://news.cpanel.com/wp-content/uploads/2017/01/TSR-2017-0001.announcement.signed.txt