cPanel TSR-2019-0002 Full Disclosure

Yesterday cPanel released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. Below is the full disclosure of the changes included in that update.

Information on cPanel’s security ratings is available at https://go.cpanel.net/securitylevels.

If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installations at your earliest convenience.

SEC-477

Summary
Unsafe file operations as root in SSL certificate storage.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 5.6 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
Description
The Cpanel::SSL::Objects::Certificate::File module creates a cache file when opening and reading an SSL certificate file. The Cpanel::SSLStorage module uses this to perform operations on SSL certificates stored in the user’s home directory as root. Because of this, it was possible for an attacker to overwrite and/or read root-owned files.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:78.0.1876.0.2170.0.67

SEC-479

Summary
Local root via userdata cache mis-parsing.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 7.8 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Description
The userdata cache uses a custom delimiter separated format using “==“ as the delimiter. It is possible for the values in this file to contain this delimiter when written. When reading back this file, it is possible to cause other subsystems on the server into reading, writing, chmoding, and executing arbitrary files as root.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:78.0.1876.0.2170.0.67

SEC-480

Summary
Code execution via addforward API1 call.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 7.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Description
The addforward API1 call modified the destination email address after validating that it did not include prohibited EXIM redirect router values. This behavior could be abused by webmail virtual accounts to run arbitrary code on the cPanel server.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:78.0.1876.0.2170.0.67

SEC-481

Summary
Unsafe terminal capabilities determination using infocmp.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 2.5 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
Description
When generating formatted/colored text, the infocmp binary is called as root, which reads compiled terminfo files as root. This binary has its home directory set to /tmp. It was possible for a user to manipulate the terminfo files that infocmp processed.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:78.0.1876.0.2170.0.67

SEC-483

Summary
Open mail relay due to faulty domain redirect routing.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Description
The EXIM configuration used for domain forwarders did not correctly escape the final destination address. This could be abused by unauthenticated remote attackers to relay email through the server.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:78.0.1876.0.2170.0.67

SEC-484

Summary
Limited file read as root via EXIM virtual_user_spam router.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 3.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Description
The EXIM configuration used for routing spam email addressed to virtual email account did not correctly escape the final destination address. This could be abused by cPanel accounts to read files on the system that were inaccessible to the cPanel user.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:78.0.1876.0.2170.0.67

SEC-487

Summary
Demo account code execution via securitypolicy.cgi.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 7.4 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Description
The securitypolicy.cgi exists in the main docroot for cPanel and Webmail, and can be accessed by normal users. A user can supply POST data to this script that contains both security context and form data. This could be used to write arbitrary data to a demo account’s docroot.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:78.0.1876.0.2170.0.67

SEC-493

Summary
Remote Stored XSS Vulnerability in BoxTrapper Queue Listing.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Description
The BoxTrapper_showqueue() API call provides a listing of email messages currently in the BoxTrapper queue. Subject headers displayed in this listing are HTML encoded before they are MIME decoded. This allowed for an attacker to inject arbitrary code into the displayed subject.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:78.0.1876.0.2170.0.67

For the PGP-signed message, please see: TSR-2019-0002 Full Disclosure

Original author: benny Vasquez

Copyright

© Cpanel

Support for Version 70 Extended to April 30th, 201...
cPanel integrates industry-leading web hosting sec...
 
Advertisement