cPanel TSR-2022-0002 Full Disclosure

cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system.
SEC-629

Summary

Respect the “no_create” parameter in BoxTrapper_getemaildirs.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Description

The BoxTrapper_getemaildirs function takes a parameter which tells it not to attempt to create the mail directories if they do not exist. This parameter was only being respected when the no_checks parameter was also set. Add a check of the value of the no_create parameter before attempting to create the mail directory. Failure to do so was the cause of bxd.cgi creating bogus domain directories under the mail directory.

Credits

This issue was discovered by William Bailey.

Solution

This issue is resolved in the following builds:
11.94.0.25
11.104.0.3
11.102.0.18

SEC-630

Summary

Update cpanel-php73-horde to 5.2.21-1.cp1194.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Description

Changelog: Update cpanel-php73-horde to 5.2.21-1.cp1194

Credits

This issue was discovered by Sonar Source. https://blog.sonarsource.com/horde-webmail-account-takeover-via-email/

Solution

This issue is resolved in the following builds:
11.94.0.25
11.104.0.3
11.102.0.18

SEC-631

Summary

Check caller privileges in create_dbowner.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 8.0 CVSS3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Description

In create_dbowner(), we need to check that the caller has the correct privileges to alter the password for the account, similar to what is done in updatehosts(). Failure to do so can allow any cPanel user to take over the root account on MySQL via the cpmysql adminbin UPDATEALL and UPDATEDBOWNER commands.

Credits

This issue was discovered by John Lightsey.

Solution

This issue is resolved in the following builds:
11.94.0.25
11.104.0.3
11.102.0.18

SEC-632

Summary

MySQL admin takeover via postponed dbuser creation.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 7.6 CVSS3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H

Description

It was possible to create a cPanel account with the username ‘r_o_o_t’ when MySQL was disabled on the system. If MySQL is then enabled at a later date, then the cPanel username ‘r_o_o_t’ would map to the username ‘root’ for the database user creation. This allowed the cPanel user to change their password and take over admin rights to the MySQL server.

Credits

This issue was discovered by John Lightsey.

Solution

This issue is resolved in the following builds:
11.94.0.25
11.104.0.3
11.102.0.18

SEC-636

Summary

Notify admin of lost demo mode restrictions.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 2.6 CVSS3.1AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:N

Description

After an upgrade, admins are now notified that demo accounts with linked mail child nodes exist and is no longer a valid configuration.

Credits

This issue was discovered by John Lightsey.

Solution

This issue is resolved in the following builds:
11.94.0.25
11.104.0.3
11.102.0.18

SEC-637

Summary

Block remote nodes on restoration of account in demo mode.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 2.6 CVSS3.1AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:N

Description

The fix for case SEC-617 addressing the failure of “demo” status to propagate to remote nodes prevents setting up an account to have linked nodes while in demo mode. But, it does not block this setup on account restoration. When restoring an account, block use of linked nodes if the account is demo mode.

Credits

This issue was discovered by John Lightsey.

Solution

This issue is resolved in the following builds:
11.94.0.25
11.104.0.3
11.102.0.18

SEC-638

Summary

Block cron removal on accounts with DEMO mode enabled.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 5.3 CVSS3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Description

It was possible to remove cronjobs on accounts with demo mode enabled when using legacy APIs, leaving it possible for potential attackers to cause data loss.

Credits

This issue was discovered by John Lightsey.

Solution

This issue is resolved in the following builds:
11.94.0.25
11.104.0.3
11.102.0.18

SEC-639

Summary

Run demo/feature check for UAPI and API1.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 5.3 CVSS3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Description

When adding UAPI1 it was possible to by pass demo mode checks using a specially crafted URL causing the request to masquerade as a UAPI call.

Credits

This issue was discovered by John Lightsey.

Solution

This issue is resolved in the following builds:
11.94.0.25
11.104.0.3
11.102.0.18

SEC-641

Summary

Stop exposing API tokens in account modification return data.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 8.0 CVSS3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:L

Description

The account modification functions return the user data to the caller. In a multi-node setup the user data can have a WORKER_NODE element added to it which contains an API token. We shouldn’t be exposing this in the return data.

Credits

This issue was discovered by John Lightsey.

Solution

This issue is resolved in the following builds:
11.94.0.25
11.104.0.3
11.102.0.18

SEC-643

Summary

Immediately check account ownership in massmodifyacct.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 8.0 CVSS3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:L

Description

The error manifest in this case is two-fold. First, the check for account ownership occurs too late in the operation, and only for the local modification of the account. And, the way massmodifyacct is architected, a local failure will not prevent remote operations. Secondly, massmodify has been setup on such a way that there are no “undo” operations for any accounts where modifications have failed. To address the security aspect of this case, we need to check account ownership at the beginning of massmodifyacct and perform no further acction on an unauthorized account.

Credits

This issue was discovered by John Lightsey.

Solution

This issue is resolved in the following builds:
11.94.0.25
11.104.0.3
11.102.0.18

For the PGP-Signed message please see the linked document below.

TSR-2022-0002-Full-Disclosure.signedDownload

Original author: Rhoda Arnes

Copyright

© Cpanel

How to disable Windows services and speed up your ...
EasyApache June 1 Release
 

By accepting you will be accessing a service provided by a third-party external to https://divethewebcreations.biz/

Advertisement