Newsroom

cPanel TSR-2017-0006 Full Disclosure

cPanel TSR-2017-0006 Full Disclosure

SEC-306

Summary

Unreserved email address used in DNS zone SOA records.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 2.0 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N

Description

When a contact email address for the system was not configured, the default RNAME value in DNS zone SOA records was set to an unreserved account name. This account name is now reserved and “root” is used as the default for new zones.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
68.0.15
66.0.34
64.0.42
62.0.35

SEC-309

Summary

Home directory backups written to incorrect location.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 7.8 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Description

A remote backup mount that became temporarily unresponsive could cause the user home directory backup to be written to the current directory when the backup system was configured to use incremental backups.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
68.0.15
66.0.34
64.0.42
62.0.35

SEC-310

Summary

Jailed accounts could restore files that are outside the jail.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 3.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Description

A jailed cPanel account could create files in their home directory that the backup process would follow outside of the jailshell, allowing restricted files to be copied into the backup.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
68.0.15
66.0.34
64.0.42
62.0.35

SEC-311

Summary

Unprivileged users can access restricted directories during account restores.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 4.4 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N

Description

During the account restore process, under some circumstances, root changes the current directory to the user’s home directory. A malicious user could abuse this behavior to access restricted directories.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
68.0.15
66.0.34
64.0.42
62.0.35

SEC-313

Summary

Arbitrary code execution via Maketext injection in PostgresAdmin.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 8.0 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Description

Under certain error conditions it was possible to inject user-supplied input into Maketext format string during PostgreSQL database creation, allowing arbitrary code execution as root.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
68.0.15
66.0.34
64.0.42
62.0.35

SEC-314

Summary

Arbitrary code execution via Maketext injection in Reseller style upload.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 8.0 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Description

When a reseller uploads a custom style tarball, the list of files included in the tarball are checked for invalid filenames. If this validation fails, the offending filename is used as part of a Locale::Maketext format string. By crafting a malicious tarball, it was possible for a reseller to execute arbitrary code as root.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
68.0.15
66.0.34
64.0.42
62.0.35

SEC-315

Summary

Jailshell fails to set umask before peforming sensitive file operations.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 8.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Description

The jailshell and jailexec binaries failed to set the umask() before performing sensitive operations during the jail setup. This behavior was exploitable to run arbitrary code as root or read secret files.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
68.0.15
66.0.34
64.0.42
62.0.35

SEC-318

Summary

String format injection vulnerability in dovecot-xaps-plugin.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 6.0 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L

Description

The cPanel patches to the dovecot-xaps-plugin add an additonal call to the i_info() function to generate dovecot log messages. This function behaves in a similar manner to printf(). Rather than specifying a format string as a first argument, we pass in user controllable data. This allowed for the user to pass in arbitrary format strings, resulting in reading of arbitrary memory and code execution.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
68.0.15
66.0.34
64.0.42

SEC-322

Summary

Code execution as root due to loose permissions on incremental backups.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 8.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Description

During an incremental backup, the user account had access to the homedir directory inside the account’s backup directory. This allowed the user to execute files that had switched to root ownership during the backup process.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
68.0.15
66.0.34
64.0.42
62.0.35

SEC-323

Summary

Backup files are briefly world-readable.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 2.5 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

Description

When creating backup archive files there was a small window where the permissions of the archives would be world-readable. This allowed for unprivileged users to copy the contents of other user’s backups.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
68.0.15
66.0.34
64.0.42
62.0.35

SEC-325

Summary

PostgreSQL databases assigned to multiple accounts caused collisions.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 2.0 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N

Description

A refactoring error opened the possibility of two different cPanel accounts being assigned ownership of a PostgreSQL database when they attempted to create it at the same time. Ownership is now assigned only to the account that successfully created the database.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
68.0.15
66.0.34
64.0.42

SEC-326

Summary

Add ‘postmaster’ to the list of reserved usernames.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 2.4 CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N

Description

It was possible to intercept certain emails intended to be delivered to root by creating an account with the ‘postmaster’ username. This account name has been added to the reserved usernames list.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
68.0.15
66.0.34
64.0.42
62.0.35

SEC-327

Summary

Expand the list of reserved usernames.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 2.4 CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N

Description

The server contract email address for accounts uses the webmaster username which was not restricted for account creation. This could lead to a reseller intercepting emails intended to be delivered to other accounts. All email aliases listed in /etc/aliases and /etc/localaliases are now reserved usernames.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
68.0.15
66.0.34
64.0.42
62.0.35

SEC-328

Summary

Add ‘ssl’ to the list of reserved usernames.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 2.4 CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N

Description

When creating SSL certificates, ‘ssl@hostname’ is used as the contact email in the certificate. The ‘ssl’ username was not reserved, allowing resellers to intercept emails sent to this address. The ‘ssl’ username is now disallowed for account creation.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
68.0.15
66.0.34
64.0.42
62.0.35

SEC-329

Summary

Arbitrary file read via Exim vdomainaliases.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 6.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Description

When processing the vdomainaliases file for a domain, Exim was running as the root user. An attacker could leverage this behavior to read the contents of arbitrary files on the system.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
68.0.15
66.0.34
64.0.42
62.0.35

SEC-330

Summary

Preserve permissions for local backup transport.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 3.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Description

When copying backup files using the ‘Additional local directory’ backup transport, the original backup file permissions were not preserved. This allowed backup files to be created with world-readable permissions.

Credits

This issue was discovered by Rack911labs.com.

Solution

This issue is resolved in the following builds:
68.0.15
66.0.34
64.0.42
62.0.35

SEC-331

Summary

DnsUtils allows zone creation on hostname and account subdomains.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 3.8 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

Description

When adding a DNS zone, Cpanel::DnsUtils::doadddns() did not check to ensure that the added domain is not the hostname or a subdomain of domain belonging to another user. This allowed a reseller to intercept potentially sensitive information.

Credits

This issue was discovered by Rack911labs.com.

Solution

This issue is resolved in the following builds:
68.0.15
66.0.34
64.0.42
62.0.35

SEC-332

Summary

Root crontab visible when enabling or disabling sqloptimizer.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Description

When enabling or disabling the sqloptimizer feature root’s crontab was briefly exposed to unprivileged users.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
68.0.15
66.0.34
64.0.42
62.0.35

SEC-333

Summary

Local root code execution via cpdavd.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 8.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Description

Under certain circumstances, when cpdavd processes requests, the service will attempt to lazy load Perl modules for various functionality. If this is done after cpdavd changed the root directory, it was possible for an attacker to execute arbitrary code as the root user.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
68.0.15
66.0.34
64.0.42
62.0.35

SEC-334

Summary

User accounts partially created with invalid username formats.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 2.6 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:N

Description

Attempting to transfer, restore, or rearrange a cPanel account with a username composed entirely of numbers and symbols could result in partial account creation and cause mail delivery to run as the wrong user. Usernames in this format are now prohibited, along with usernames containing uppercase characters.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
68.0.15
66.0.34
64.0.42
62.0.35

SEC-336

Summary

Stored-XSS vulnerability via cpaddons moderated upgrade.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 2.5 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N

Description

It is possible to coerce a cPAddon upgrade to occur when an install was intended via the moderated installs feature of cPAddons. When obsolete files are removed from the installation, a file listing isgiven. These file names were not adequately encoded in the listed output. This allowed for an attacker to inject arbitrary code into the rendered page.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
68.0.15
66.0.34
64.0.42
62.0.35

SEC-337

Summary

Code execution as ‘nobody’ account via Mailman archives.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 7.4 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

Description

Accounts created with the ‘mbox’ TLD could collide with other domains in the Mailman archive directories. This allowed the creation of files with restricted file extensions, and code execution as the webserver user.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
68.0.15
66.0.34
64.0.42
62.0.35

SEC-341

Summary

Domain data can be deleted for domains with ‘lock’ TLD.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 3.1 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

Description

Domains that use the ‘lock’ TLD conflict with the standard naming scheme for cPanel ‘safelock’ files. This behavior allowed attackers to delete domain-named files in some limited circumstances.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
68.0.15
66.0.34
64.0.42
62.0.35

SEC-345

Summary

Arbitrary file read in backup htaccess modification logic.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 6.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Description

On systems configured with EasyApache 4, the htaccess files of accounts are modified in the backup to remove the PHP handler settings. The method used to perform these modifications was vulnerable to time-of-check-time-of-use attacks that could be used to store arbitrary files into the user’s backup tarball.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
68.0.15
66.0.34
64.0.42
62.0.35

For the PGP-Signed version of this announcement please see: https://news.cpanel.com/wp-content/uploads/2017/11/TSR-2017-0006.disclosure.signed.txt