cPanel TSR-2017-0006 Full Disclosure
SEC-306
Summary
Unreserved email address used in DNS zone SOA records.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 2.0 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N
Description
When a contact email address for the system was not configured, the default RNAME value in DNS zone SOA records was set to an unreserved account name. This account name is now reserved and “root” is used as the default for new zones.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
68.0.15
66.0.34
64.0.42
62.0.35
SEC-309
Summary
Home directory backups written to incorrect location.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 7.8 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Description
A remote backup mount that became temporarily unresponsive could cause the user home directory backup to be written to the current directory when the backup system was configured to use incremental backups.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
68.0.15
66.0.34
64.0.42
62.0.35
SEC-310
Summary
Jailed accounts could restore files that are outside the jail.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 3.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Description
A jailed cPanel account could create files in their home directory that the backup process would follow outside of the jailshell, allowing restricted files to be copied into the backup.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
68.0.15
66.0.34
64.0.42
62.0.35
SEC-311
Summary
Unprivileged users can access restricted directories during account restores.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.4 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N
Description
During the account restore process, under some circumstances, root changes the current directory to the user’s home directory. A malicious user could abuse this behavior to access restricted directories.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
68.0.15
66.0.34
64.0.42
62.0.35
SEC-313
Summary
Arbitrary code execution via Maketext injection in PostgresAdmin.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 8.0 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Description
Under certain error conditions it was possible to inject user-supplied input into Maketext format string during PostgreSQL database creation, allowing arbitrary code execution as root.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
68.0.15
66.0.34
64.0.42
62.0.35
SEC-314
Summary
Arbitrary code execution via Maketext injection in Reseller style upload.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 8.0 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Description
When a reseller uploads a custom style tarball, the list of files included in the tarball is checked for invalid filenames. If this validation fails, the offending filename is used as part of a Locale::Maketext format string. By crafting a malicious tarball, a reseller could execute arbitrary code as root.
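The following Perl script is an added illustration of the bug class behind SEC-313 and SEC-314; it is not cPanel code. The language classes (My::L10N, a stand-in for cPanel's own locale classes), the error message and the tarball entry name are constructed for the example. It shows what Locale::Maketext does with bracket notation that arrives inside the template, and the pattern that keeps untrusted text out of the template.

```perl
use strict;
use warnings;

# Minimal Locale::Maketext project class, constructed for this example
# (not cPanel's locale classes). _AUTO makes maketext() accept a key it has
# never seen and compile the key itself as the template, which is what
# happens to an ad-hoc error message.
package My::L10N;
use parent 'Locale::Maketext';
our %Lexicon = ( '_AUTO' => 1 );

package My::L10N::en;
our @ISA     = ('My::L10N');
our %Lexicon = ( '_AUTO' => 1 );

package main;

my $lh = My::L10N->get_handle('en') or die "no language handle";

# Vulnerable pattern (the bug class in SEC-313 and SEC-314): untrusted text
# is interpolated INTO the template, so any bracket notation it carries is
# compiled. [method,arg,...] becomes $lh->method('arg', ...); sprintf is
# one of the methods Locale::Maketext exposes to bracket notation.
sub report_vulnerable {
    my ($name) = @_;
    return $lh->maketext("Invalid filename in tarball: $name");
}

# Fixed pattern: the template is a constant and the untrusted text travels
# as a parameter. [_1] substitutes it verbatim; brackets inside a parameter
# are never compiled.
sub report_fixed {
    my ($name) = @_;
    return $lh->maketext('Invalid filename in tarball: [_1]', $name);
}

# Attacker-chosen tarball entry name (constructed). The bracket segment is
# executed as a method call by report_vulnerable() and is kept as literal
# text by report_fixed().
my $planted = 'theme/[sprintf,%s,INJECTED].php';

print "vulnerable: ", report_vulnerable($planted), "\n";
print "fixed:      ", report_fixed($planted), "\n";
```

Run it and compare the two lines: the vulnerable call replaces the bracket segment with the result of a method call on the language handle, the fixed call prints the filename exactly as supplied. Any method reachable on the handle can be invoked this way with attacker-chosen arguments, which is how an error message becomes code execution in the process that renders it. Newer Locale::Maketext releases add a method deny-list, but the only reliable fix is the second pattern: constant template, untrusted data as [_n] parameters. The same class of mistake, untrusted data in the format position, reappears in C in SEC-318 below.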
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
68.0.15
66.0.34
64.0.42
62.0.35
SEC-315
Summary
Jailshell fails to set umask before performing sensitive file operations.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 8.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Description
The jailshell and jailexec binaries failed to set the umask() before performing sensitive operations during the jail setup. This behavior was exploitable to run arbitrary code as root or read secret files.
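The script below is an added illustration of why the missing umask() call matters; it is not cPanel's jailshell or jailexec code. A process invoked by a user inherits that user's umask across exec(), and setuid does not reset it, so a privileged helper that creates files without setting its own mask lets the caller decide which permission bits get stripped. The directory and file names and the simulated caller umask of 000 are constructed for the example.

```perl
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Temp qw(tempdir);

# Simulate a privileged jail setup step. Returns the permission bits
# (mode & 07777) of a directory and a file it creates, first with the
# caller's umask left alone (simulated here as 000), then after the fix of
# calling umask(077) before touching the filesystem.
sub jail_setup_modes {
    my ($reset_umask) = @_;
    my $caller_mask = umask(0);        # stand-in for a hostile inherited umask of 000
    umask(077) if $reset_umask;        # the fix: set our own mask before any create

    my $base = tempdir(CLEANUP => 1);  # File::Temp creates this with 0700 explicitly
    my $dir  = "$base/jail";
    my $file = "$base/jail/conf";
    mkdir $dir, 0777 or die "mkdir $dir: $!";
    sysopen(my $fh, $file, O_WRONLY | O_CREAT | O_EXCL, 0666)
        or die "create $file: $!";
    close $fh;

    my %modes = (
        dir  => (stat $dir)[2]  & 07777,
        file => (stat $file)[2] & 07777,
    );
    umask($caller_mask);               # restore what we were started with
    return \%modes;
}

for my $reset (0, 1) {
    my $m = jail_setup_modes($reset);
    printf "%-22s dir=%04o file=%04o\n",
        ($reset ? 'umask(077) first:' : 'inherited umask 000:'),
        $m->{dir}, $m->{file};
}
```

With the inherited mask the directory and file come out world-writable, which is the primitive behind "run arbitrary code as root or read secret files" once root later executes or populates them; after umask(077) they are owner-only. The same reasoning applies to the backup archives in SEC-323 and SEC-330: a privileged process should pin its umask at startup and also pass a restrictive mode to every create, rather than fixing permissions up with chmod afterwards.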
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
68.0.15
66.0.34
64.0.42
62.0.35
SEC-318
Summary
String format injection vulnerability in dovecot-xaps-plugin.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 6.0 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L
Description
The cPanel patches to the dovecot-xaps-plugin add an additional call to the i_info() function to generate Dovecot log messages. This function behaves like printf(). Rather than passing a constant format string as its first argument, the patched code passed user-controllable data in that position. This allowed a user to supply arbitrary format directives, resulting in reads of arbitrary memory and code execution.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
68.0.15
66.0.34
64.0.42
SEC-322
Summary
Code execution as root due to loose permissions on incremental backups.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 8.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Description
During an incremental backup, the user account had access to the homedir directory inside the account’s backup directory. This allowed the user to execute files that had switched to root ownership during the backup process.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
68.0.15
66.0.34
64.0.42
62.0.35
SEC-323
Summary
Backup files are briefly world-readable.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 2.5 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Description
When creating backup archive files there was a small window during which the permissions of the archives were world-readable. This allowed unprivileged users to copy the contents of other users’ backups.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
68.0.15
66.0.34
64.0.42
62.0.35
SEC-325
Summary
PostgreSQL databases assigned to multiple accounts caused collisions.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 2.0 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N
Description
A refactoring error opened the possibility of two different cPanel accounts being assigned ownership of a PostgreSQL database when they attempted to create it at the same time. Ownership is now assigned only to the account that successfully created the database.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
68.0.15
66.0.34
64.0.42
SEC-326
Summary
Add ‘postmaster’ to the list of reserved usernames.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 2.4 CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N
Description
It was possible to intercept certain emails intended to be delivered to root by creating an account with the ‘postmaster’ username. This account name has been added to the reserved usernames list.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
68.0.15
66.0.34
64.0.42
62.0.35
SEC-327
Summary
Expand the list of reserved usernames.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 2.4 CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N
Description
The server contact email address for accounts uses the webmaster username which was not restricted for account creation. This could lead to a reseller intercepting emails intended to be delivered to other accounts. All email aliases listed in /etc/aliases and /etc/localaliases are now reserved usernames.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
68.0.15
66.0.34
64.0.42
62.0.35
SEC-328
Summary
Add ‘ssl’ to the list of reserved usernames.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 2.4 CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N
Description
When creating SSL certificates, ‘ssl@hostname’ is used as the contact email in the certificate. The ‘ssl’ username was not reserved, allowing resellers to intercept emails sent to this address. The ‘ssl’ username is now disallowed for account creation.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
68.0.15
66.0.34
64.0.42
62.0.35
SEC-329
Summary
Arbitrary file read via Exim vdomainaliases.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 6.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Description
When processing the vdomainaliases file for a domain, Exim was running as the root user. An attacker could leverage this behavior to read the contents of arbitrary files on the system.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
68.0.15
66.0.34
64.0.42
62.0.35
SEC-330
Summary
Preserve permissions for local backup transport.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 3.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Description
When copying backup files using the ‘Additional local directory’ backup transport, the original backup file permissions were not preserved. This allowed backup files to be created with world-readable permissions.
Credits
This issue was discovered by Rack911labs.com.
Solution
This issue is resolved in the following builds:
68.0.15
66.0.34
64.0.42
62.0.35
SEC-331
Summary
DnsUtils allows zone creation on hostname and account subdomains.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 3.8 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
Description
When adding a DNS zone, Cpanel::DnsUtils::doadddns() did not check that the added domain was neither the server hostname nor a subdomain of a domain belonging to another user. This allowed a reseller to intercept potentially sensitive information.
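The check described above, written out as an added Perl example. It is not Cpanel::DnsUtils code; the hostname, the ownership table and the candidate zones are constructed. The part worth getting right is the label-boundary test: a suffix comparison without the leading dot would let "notexample.com" pass as a subdomain of "example.com" and, conversely, is the kind of mistake that makes such checks bypassable.

```perl
use strict;
use warnings;

# True when $child is strictly below $parent on a label boundary:
# "mail.example.com" is under "example.com"; "notexample.com" is not.
sub is_subdomain_of {
    my ($child, $parent) = @_;
    return length($child) > length($parent) + 1
        && substr($child, -(length($parent) + 1)) eq ".$parent";
}

# Returns why the zone must not be created, or undef if it may be.
# $hostname is the server FQDN; %$owned maps existing domains to owners.
sub zone_rejection {
    my ($zone, $requester, $hostname, $owned) = @_;
    for ($zone, $hostname) { $_ = lc $_; s/\.\z//; }   # normalise case and trailing dot

    return 'zone is the server hostname' if $zone eq $hostname;

    for my $domain (sort keys %$owned) {
        my $owner = $owned->{$domain};
        next if $owner eq $requester;                 # a user's own domains are fine
        my $d = lc $domain;
        return "zone already belongs to $owner"       if $zone eq $d;
        return "zone is under $d, owned by $owner"    if is_subdomain_of($zone, $d);
    }
    return undef;
}

# Constructed server state: one hostname, three domains, two other owners.
my $hostname = 'server1.hosting.example';
my %owned = (
    'example.com'       => 'alice',
    'shop.example.net'  => 'bob',
    'reseller-site.org' => 'reseller1',
);

for my $zone (qw(server1.hosting.example mail.example.com notexample.com
                 example.com. www.reseller-site.org sub.shop.example.net)) {
    my $why = zone_rejection($zone, 'reseller1', $hostname, \%owned);
    printf "%-26s %s\n", $zone, defined $why ? "refused: $why" : 'allowed';
}
```

Run as reseller1, the hostname, alice's domain (with or without the trailing dot), a subdomain of alice's domain and a subdomain of bob's are refused, while reseller1's own subdomain and the look-alike "notexample.com" are allowed. A production check would also consult every account's existing subdomains and parked or addon domains, not just the table shown here.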
Credits
This issue was discovered by Rack911labs.com.
Solution
This issue is resolved in the following builds:
68.0.15
66.0.34
64.0.42
62.0.35
SEC-332
Summary
Root crontab visible when enabling or disabling sqloptimizer.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Description
When enabling or disabling the sqloptimizer feature root’s crontab was briefly exposed to unprivileged users.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
68.0.15
66.0.34
64.0.42
62.0.35
SEC-333
Summary
Local root code execution via cpdavd.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 8.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Description
Under certain circumstances, when cpdavd processes requests, the service will attempt to lazy load Perl modules for various functionality. If this is done after cpdavd changed the root directory, it was possible for an attacker to execute arbitrary code as the root user.
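An added Perl example of the lazy-loading problem and its fix; it is not cpdavd code. chroot() requires root, so the script stands in for it by pointing @INC at the place the library path would resolve to once the process is confined to the user's home. The module name Hypothetical::Lazy and both directory trees are made up for the example.

```perl
use strict;
use warnings;
use File::Path qw(make_path);
use File::Temp qw(tempdir);

# Write a module called Hypothetical::Lazy (a made-up name) under $lib,
# recording where it was loaded from.
sub write_module {
    my ($lib, $origin) = @_;
    make_path("$lib/Hypothetical");
    open(my $fh, '>', "$lib/Hypothetical/Lazy.pm") or die "$lib: $!";
    print $fh "package Hypothetical::Lazy;\nour \$ORIGIN = '$origin';\n1;\n";
    close $fh;
}

# $trusted_lib is the real system library path. $jail_lib is what that same
# path resolves to after chroot() into the user's home: a tree the user
# controls, where they have planted their own copy of the module.
my $base        = tempdir(CLEANUP => 1);
my $trusted_lib = "$base/usr/local/lib";
my $jail_lib    = "$base/home/user/usr/local/lib";
write_module($trusted_lib, 'trusted');
write_module($jail_lib,    'planted by the user');

# Vulnerable flow: confine first, then load on demand. require() searches
# @INC inside the jail and executes whatever the user planted, as root.
sub lazy_load_after_chroot {
    delete $INC{'Hypothetical/Lazy.pm'};          # fresh process: nothing loaded yet
    local @INC = ($jail_lib);                     # stands in for chroot()
    require Hypothetical::Lazy;
    return $Hypothetical::Lazy::ORIGIN;
}

# Fixed flow: load every module the service can need while still outside
# the jail. Once a module is in %INC, a later require() is a no-op that
# never touches the filesystem, so the planted copy is never read.
sub preload_then_chroot {
    delete $INC{'Hypothetical/Lazy.pm'};
    { local @INC = ($trusted_lib); require Hypothetical::Lazy; }
    local @INC = ($jail_lib);                     # stands in for chroot()
    require Hypothetical::Lazy;                   # already in %INC: no lookup
    return $Hypothetical::Lazy::ORIGIN;
}

print "lazy load after chroot: ", lazy_load_after_chroot(), "\n";
print "preload, then chroot:   ", preload_then_chroot(), "\n";
```

The first line reports the planted copy, the second the trusted one. The general rule for any daemon that chroots or drops privileges: pull in every module, shared library and data file before the confinement step, and check that nothing in the request path can trigger a first-time load afterwards.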
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
68.0.15
66.0.34
64.0.42
62.0.35
SEC-334
Summary
User accounts partially created with invalid username formats.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 2.6 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:N
Description
Attempting to transfer, restore, or rearrange a cPanel account with a username composed entirely of numbers and symbols could result in partial account creation and cause mail delivery to run as the wrong user. Usernames in this format are now prohibited, along with usernames containing uppercase characters.
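The reserved-name and username-format rules from SEC-326, SEC-327, SEC-328 and SEC-334 combined into one added Perl example; it is not cPanel's account-creation code. The aliases text, the candidate usernames and the exact rule set are constructed from what the advisories state: names from /etc/aliases and /etc/localaliases plus postmaster, webmaster and ssl are refused, uppercase characters are refused, and a name with no letters at all is refused.

```perl
use strict;
use warnings;

# Parse sendmail/Exim alias files (/etc/aliases, /etc/localaliases) and
# return a set of the alias names on the left-hand side. Format handled:
#   name: target[, target ...]   one alias per line
#   # comment / blank            ignored
#   <leading whitespace>         continuation of the previous target list
sub alias_names {
    my ($text) = @_;
    my %names;
    for my $line (split /\n/, $text) {
        next if $line =~ /^\s*(?:#|$)/;   # comment or blank
        next if $line =~ /^\s/;           # continuation line: targets, not a name
        $names{ lc $1 } = 1 if $line =~ /^([^:\s]+)\s*:/;
    }
    return \%names;
}

# Names the advisories reserve outright (SEC-326: postmaster, SEC-327:
# webmaster, SEC-328: ssl; root is listed for the same reason).
my @always_reserved = qw(root postmaster webmaster ssl);

# Returns the reason a username must be rejected, or undef if it may be
# created. Rules are limited to what TSR-2017-0006 describes.
sub username_rejection {
    my ($name, $reserved) = @_;
    return 'contains uppercase characters'            if $name =~ /[A-Z]/;
    return 'contains no letter (digits/symbols only)' if $name !~ /[a-z]/;
    return "collides with mail alias or system name '$name'" if $reserved->{$name};
    return undef;
}

# Constructed sample of /etc/aliases; a real system reads both files.
my $aliases = <<'END';
# constructed sample
mailer-daemon:  postmaster
postmaster:     root
abuse:          root
security:       root,
                postmaster
webmaster:      root
END

my %reserved = ( %{ alias_names($aliases) }, map { $_ => 1 } @always_reserved );

for my $candidate (qw(alice Alice 12345 postmaster ssl mailer-daemon abuse)) {
    my $why = username_rejection($candidate, \%reserved);
    printf "%-14s %s\n", $candidate, defined $why ? "rejected: $why" : 'ok';
}
```

Only "alice" is accepted. The interception risk the three reserved-name advisories describe exists because local delivery for root@hostname, ssl@hostname and the alias targets resolves to a local user of that name, so any list derived from the alias files has to be re-read whenever those files change, not built once at install time.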
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
68.0.15
66.0.34
64.0.42
62.0.35
SEC-336
Summary
Stored-XSS vulnerability via cpaddons moderated upgrade.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 2.5 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N
Description
It was possible to coerce a cPAddon upgrade to occur when an install was intended, via the moderated installs feature of cPAddons. When obsolete files are removed from the installation, a file listing is given. These file names were not adequately encoded in the listed output. This allowed an attacker to inject arbitrary code into the rendered page.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
68.0.15
66.0.34
64.0.42
62.0.35
SEC-337
Summary
Code execution as ‘nobody’ account via Mailman archives.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 7.4 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Description
Accounts whose domain uses the ‘mbox’ TLD could collide with other domains in the Mailman archive directories. This allowed the creation of files with restricted file extensions, and code execution as the webserver user.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
68.0.15
66.0.34
64.0.42
62.0.35
SEC-341
Summary
Domain data can be deleted for domains with ‘lock’ TLD.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 3.1 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
Description
Domains that use the ‘lock’ TLD conflict with the standard naming scheme for cPanel ‘safelock’ files. This behavior allowed attackers to delete domain-named files in some limited circumstances.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
68.0.15
66.0.34
64.0.42
62.0.35
SEC-345
Summary
Arbitrary file read in backup htaccess modification logic.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 6.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Description
On systems configured with EasyApache 4, the htaccess files of accounts are modified in the backup to remove the PHP handler settings. The method used to perform these modifications was vulnerable to time-of-check-time-of-use attacks that could be used to store arbitrary files into the user’s backup tarball.
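SEC-310 and SEC-345 are both a privileged backup process reading a path the account controls. The Perl below is an added example of the defensive pattern for that situation; it is not cPanel's backup code, and the home directory layout, the planted symlink and the .htaccess content are constructed. The two points it demonstrates: refuse symlinks at open time with O_NOFOLLOW instead of checking with lstat() first, and validate the file descriptor you actually hold with fstat() so the check and the read cannot refer to different inodes.

```perl
use strict;
use warnings;
use Fcntl qw(O_RDONLY O_NOFOLLOW);   # O_NOFOLLOW: Linux and the BSDs
use File::Temp qw(tempdir);

# Open with O_NOFOLLOW so a symlink at $path is refused by the kernel, then
# validate the open handle with fstat (stat on a filehandle), not the path.
# Both check and use then refer to the same inode, which closes the
# check-then-open race in SEC-345. Returns the contents or an error string.
sub read_user_file {
    my ($path, $expected_uid) = @_;
    sysopen(my $fh, $path, O_RDONLY | O_NOFOLLOW)
        or return "refused: $!";                  # ELOOP when $path is a symlink
    my @st = stat $fh;                            # fstat on the descriptor we hold
    return 'refused: not a regular file'        unless -f _;
    return 'refused: not owned by the account'  if $st[4] != $expected_uid;
    local $/;                                     # slurp
    my $content = <$fh>;
    close $fh;
    return $content;
}

# Constructed layout: a home directory with a real .htaccess, and a second
# entry that is a symlink to a file outside the home (what a jailed user
# plants so the backup copies restricted data for them, as in SEC-310).
my $base = tempdir(CLEANUP => 1);
mkdir "$base/home"    or die $!;
mkdir "$base/outside" or die $!;
open(my $h, '>', "$base/home/.htaccess") or die $!;
print $h "AddHandler application/x-httpd-php .php\n";
close $h;
open(my $s, '>', "$base/outside/secret") or die $!;
print $s "not for the backup\n";
close $s;
symlink "$base/outside/secret", "$base/home/planted" or die $!;

my $uid = $<;   # the account this script runs as stands in for the owner
for my $name ('.htaccess', 'planted') {
    my $result = read_user_file("$base/home/$name", $uid);
    print "$name: ", ($result =~ /^refused/ ? $result : 'read ok'), "\n";
}
```

The real .htaccess is read; the planted symlink is refused at open time with ELOOP. Two caveats a backup author should keep in mind: O_NOFOLLOW only covers the final path component, so a symlinked directory earlier in the path still has to be handled (openat() walking one component at a time, or doing the whole read as the account's own uid), and the ownership check should compare against the account's uid from the password database rather than trusting anything found in the home directory.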
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
68.0.15
66.0.34
64.0.42
62.0.35
For the PGP-Signed version of this announcement please see: https://news.cpanel.com/wp-content/uploads/2017/11/TSR-2017-0006.disclosure.signed.txt