Newsroom

cPanel TSR-2019-0003 Full Disclosure

Yesterday cPanel released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. Below is the full disclosure of the changes included in that update.

Information on cPanel’s security ratings is available at https://go.cpanel.net/securitylevels.

If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installations at your earliest convenience.

SEC-486

Summary

Local code execution as other cPanel accounts via insecure cpphp execution.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 5.0 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L

Description

Files with the ‘cpphp’ and ‘php’ file extensions inside cPanel themes are processed first by the cPanel tag parser engine, then by the php-cgi binary. During the secondary processing by the PHP engine, the working directory was switched to an insecure location that could contain malicious INI files.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.80.0.5
11.78.0.24

SEC-489

Summary

Unsafe file operations as root via fetch_ssl_certificates_for_fqdns API.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 5.6 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

Description

The fetch_ssl_certificates_for_fqdns API call utilizes the Cpanel::SSL::Search::fetch_users_certificates_for_fqdns() function to search for and load SSL certificates for a user’s domain from the user’s home directory as the root user. During this process a cache file is created. Because of this, it was possible for an attacker to overwrite and/or read root-owned files.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.80.0.5
11.78.0.24

SEC-494

Summary

Queueprocd log is created with world readable permissions.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 3.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Description

The process by which the queueprocd log is created was recently modified, causing it to be created with world-readable permissions. This log file could potentially contain sensitive information.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.80.0.5
11.78.0.24

SEC-495

Summary

API Analytics adminbin allows arbitrary data to be inserted into log.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 3.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Description

The only restriction on data passed to the LOG_OPERATION function of the API Analytics adminbin is that it must not contain newlines, and must start and end with curly brackets. Any other arbitrary data could be written to this log file.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.80.0.5
11.78.0.24

SEC-496

Summary

Arbitrary file modification for demo accounts via extractfile API1 call.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Description

The Fileman::extractfile API1 function was incorrectly set to allow demo account access. This API call could be abused to modify any files in the demo account’s home directory.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.80.0.5
11.78.0.24

SEC-498

Summary

Demo account code execution via ajax_maketext_syntax_util.pl.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 7.4 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

Description

The ACL and Demo check subroutine in ajax_maketext_syntax_util.pl was refactored to avoid use of the DEMO environment variable. This caused the script to allow execution when called by any cPanel user, including demo accounts. This could allow for execution of arbitrary code by demo account users.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.80.0.5
11.78.0.24

For the PGP-signed message, please see: TSR-2019-0003 Full Disclosure.