cPanel Security Team: Cgiemail (CVE-2017-5613)

In December 2016, the cPanel Security Team became aware of potential vulnerabilities in cPanel & WHM after investigating the hints provided in the Shadow Brokers / Equation Group leaks. During our investigation, we found several vulnerabilities in cgiecho and cgiemail, one of which could be leveraged for remote code execution as an unprivileged user. We patched these vulnerabilities in the first TSR release of 2017 (TSR-2017-0001).

Following the additional public disclosure by the Shadow Brokers on April 8, 2017, we are able to confirm that the ElegantEagle exploit used the since-patched cgiemail format string injection vulnerability (CVE-2017-5613). All versions of cPanel & WHM 54 and newer were successfully patched in January 2017. We are also able to confirm that the other exploits referenced in the leaks (ElatedMonkey, EndlessDonut) were independently discovered and fixed in previous updates.

Additionally, we plan to discontinue support for cgiemail and cgiecho, primarily because the software has been abandoned by its upstream author and has various design issues. This software will be removed in future updates of cPanel & WHM.


For the PGP-Signed version of this announcement, please see: