Yesterday cPanel released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. Below is the full disclosure of the changes included in that update.
Information on cPanel’s security ratings is available at https://go.cpanel.net/securitylevels.
If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installations at your earliest convenience.
Summary
Local code execution as other cPanel accounts via insecure cpphp execution.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 5.0 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L
Description
Files with the ‘cpphp’ and ‘php’ file extensions inside cPanel themes are processed first by the cPanel tag parser engine, then by the php-cgi binary. During the secondary processing by the PHP engine, the working directory was switched to an insecure location that could contain malicious INI files.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.80.0.5
11.78.0.24
Summary
Unsafe file operations as root via fetch_ssl_certificates_for_fqdns API.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 5.6 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
Description
The fetch_ssl_certificates_for_fqdns API call utilizes the Cpanel::SSL::Search::fetch_users_certificates_for_fqdns() function to search for and load SSL certificates for a user’s domain from the user’s home directory as the root user. During this process a cache file is created. Because of this, it was possible for an attacker to overwrite and/or read root-owned files.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.80.0.5
11.78.0.24
Summary
Queueprocd log is created with world readable permissions.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 3.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Description
The process by which the queueprocd log is created was recently modified, causing it to be created with world-readable permissions. This log file could potentially contain sensitive information.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.80.0.5
11.78.0.24
Summary
API Analytics adminbin allows arbitrary data to be inserted into log.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 3.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Description
The only restriction on data passed to the LOG_OPERATION function of the API Analytics adminbin is that it must not contain newlines, and must start and end with curly brackets. Any other arbitrary data could be written to this log file.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.80.0.5
11.78.0.24
Summary
Arbitrary file modification for demo accounts via extractfile API1 call.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Description
The Fileman::extractfile API1 function was incorrectly set to allow demo account access. This API call could be abused to modify any files in the demo account’s home directory.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.80.0.5
11.78.0.24
Summary
Demo account code execution via ajax_maketext_syntax_util.pl.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 7.4 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Description
The ACL and Demo check subroutine in ajax_maketext_syntax_util.pl was refactored to avoid use of the DEMO environment variable. This caused the script to allow execution when called by any cPanel user, including demo accounts. This could allow for execution of arbitrary code by demo account users.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.80.0.5
11.78.0.24
For the PGP-signed message, please see: TSR-2019-0003 Full Disclosure.