Summary
Remote code execution via Exim filter path handling.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
Description
The handling of file paths constructed from email recipient addresses in cPanel & WHM’s default Exim configuration did not adequately protect against path traversal attacks. In a default cPanel & WHM deployment, this behavior could be abused by authenticated attackers to execute arbitrary code on the server as other accounts. Abuse of this flaw by unauthenticated attackers was possible under some circumstances.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.88.0.3
11.86.0.21
11.78.0.49
Summary
Bypass of SMTP greylisting restrictions.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).
Description
Greylisting restrictions configured for the Exim SMTP daemon were not properly enforced for senders with embedded spaces.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.88.0.3
11.86.0.21
11.78.0.49
Summary
Jailshell breakout via chsh.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 5.5 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N).
Description
Some utilities such as chsh and userhelper may regain their setuid bit during RPM updates. This allowed cPanel accounts configured with jailshell to change the account’s login shell.
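A check an administrator could run after package updates to see whether such utilities carry the setuid bit again. This is an added example, not cPanel's code; the binary paths in the usage comment are assumed typical locations on RPM-based systems and do not come from the advisory.

```shell
#!/bin/sh
# Added example: detect utilities that have (re)gained the setuid bit,
# for instance after an RPM update restored the packaged file mode.

# Print every argument that is a regular file with the setuid bit set.
list_setuid() {
    for f in "$@"; do
        [ -f "$f" ] || continue          # skip missing or non-regular paths
        if [ -u "$f" ]; then             # -u: setuid bit is set
            printf '%s\n' "$f"
        fi
    done
}

# Report setuid files together with the owning package (when rpm is
# available). Returns 0 if none of the paths is setuid, 1 otherwise,
# so it can be used from cron or a post-update hook.
audit_setuid() {
    found=$(list_setuid "$@")
    if [ -z "$found" ]; then
        return 0
    fi
    printf '%s\n' "$found" | while IFS= read -r f; do
        pkg="unknown"
        if command -v rpm >/dev/null 2>&1; then
            # rpm -qf exits non-zero when no package owns the file
            pkg=$(rpm -qf --qf '%{NAME}' "$f" 2>/dev/null) || pkg="unowned"
        fi
        printf 'SETUID %s (package: %s)\n' "$f" "$pkg"
    done
    return 1
}

# Usage (assumed paths, adjust for the system being checked):
#   audit_setuid /usr/bin/chsh /usr/sbin/userhelper || echo "review file modes"
```

The package name in the report shows which RPM would restore the packaged mode on its next update.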
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.88.0.3
11.86.0.21
11.78.0.49
Summary
Insecure BIND RNDC credentials used in templated VMs.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 7.0 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).
Description
The RNDC key configured in virtual machines spawned from cPanel VM images was not regenerated in the new instance.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.88.0.3
11.86.0.21
11.78.0.49
Summary
Insecure Dovecot auth policy API key used in templated VMs.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.7 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N).
Description
The Dovecot auth policy API key configured in virtual machines spawned from cPanel VM images was not regenerated in the new instance.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.88.0.3
11.86.0.21
11.78.0.49
Summary
Insecure Mailman site password used in templated VMs.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
Description
The Mailman site password configured in virtual machines spawned from cPanel VM images was not regenerated in the new instance.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.88.0.3
11.86.0.21
11.78.0.49
Summary
Insecure SRS secret used in templated VMs.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 3.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
Description
The Exim SRS secret configured in virtual machines spawned from cPanel VM images was not regenerated in the new instance.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.88.0.3
11.86.0.21
11.78.0.49
Summary
Insecure chkservd test credentials used in templated VMs.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 9.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).
Description
The authentication credentials used by chkservd to confirm system services are accepting logins were reused in virtual machines created from cPanel VM images.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.88.0.3
11.86.0.21
11.78.0.49
Summary
World-readable permissions on proxy subdomains log file.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 3.3 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).
Description
When accessing cPanel, WHM, or Webmail via a plain, unencrypted proxy subdomain URL, the webserver log file was created with world-readable permissions. This allowed local attackers to obtain any sensitive information or credentials passed in GET requests.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.88.0.3
11.86.0.21
11.78.0.49
Summary
PowerDNS API keys set to predictable values during upgrades.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Description
During cPanel & WHM upgrades across major versions, the PowerDNS API keys were set to predictable values. A local attacker could misuse this behavior to read DNS secrets, modify DNS settings, or disable the DNS server.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.88.0.3
11.86.0.21
For the PGP-signed message, please see: TSR-2020-0003.disclosure.signed