cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system.
SEC-594
Summary
Avoid usage of predictable PostgreSQL socket in /tmp.
Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of 5.6 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N
Description
When installed, PostgreSQL uses a predictable socket in /tmp. It is possible for an unprivileged user to replace this socket with a socket to a process that they control.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.94.0.23
11.102.0.5
11.100.0.10
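As an added illustration of the defensive side of SEC-594 (this is constructed example code, not cPanel's or PostgreSQL's), the check below is what a client can run before connecting to a Unix-domain socket: the path must be a socket, owned by the server uid, and sit in a directory that other local users cannot write to. A predictable name in the world-writable /tmp fails that last test, which is exactly why a server-owned directory such as /var/run/postgresql is preferable. The uids, the in-memory filesystem fixtures and the three layouts in demo() are assumptions; .s.PGSQL.5432 is PostgreSQL's default socket file name.

```python
import os
import stat
from typing import Callable, Dict, Tuple

# Constructed example, not cPanel's or PostgreSQL's own code. Before a client
# connects to a Unix-domain socket it can verify that the path is really the
# server's: a socket file, owned by the server uid, in a directory that other
# local users cannot write to. A name under /tmp is predictable and the
# directory is world-writable, so any local user can create that name first;
# a server-owned directory such as /var/run/postgresql does not have that
# problem. ".s.PGSQL.5432" is PostgreSQL's default socket file name.

def socket_is_trustworthy(path: str, expected_uid: int,
                          lstat: Callable[[str], os.stat_result] = os.lstat
                          ) -> Tuple[bool, str]:
    """Return (ok, reason). `lstat` is injectable so the check runs offline."""
    try:
        st = lstat(path)
    except FileNotFoundError:
        return False, "socket does not exist"
    if not stat.S_ISSOCK(st.st_mode):
        # A symlink or regular file at the expected name is not the server.
        return False, "path is not a socket"
    if st.st_uid != expected_uid:
        return False, f"socket owned by uid {st.st_uid}, expected {expected_uid}"
    parent = os.path.dirname(path) or "/"
    try:
        pst = lstat(parent)
    except FileNotFoundError:
        return False, "socket directory does not exist"
    if pst.st_mode & stat.S_IWOTH:
        # The sticky bit on /tmp stops others deleting the server's socket,
        # but not creating the name before the server does; reject the
        # location rather than race for it.
        return False, "socket directory is world-writable"
    if pst.st_uid not in (0, expected_uid):
        return False, "socket directory is not owned by root or the server uid"
    return True, "ok"

# --- offline fixtures (constructed) -----------------------------------------

def fake_stat(mode: int, uid: int) -> os.stat_result:
    """A stat result with only mode and uid filled in."""
    return os.stat_result((mode, 0, 0, 1, uid, uid, 0, 0, 0, 0))

def make_lstat(tree: Dict[str, os.stat_result]) -> Callable[[str], os.stat_result]:
    """An lstat() over an in-memory path -> stat map."""
    def _lstat(p: str) -> os.stat_result:
        if p not in tree:
            raise FileNotFoundError(p)
        return tree[p]
    return _lstat

POSTGRES_UID = 26          # assumed for the demo; the real uid varies by system
OTHER_USER_UID = 1001      # an unprivileged local account (constructed)

def demo() -> Dict[str, Tuple[bool, str]]:
    """Three layouts: a socket in /tmp created by another user, a genuine
    server socket in /tmp, and a server socket in a server-owned directory."""
    planted = {
        "/tmp": fake_stat(stat.S_IFDIR | 0o1777, 0),
        "/tmp/.s.PGSQL.5432": fake_stat(stat.S_IFSOCK | 0o777, OTHER_USER_UID),
    }
    genuine_tmp = {
        "/tmp": fake_stat(stat.S_IFDIR | 0o1777, 0),
        "/tmp/.s.PGSQL.5432": fake_stat(stat.S_IFSOCK | 0o777, POSTGRES_UID),
    }
    run_dir = {
        "/var/run/postgresql": fake_stat(stat.S_IFDIR | 0o755, POSTGRES_UID),
        "/var/run/postgresql/.s.PGSQL.5432": fake_stat(stat.S_IFSOCK | 0o777, POSTGRES_UID),
    }
    return {
        "planted": socket_is_trustworthy("/tmp/.s.PGSQL.5432", POSTGRES_UID, make_lstat(planted)),
        "genuine_tmp": socket_is_trustworthy("/tmp/.s.PGSQL.5432", POSTGRES_UID, make_lstat(genuine_tmp)),
        "run_dir": socket_is_trustworthy("/var/run/postgresql/.s.PGSQL.5432", POSTGRES_UID, make_lstat(run_dir)),
    }

if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:12s} {'accept' if ok else 'reject'}: {why}")
```

Note that the genuine server socket in /tmp is rejected too: the check treats the location itself as the problem, which is the advisory's position, rather than trying to distinguish a real socket from a substituted one after the fact.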
SEC-607
Summary
Disable liveAPI system for accounts in demo mode.
Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of 6.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
Description
It is possible for arbitrary code to be executed via the liveAPI system when an account is in demo mode.
Credits
This issue was discovered by John Lightsey.
Solution
This issue is resolved in the following builds:
11.94.0.23
11.102.0.5
11.100.0.10
SEC-610
Summary
Escapes alert messages on the manage Git repo page.
Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of 2.6 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N
Description
If an alert message on the manage repo page contained a string wrapped in < >, the alert rendered it as an HTML element. The message is now properly escaped and shown as plain text.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.94.0.23
11.102.0.5
11.100.0.10
SEC-613
Summary
Ensure privilege check also covers reseller without domain creation.
Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of Sev-D
Description
Account creation requires root privileges to specify certain options, including homedir. The code branch to create a reseller without a domain was being invoked before this check. By placing the check before it, we can ensure that it covers the case where we are creating a reseller without a domain. Allowing a non-root reseller to specify an arbitrary home directory such as /usr/local/cpanel/Cpanel/Admin/Modules can allow them to stage Perl modules of their own for execution as root.
Credits
This issue was discovered by John Lightsey.
Solution
This issue is resolved in the following builds:
11.102.0.5
11.100.0.10
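The ordering defect in SEC-613, as an added example in constructed code (not cPanel's): a simplified account-creation handler in which the root-only-options gate sits after the reseller-without-domain branch, beside the corrected ordering that gates first, validates the requested home directory against protected system trees, and only then branches. The option names, the request shape and the protected prefix list are assumptions for the demo; /usr/local/cpanel is the location the advisory names.

```python
import os
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed example, not cPanel's code: a simplified account-creation handler
# that shows the ordering defect the advisory describes. Options that only
# root may set must be checked before any branch consumes them, including
# the branch that creates a reseller with no domain. The option names and
# directory list are assumptions for the demo.

ROOT_ONLY_OPTIONS = {"homedir"}
# /usr/local/cpanel is the location named in the advisory; the rest are
# example system prefixes a home directory should never be placed under.
PROTECTED_PREFIXES = ("/usr/local/cpanel", "/usr", "/etc", "/var/cpanel", "/root")

class CreateDenied(Exception):
    pass

@dataclass
class Request:
    caller_is_root: bool
    username: str
    domain: Optional[str] = None             # None: reseller without a domain
    options: Dict[str, str] = field(default_factory=dict)

def check_root_only_options(req: Request) -> None:
    """The privilege gate: non-root callers may not set root-only options."""
    if req.caller_is_root:
        return
    forbidden = ROOT_ONLY_OPTIONS.intersection(req.options)
    if forbidden:
        raise CreateDenied(f"non-root caller may not set {sorted(forbidden)}")

def homedir_is_safe(path: str) -> bool:
    """Reject relative paths and anything inside a protected system tree,
    after collapsing '..' so traversal cannot dodge the prefix test."""
    if not path.startswith("/"):
        return False
    norm = os.path.normpath(path)
    return not any(norm == p or norm.startswith(p + "/") for p in PROTECTED_PREFIXES)

def _create(req: Request, reseller_only: bool) -> str:
    """Stand-in for the real provisioning step; returns a description."""
    home = req.options.get("homedir", f"/home/{req.username}")
    kind = "reseller-without-domain" if reseller_only else "account"
    return f"{kind}:{req.username}:{home}"

def create_account_vulnerable(req: Request) -> str:
    # Pre-fix ordering: the no-domain branch runs before the gate, so a
    # non-root reseller's homedir option is honoured on that path.
    if req.domain is None:
        return _create(req, reseller_only=True)
    check_root_only_options(req)
    return _create(req, reseller_only=False)

def create_account_fixed(req: Request) -> str:
    # Fixed ordering: gate first, then validate, then branch.
    check_root_only_options(req)
    if "homedir" in req.options and not homedir_is_safe(req.options["homedir"]):
        raise CreateDenied("homedir is inside a protected system directory")
    if req.domain is None:
        return _create(req, reseller_only=True)
    return _create(req, reseller_only=False)

if __name__ == "__main__":
    req = Request(False, "r1", None, {"homedir": "/usr/local/cpanel/Cpanel/Admin/Modules"})
    print("pre-fix :", create_account_vulnerable(req))
    try:
        create_account_fixed(req)
    except CreateDenied as e:
        print("fixed   : denied,", e)
```

The path check is a second layer, not a replacement for the gate: even a root caller gets a refusal for a home directory inside a tree that holds privileged code.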
SEC-615
Summary
Failed linked node account creation leaves account on mail node.
Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of 3.0 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:N
Description
When creating an account with a linked mail node, the account is created on the mail node before it is created on the control node and before all validation checks are complete. This can lead to the account failing to create on the control node after it has been created on the mail node.
Credits
This issue was discovered by John Lightsey.
Solution
This issue is resolved in the following builds:
11.94.0.23
11.102.0.5
11.100.0.10
SEC-617
Summary
Demo mode status does not propagate to child nodes.
Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of 2.6 CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:N
Description
Enabling demo mode on an account that is linked to a child node does not propagate the status to the child node. This allowed an FTP user to make changes on the child node that could lead to remote code execution.
Credits
This issue was discovered by John Lightsey.
Solution
This issue is resolved in the following builds:
11.94.0.23
11.102.0.5
11.100.0.10
SEC-619
Summary
Variables::get_user_information UAPI call could reveal sensitive information.
Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Description
The Variables::get_user_information UAPI call could reveal the cPanel API token for a linked cPanel account in plain text.
Credits
This issue was discovered by John Lightsey.
Solution
This issue is resolved in the following builds:
11.94.0.23
11.102.0.5
11.100.0.10
SEC-620
Summary
cPanel account takeover via API2 savecontactinfo.
Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of 9.6 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Description
The CustInfo::savecontactinfo API2 call is available to webmail users, but it takes a username argument that allows a webmail user to change the contact information for accounts it should not have access to. This allowed a webmail user to change the contact email for the main cPanel account. With this, the webmail user could then reset the password for the cPanel account and thus gain access to it.
Credits
This issue was discovered by John Lightsey.
Solution
This issue is resolved in the following builds:
11.94.0.23
11.102.0.5
11.100.0.10
SEC-621
Summary
Sensitive information revealed by CustInfo::* API calls.
Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Description
It was possible for a webmail user to provide a username argument to the CustInfo::contactprefs and CustInfo::displaycontactinfo API calls, allowing the webmail user to obtain sensitive information belonging to other webmail users and to the cPanel account.
Credits
This issue was discovered by John Lightsey.
Solution
This issue is resolved in the following builds:
11.94.0.23
11.102.0.5
11.100.0.10
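SEC-620 and SEC-621 share one root cause: a username argument that the call honours without tying it to the caller's session. The added example below (constructed code, not cPanel's API implementation) shows that pattern beside the authorization decision that fixes it, where a webmail session may only act on itself and a cPanel session only on itself and the webmail accounts it owns. The roles, the in-memory contact store and the sample accounts are assumptions for the demo.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed example, not cPanel's code. Contact-information calls accept a
# `username` argument; the pre-fix handler trusts it, the fixed handlers
# derive the target from the authenticated session and let a cPanel-level
# caller address only the webmail accounts it owns. Roles, store layout and
# sample accounts are assumptions for the demo.

class Forbidden(Exception):
    pass

@dataclass(frozen=True)
class Session:
    user: str      # authenticated principal, e.g. "alice@example.com" or "cpuser"
    role: str      # "webmail" or "cpanel"

# Sample data (constructed): the cPanel account and two webmail accounts.
CONTACTS: Dict[str, Dict[str, str]] = {
    "cpuser": {"email": "owner@example.com"},
    "alice@example.com": {"email": "alice-alt@example.net"},
    "bob@example.com": {"email": "bob-alt@example.net"},
}
OWNER_OF: Dict[str, str] = {"alice@example.com": "cpuser", "bob@example.com": "cpuser"}

def fresh_store() -> Dict[str, Dict[str, str]]:
    """A private copy of the sample data so each call sequence starts clean."""
    return {user: dict(record) for user, record in CONTACTS.items()}

def savecontactinfo_unchecked(session: Session, store, username: str, email: str) -> Dict[str, str]:
    # Pre-fix pattern: `session` is never consulted, so whichever record
    # `username` names is updated, regardless of who is calling.
    store[username]["email"] = email
    return store[username]

def resolve_target(session: Session, username: Optional[str], owner_of: Dict[str, str]) -> str:
    """Authorization decision for the `username` argument.
    Webmail users may act only on themselves. cPanel users may act on
    themselves or on webmail accounts they own. Anything else is refused."""
    if username is None or username == session.user:
        return session.user
    if session.role == "cpanel" and owner_of.get(username) == session.user:
        return username
    raise Forbidden(f"{session.user} ({session.role}) may not act on {username}")

def displaycontactinfo(session: Session, store, owner_of, username: Optional[str] = None) -> Dict[str, str]:
    return dict(store[resolve_target(session, username, owner_of)])

def savecontactinfo(session: Session, store, owner_of, email: str, username: Optional[str] = None) -> str:
    target = resolve_target(session, username, owner_of)
    store[target]["email"] = email
    return target

def demo() -> Dict[str, object]:
    """A webmail session tries to rewrite the cPanel account's contact email
    through both handlers; the owner then reads one of its webmail accounts."""
    alice = Session("alice@example.com", "webmail")
    owner = Session("cpuser", "cpanel")
    before, after = fresh_store(), fresh_store()
    savecontactinfo_unchecked(alice, before, "cpuser", "rogue@example.net")
    try:
        savecontactinfo(alice, after, OWNER_OF, "rogue@example.net", username="cpuser")
        blocked = False
    except Forbidden:
        blocked = True
    return {
        "unchecked_owner_email": before["cpuser"]["email"],
        "fixed_blocked": blocked,
        "fixed_owner_email": after["cpuser"]["email"],
        "owner_reads_bob": displaycontactinfo(owner, after, OWNER_OF, username="bob@example.com")["email"],
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The useful property of resolve_target is that every handler funnels through one decision, so a new call that takes a username argument cannot forget the check the way an individual handler can.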
SEC-622
Summary
Fix reseller ACL restriction bypass for linked nodes.
Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of 2.2 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N
Description
When creating or editing a package, adjustments to the package settings are made based on the package owner's privileges. In a linked node setting, the command to create or edit the package is run as root, so those adjustments are not made. The fix saves and reloads the package locally so that all the ACL-based adjustments are applied to the settings before they are sent on to the remote nodes.
Credits
This issue was discovered by John Lightsey.
Solution
This issue is resolved in the following builds:
11.94.0.23
11.102.0.5
11.100.0.10
SEC-624
Summary
Root privilege escalation via the passengerapps REGISTER_APPLICATION call.
Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of 7.6 CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
Description
When registering a Passenger application, it is possible to gain root privileges by registering an application with a script posing as a node/python/ruby interpreter in the attacker's home directory. The fix restricts the interpreters to either the system binaries or one provided by an EasyApache package.
Credits
This issue was discovered by John Lightsey.
Solution
This issue is resolved in the following builds:
11.94.0.23
11.102.0.5
11.100.0.10
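The allow-list approach the SEC-624 fix describes, as an added example in constructed code (not cPanel's): an interpreter path is accepted only if, after symlinks and ".." are resolved, it lies under a trusted prefix and the file itself is root-owned and not writable by group or others. The prefix list, the EasyApache-style path layout under /opt/cpanel, the uids and the in-memory filesystem fixtures are assumptions for the demo.

```python
import os
import stat
from typing import Callable, Dict, Tuple

# Constructed example, not cPanel's code. An interpreter path supplied at
# application registration is accepted only if, after resolving symlinks and
# "..", it lives under a trusted prefix and the file is owned by root and not
# writable by group or others. The trusted list mirrors the advisory's fix
# (system binaries or an EasyApache package); the exact prefixes, the
# EasyApache path layout under /opt/cpanel, and the uids are assumptions.

TRUSTED_PREFIXES = ("/bin", "/usr/bin", "/usr/local/bin", "/opt/cpanel")

def interpreter_allowed(path: str,
                        realpath: Callable[[str], str] = os.path.realpath,
                        stat_fn: Callable[[str], os.stat_result] = os.stat,
                        trusted: Tuple[str, ...] = TRUSTED_PREFIXES) -> Tuple[bool, str]:
    """Return (ok, reason). realpath/stat_fn are injectable for offline tests."""
    if not path.startswith("/"):
        return False, "interpreter must be an absolute path"
    resolved = realpath(path)            # follows symlinks and collapses ".."
    if not any(resolved == p or resolved.startswith(p + "/") for p in trusted):
        return False, f"{resolved} is outside the trusted interpreter locations"
    try:
        st = stat_fn(resolved)
    except FileNotFoundError:
        return False, "interpreter does not exist"
    if not stat.S_ISREG(st.st_mode):
        return False, "interpreter is not a regular file"
    if st.st_uid != 0:
        return False, f"interpreter owned by uid {st.st_uid}, not root"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False, "interpreter is group- or world-writable"
    return True, "ok"

# --- offline fixtures (constructed) ----------------------------------------

def fake_stat(mode: int, uid: int) -> os.stat_result:
    return os.stat_result((mode, 0, 0, 1, uid, uid, 0, 0, 0, 0))

def make_realpath(links: Dict[str, str]) -> Callable[[str], str]:
    """realpath() over an in-memory symlink map: normalise, then follow one link."""
    def _realpath(p: str) -> str:
        norm = os.path.normpath(p)
        return links.get(norm, norm)
    return _realpath

def make_stat(files: Dict[str, os.stat_result]) -> Callable[[str], os.stat_result]:
    def _stat(p: str) -> os.stat_result:
        if p not in files:
            raise FileNotFoundError(p)
        return files[p]
    return _stat

USER_UID = 1001   # the registering user's uid (constructed)

# A symlink under a trusted prefix that points into a home directory (constructed).
LINKS = {"/usr/local/bin/node": "/home/user1/.local/bin/node"}
FILES = {
    "/usr/bin/python3": fake_stat(stat.S_IFREG | 0o755, 0),
    "/opt/cpanel/ea-ruby27/root/usr/bin/ruby": fake_stat(stat.S_IFREG | 0o755, 0),
    "/home/user1/.local/bin/node": fake_stat(stat.S_IFREG | 0o755, USER_UID),
    "/home/user1/app/python": fake_stat(stat.S_IFREG | 0o755, USER_UID),
    "/usr/local/bin/perl": fake_stat(stat.S_IFREG | 0o777, 0),   # root-owned but world-writable
}

def check(path: str) -> Tuple[bool, str]:
    """Run the policy against the constructed filesystem."""
    return interpreter_allowed(path, make_realpath(LINKS), make_stat(FILES))

if __name__ == "__main__":
    for p in ("/usr/bin/python3", "/opt/cpanel/ea-ruby27/root/usr/bin/ruby",
              "/home/user1/app/python", "/usr/bin/../../home/user1/app/python",
              "/usr/local/bin/node", "/usr/local/bin/perl", "python3"):
        ok, why = check(p)
        print(f"{'accept' if ok else 'reject'} {p}: {why}")
```

Resolving before comparing matters: a prefix test on the raw string would accept both the ".." form and the symlink, which is why the ownership and writability tests run on the resolved path too.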
SEC-625
Summary
Sanitizes the domain name on the manage DNS zones page.
Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of 2.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N
Description
Prevents an XSS attack using lodash on the manage DNS zones page.
Credits
This issue was discovered by John Lightsey.
Solution
This issue is resolved in the following builds:
11.94.0.23
11.102.0.5
11.100.0.10
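SEC-610 and SEC-625 are both cases of a user-controlled string reaching page markup. The added example below (constructed code, not cPanel's front end) shows the two standard remedies side by side: output escaping for free-form text such as an alert message, so a < > wrapped string displays literally, and input validation against a hostname grammar for a value that should never contain markup at all, such as a DNS zone name. The label rules follow the usual hostname syntax; the markup fragments are assumptions for the demo.

```python
import html
import re

# Constructed example, not cPanel's front-end code. Two user-controlled
# strings that end up in page markup: an alert message on a repository page
# and a zone name on a DNS page. The alert is rendered with the text escaped
# so "<b>x</b>" displays literally; the zone name is validated against an
# allow-list grammar before use, so anything that is not a hostname is
# refused outright.

# One hostname label: 1..63 chars of letters, digits and hyphen, not starting
# or ending with a hyphen.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def is_valid_zone_name(name: str) -> bool:
    """Allow-list check: a dotted sequence of valid labels, at most 253 chars
    (a single trailing dot for the root is tolerated)."""
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    return all(LABEL.match(label) for label in name.split("."))

def render_alert_unescaped(message: str) -> str:
    # The pre-fix pattern: the message is concatenated straight into markup,
    # so a "<b>" inside it becomes an element rather than text.
    return f'<div class="alert">{message}</div>'

def render_alert(message: str) -> str:
    # Fixed: escape so < > & " ' become entities and display as text.
    return f'<div class="alert">{html.escape(message, quote=True)}</div>'

def zone_heading(zone: str) -> str:
    """Validate first; escaping is still applied as belt and braces, but a
    name that fails the grammar never reaches the template at all."""
    if not is_valid_zone_name(zone):
        raise ValueError("not a valid zone name")
    return f"<h2>{html.escape(zone)}</h2>"

if __name__ == "__main__":
    msg = "Repository <b>demo</b> updated"
    print(render_alert_unescaped(msg))
    print(render_alert(msg))
    for z in ("example.com", "sub.example.co.uk.", "-bad.example.com", "ex<ample.com"):
        print(z, "->", "valid" if is_valid_zone_name(z) else "rejected")
```

Escaping is the right tool when the value legitimately may contain any character; validation is the right tool when the value has a known grammar, and a zone name that fails it is an error to report, not a string to sanitise.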
For the PGP-signed message, please see the linked document below.