cPanel TSR-2022-0001 Full Disclosure

cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system.

SEC-594

Summary

Avoid usage of predictable PostgreSQL socket in /tmp.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 5.6 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N

Description

When installed, PostgreSQL uses a socket at a predictable path in /tmp. It is possible for an unprivileged user to replace this socket with a socket to a process that they control.
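A socket in a world-writable directory is only as trustworthy as the check a client makes before connecting to it. The following is an added example, not cPanel's or PostgreSQL's code: it refuses a path unless it is a genuine socket (not a symlink) owned by the uid the service is expected to run as. The scenario in `demo()` is constructed in a private temporary directory, and the `.s.PGSQL.5432` name follows PostgreSQL's default socket naming.

```python
# Added example, not cPanel's code: a client-side check to run before
# connecting to a Unix-domain socket that lives in a shared, world-writable
# directory such as /tmp. It uses lstat so a symlink planted at the path is
# not followed, and requires the owner to be the service's expected uid.
import os
import socket
import stat
import tempfile


class UntrustedSocket(Exception):
    """Raised when the path cannot be trusted as the service's socket."""


def check_socket(path, expected_uid):
    """Return the lstat result if `path` is a real (non-symlink) socket owned
    by `expected_uid`; otherwise raise UntrustedSocket with the reason."""
    try:
        st = os.lstat(path)            # lstat: never follow a planted symlink
    except FileNotFoundError:
        raise UntrustedSocket(f"{path}: no such file")
    if stat.S_ISLNK(st.st_mode):
        raise UntrustedSocket(f"{path}: is a symbolic link")
    if not stat.S_ISSOCK(st.st_mode):
        raise UntrustedSocket(f"{path}: not a socket")
    if st.st_uid != expected_uid:
        raise UntrustedSocket(
            f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
    return st


def socket_is_trusted(path, expected_uid):
    """Boolean wrapper around check_socket()."""
    try:
        check_socket(path, expected_uid)
        return True
    except UntrustedSocket:
        return False


def demo():
    """Constructed scenario in a private temp dir: a socket bound by this
    process (hence owned by our uid), a regular file, and a missing path.
    Returns the four trust verdicts."""
    with tempfile.TemporaryDirectory() as d:
        sock_path = os.path.join(d, ".s.PGSQL.5432")   # PostgreSQL's default socket name
        plain_path = os.path.join(d, "not-a-socket")
        with open(plain_path, "w"):
            pass
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        try:
            srv.bind(sock_path)
            me = os.getuid()
            return (
                socket_is_trusted(sock_path, me),        # genuine socket, right owner
                socket_is_trusted(sock_path, me + 1),    # right socket, unexpected owner
                socket_is_trusted(plain_path, me),       # regular file at the path
                socket_is_trusted(os.path.join(d, "missing"), me),
            )
        finally:
            srv.close()


if __name__ == "__main__":
    print(demo())   # (True, False, False, False)
```

The ownership check narrows the window but does not remove it: in a sticky world-writable directory any user can still create the name first when the service is down. The durable fix, which is what moving the socket out of /tmp achieves, is a socket directory that only the service account and root can write to.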

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.94.0.23
11.102.0.5
11.100.0.10

SEC-607

Summary

Disable liveAPI system for accounts in demo mode.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 6.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N

Description

It is possible for arbitrary code to be executed via the liveAPI system when an account is in demo mode.

Credits

This issue was discovered by John Lightsey.

Solution

This issue is resolved in the following builds:
11.94.0.23
11.102.0.5
11.100.0.10

SEC-610

Summary

Escapes alert messages on manage git repo page.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 2.6 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N

Description

If an alert message on the manage repo page contained a string wrapped in < and >, the alert rendered it as an HTML element. The message is now properly escaped and shows as plain text.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.94.0.23
11.102.0.5
11.100.0.10

SEC-613

Summary

Ensure privilege check also covers reseller without domain creation.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of Sev-D

Description

Account creation requires root privileges to specify certain options, including homedir. The code branch that creates a reseller without a domain was invoked before this check. Placing the check before that branch ensures that it also covers the case of creating a reseller without a domain. Allowing a non-root reseller to specify an arbitrary home directory such as /usr/local/cpanel/Cpanel/Admin/Modules could allow them to stage Perl modules of their own for execution as root.
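The bug class here is a privilege check that sits after an early-return branch. As an added example (not cPanel's code), the following shows a hypothetical `create_account` in both orderings so the difference can be tested directly; the option list, the callers and the stand-in provisioning step are constructed for the example, with `homedir` being the option the advisory names.

```python
# Added example, not cPanel's code: a privilege check placed after an
# early-return branch versus the same check placed first. Option names
# other than homedir, the callers and _do_create are placeholders.
from dataclasses import dataclass

# Options that only root may set. homedir is the one named in the advisory.
ROOT_ONLY_OPTIONS = frozenset({"homedir"})


class PrivilegeError(PermissionError):
    pass


@dataclass(frozen=True)
class Caller:
    name: str
    is_root: bool


def check_root_only_options(caller, opts):
    """Refuse root-only options from a non-root caller. Must run before any
    branch that can create something."""
    if caller.is_root:
        return
    used = sorted(k for k in opts if k in ROOT_ONLY_OPTIONS)
    if used:
        raise PrivilegeError(f"{caller.name} may not set {', '.join(used)}")


def _do_create(kind, opts):
    """Stand-in for the provisioning step; returns what would be created."""
    return {
        "kind": kind,
        "user": opts["user"],
        "homedir": opts.get("homedir", f"/home/{opts['user']}"),
    }


def create_account_before_fix(caller, opts):
    """The reseller-without-domain branch returns before the check runs, so
    a non-root reseller's homedir is honoured on that path."""
    if opts.get("reseller") and not opts.get("domain"):
        return _do_create("reseller_without_domain", opts)
    check_root_only_options(caller, opts)
    return _do_create("standard", opts)


def create_account_after_fix(caller, opts):
    """The check is the first statement, so every branch is covered."""
    check_root_only_options(caller, opts)
    if opts.get("reseller") and not opts.get("domain"):
        return _do_create("reseller_without_domain", opts)
    return _do_create("standard", opts)


def rejected(create_fn, caller, opts):
    """True if create_fn refuses the request with PrivilegeError."""
    try:
        create_fn(caller, opts)
    except PrivilegeError:
        return True
    return False


if __name__ == "__main__":
    reseller = Caller("reseller1", is_root=False)
    request = {"user": "newres", "reseller": True, "homedir": "/srv/constructed/path"}
    print("before fix rejected:", rejected(create_account_before_fix, reseller, request))
    print("after fix rejected: ", rejected(create_account_after_fix, reseller, request))
```

The general lesson is that authorization belongs at the entry point of an operation, before any branching on the request's shape; a check that is reached only on some paths is a check that a differently shaped request can skip.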

Credits

This issue was discovered by John Lightsey.

Solution

This issue is resolved in the following builds:
11.102.0.5
11.100.0.10

SEC-615

Summary

Failed linked node account creation leaves account on mail node.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 3.0 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:N

Description

When creating an account with a linked mail node, the account is created on the mail node before it is created on the control node and before all validation checks are complete. This can lead to the account failing to create on the control node after it has been created on the mail node.
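The ordering problem described here (remote side effect first, validation afterwards) is a general one for provisioning across nodes. As an added example (not cPanel's code), the following contrasts that ordering with a safe one: validate everything, create locally, create remotely, and undo the local step if the remote one fails. The node classes, validators and account specs are in-memory stand-ins constructed for the example.

```python
# Added example, not cPanel's code: account provisioning across a control
# node and a linked mail node, in the ordering SEC-615 describes and in a
# safe ordering with compensation. Nodes and validators are stand-ins.


class Node:
    """Stand-in for a node's account store."""

    def __init__(self, name, fail_on_create=False):
        self.name = name
        self.accounts = {}
        self.fail_on_create = fail_on_create   # simulates a remote failure

    def create(self, spec):
        if self.fail_on_create:
            raise RuntimeError(f"{self.name}: account creation failed")
        self.accounts[spec["user"]] = dict(spec)

    def remove(self, user):
        self.accounts.pop(user, None)


def validate_user(spec):
    user = spec.get("user", "")
    if not user.isalnum() or len(user) > 16:
        raise ValueError(f"invalid username {user!r}")


def validate_domain(spec):
    if "." not in spec.get("domain", ""):
        raise ValueError("a fully qualified domain is required")


VALIDATORS = (validate_user, validate_domain)


def create_before_fix(spec, control, mail):
    """Remote side effect first; a later validation failure leaves the mail
    node holding an account the control node never created."""
    mail.create(spec)
    for check in VALIDATORS:
        check(spec)
    control.create(spec)


def create_after_fix(spec, control, mail):
    """All checks before any side effect; the remote step is compensated."""
    for check in VALIDATORS:
        check(spec)
    control.create(spec)
    try:
        mail.create(spec)
    except Exception:
        control.remove(spec["user"])   # do not leave a half-provisioned account
        raise


def orphans(control, mail):
    """Accounts present on the mail node but absent from the control node."""
    return sorted(set(mail.accounts) - set(control.accounts))


def run_scenarios():
    """Constructed inputs: a spec that fails validation, then a healthy spec
    against a mail node that fails. Returns what each ordering leaves behind."""
    bad_spec = {"user": "alice", "domain": "localhost"}   # no dot: fails validate_domain
    results = {}

    control, mail = Node("control"), Node("mail")
    try:
        create_before_fix(bad_spec, control, mail)
    except ValueError:
        pass
    results["before_fix_invalid_spec"] = orphans(control, mail)

    control, mail = Node("control"), Node("mail")
    try:
        create_after_fix(bad_spec, control, mail)
    except ValueError:
        pass
    results["after_fix_invalid_spec"] = orphans(control, mail)

    control, mail = Node("control"), Node("mail", fail_on_create=True)
    good_spec = {"user": "bob", "domain": "example.test"}
    try:
        create_after_fix(good_spec, control, mail)
    except RuntimeError:
        pass
    results["after_fix_remote_failure"] = (orphans(control, mail), sorted(control.accounts))
    return results


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(f"{scenario}: {outcome}")
```

An orphaned account on a mail node is worth detecting as well as preventing: a periodic reconciliation that lists accounts on each child node and compares them with the control node's records will surface exactly the state `orphans()` computes.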

Credits

This issue was discovered by John Lightsey.

Solution

This issue is resolved in the following builds:
11.94.0.23
11.102.0.5
11.100.0.10

SEC-617

Summary

Demo mode status does not propagate to child nodes.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 2.6 CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:N

Description

Enabling demo mode on an account that is linked to a child node did not propagate the status to the child node. This allowed an FTP user to make changes on the child node that could lead to remote code execution.

Credits

This issue was discovered by John Lightsey.

Solution

This issue is resolved in the following builds:
11.94.0.23
11.102.0.5
11.100.0.10

SEC-619

Summary

Variables::get_user_information UAPI call could reveal sensitive information.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Description

The Variables::get_user_information UAPI call could reveal the cPanel API token for a linked cPanel account in plain text.

Credits

This issue was discovered by John Lightsey.

Solution

This issue is resolved in the following builds:
11.94.0.23
11.102.0.5
11.100.0.10

SEC-620

Summary

cPanel account takeover via API2 savecontactinfo.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 9.6 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Description

The CustInfo::savecontactinfo API2 call is available to webmail users, but it takes a username argument that allowed a webmail user to change the contact information for accounts it should not have access to. This allowed a webmail user to change the contact email for the main cPanel account. With this, the webmail user could then reset the password for the cPanel account and thus gain access to it.

Credits

This issue was discovered by John Lightsey.

Solution

This issue is resolved in the following builds:
11.94.0.23
11.102.0.5
11.100.0.10

SEC-621

Summary

Sensitive information revealed by CustInfo::* API calls.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Description

It was possible for a webmail user to provide a username argument to the CustInfo::contactprefs and CustInfo::displaycontactinfo API calls, allowing the webmail user to obtain sensitive information belonging to other webmail users and to the cPanel account.
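SEC-620 and SEC-621 share one root cause: API calls that accept a `username` argument and act on it without checking that the caller is allowed to address that account. As an added example (not cPanel's code), the following shows an object-level authorization step applied before the read and write paths of such calls. A webmail principal may only address its own mailbox; a cPanel principal may address itself or the webmail users it owns. The principal kinds, names and in-memory contact store are constructed for the example.

```python
# Added example, not cPanel's code: object-level authorization for API
# calls that take a `username` argument. Principals, names and the contact
# store are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    kind: str                         # "cpanel" or "webmail"
    name: str                         # account name or webmail address
    owns: frozenset = frozenset()     # webmail users owned by a cPanel principal


def authorize_target(principal, username=None):
    """Return the account this call may act on, or raise PermissionError.
    The requested username defaults to the caller itself and is checked
    against the caller's identity and ownership, never trusted as given."""
    target = username or principal.name
    if principal.kind == "webmail":
        if target != principal.name:
            raise PermissionError(f"{principal.name} may not act on {target}")
        return target
    if principal.kind == "cpanel":
        if target == principal.name or target in principal.owns:
            return target
        raise PermissionError(f"{principal.name} does not own {target}")
    raise PermissionError(f"unknown principal kind {principal.kind!r}")


def save_contact_info(principal, store, email, username=None):
    """Write path: the contact email is changed only on the authorized target."""
    target = authorize_target(principal, username)
    store[target]["email"] = email
    return target


def display_contact_info(principal, store, username=None):
    """Read path: contact details are returned only for the authorized target."""
    target = authorize_target(principal, username)
    return dict(store[target])


def denied(fn, *args, **kwargs):
    """True if the call is refused with PermissionError."""
    try:
        fn(*args, **kwargs)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    store = {
        "acct": {"email": "owner@example.test"},
        "bob@example.test": {"email": "bob@example.test"},
    }
    webmail_user = Principal("webmail", "bob@example.test")
    print("webmail user addressing the account:",
          "denied" if denied(save_contact_info, webmail_user, store,
                             "x@example.test", username="acct") else "allowed")
```

Because a contact email is a password-reset channel, the write path deserves the same scrutiny as any credential change; logging every call where the requested `username` differs from the caller's own name gives a simple detection signal for probing of this kind.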

Credits

This issue was discovered by John Lightsey.

Solution

This issue is resolved in the following builds:
11.94.0.23
11.102.0.5
11.100.0.10

SEC-622

Summary

Fix reseller ACL restriction bypass for linked nodes.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 2.2 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N

Description

When creating or editing a package, adjustments to the package settings are made based on the package owner's privileges. In a linked node setting, the command to create or edit the package is run as root, so those adjustments were not made. The fix saves and reloads the package locally so that all ACL-based adjustments are applied to the settings before they are sent on to the remote nodes.

Credits

This issue was discovered by John Lightsey.

Solution

This issue is resolved in the following builds:
11.94.0.23
11.102.0.5
11.100.0.10

SEC-624

Summary

root privilege escalation via passengerapps REGISTER_APPLICATION call.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 7.6 CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H

Description

When registering a Passenger application, it was possible to gain root privileges by registering an application whose interpreter was a script posing as a node/python/ruby interpreter in the attacker's home directory. The fix restricts interpreters to either the system binaries or ones provided by an EasyApache package.
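The fix described is an allowlist on where an interpreter may live. As an added example (not cPanel's code), the following canonicalises the requested interpreter path, following every symlink, and accepts it only if the real file is an executable inside one of the allowlisted directories. The directory tree in `demo()` is constructed under a temporary directory; the `opt/cpanel/ea-nodejs16/bin` layout stands in for an EasyApache package directory and is an assumption made for the example.

```python
# Added example, not cPanel's code: accept an interpreter only if its
# canonical path lies inside an allowlisted directory. The directory tree
# in demo() is constructed; the EasyApache-style path is an assumption.
import os
import tempfile


def resolve_interpreter(requested, allowed_dirs):
    """Canonicalise `requested` (following every symlink) and return the real
    path if it is an executable regular file inside one of `allowed_dirs`.
    Callers should record and execute the returned path, not `requested`."""
    real = os.path.realpath(requested)
    if not os.path.isfile(real) or not os.access(real, os.X_OK):
        raise PermissionError(f"{requested}: not an executable file")
    for allowed in allowed_dirs:
        allowed_real = os.path.realpath(allowed)
        # commonpath equals the directory only when `real` is inside it.
        if os.path.commonpath([real, allowed_real]) == allowed_real:
            return real
    raise PermissionError(
        f"{requested}: resolves to {real}, outside the allowed directories")


def verdict(requested, allowed_dirs):
    """'accepted' or 'rejected' for a requested interpreter path."""
    try:
        resolve_interpreter(requested, allowed_dirs)
        return "accepted"
    except PermissionError:
        return "rejected"


def _make_executable(path):
    with open(path, "w") as f:
        f.write("#!/bin/sh\n")
    os.chmod(path, 0o755)


def demo():
    """Constructed tree: a system-like node binary, an EasyApache-like one, a
    copy in a user's home, and a symlink in the home pointing at the system one."""
    with tempfile.TemporaryDirectory() as root:
        sys_bin = os.path.join(root, "usr", "bin")
        ea_bin = os.path.join(root, "opt", "cpanel", "ea-nodejs16", "bin")  # assumed layout
        home_bin = os.path.join(root, "home", "alice", "bin")
        for d in (sys_bin, ea_bin, home_bin):
            os.makedirs(d)
        for d in (sys_bin, ea_bin, home_bin):
            _make_executable(os.path.join(d, "node"))
        link = os.path.join(home_bin, "node-link")
        os.symlink(os.path.join(sys_bin, "node"), link)

        allowed = [sys_bin, ea_bin]
        return {
            "system": verdict(os.path.join(sys_bin, "node"), allowed),
            "easyapache": verdict(os.path.join(ea_bin, "node"), allowed),
            "home": verdict(os.path.join(home_bin, "node"), allowed),
            "home_symlink_to_system": verdict(link, allowed),
        }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

Note that a symlink in the home directory pointing at the system interpreter is accepted, because the file that would actually run is the system one; what matters is that the resolved path, not the user-supplied one, is what gets stored and executed. A prefix comparison on the raw string would get both the symlink case and `../` sequences wrong, which is why the check works on `realpath` output.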

Credits

This issue was discovered by John Lightsey.

Solution

This issue is resolved in the following builds:
11.94.0.23
11.102.0.5
11.100.0.10

SEC-625

Summary

Sanitizes domain name on manage dns zones page.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 2.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N

Description

Prevents an XSS attack on the manage DNS zones page by sanitizing the domain name (using lodash).

Credits

This issue was discovered by John Lightsey.

Solution

This issue is resolved in the following builds:
11.94.0.23
11.102.0.5
11.100.0.10

For the PGP-signed message, please see the linked document below.