-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

In December 2016, the cPanel Security Team became aware of potential vulnerabilities in cPanel & WHM following an investigation of the hints provided in the Shadow Brokers / Equation Group leaks. During our investigation, we found several vulnerabilities in cgiecho and cgiemail, one of which could be leveraged for remote code execution as an unprivileged user, and patched the vulnerabilities in the first TSR release of 2017 (TSR-2017-0001).

Following the additional public disclosure by the Shadow Brokers on April 8, 2017, we are able to confirm that the exploit ElegantEagle was utilizing the since-patched cgiemail format string injection vulnerability (CVE-2017-5613). All versions of cPanel & WHM 54 and newer were successfully patched in January 2017. We are also able to confirm that the other exploits referenced in the leaks (ElatedMonkey, EndlessDonut) were independently discovered and fixed in previous updates.

Additionally, we plan to discontinue support for cgiemail and cgiecho, primarily because the software has been abandoned by its upstream author and has various design issues. This software will be removed in future updates of cPanel & WHM.
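The vulnerability class named above, format string injection, shown as an added illustration that is not cPanel's or cgiemail's code: a constructed C example of the unsafe pattern (untrusted text reaching a printf-family function as the format argument), the literal-format fix, and a purpose-built placeholder expander that a CGI mailer could use instead of printf-style formatting. The function names, the `{name}` placeholder syntax and the sample values are assumptions made for this example.

```c
/* Added example (not cgiemail's code): the format-string bug class behind
 * CVE-2017-5613 and two ways to avoid it. All names and inputs are constructed. */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Vulnerable pattern: attacker-controlled text is used as the *format*
 * argument. Any '%' conversions in it are interpreted by the C library,
 * so the caller no longer controls what is read or written. */
int render_vulnerable(char *out, size_t outlen, const char *user_text) {
    return snprintf(out, outlen, user_text);   /* format comes from the user */
}

/* Fix 1: the format string is a compile-time literal and the untrusted
 * text is passed as data, so '%' in it is just a character. */
int render_safe(char *out, size_t outlen, const char *user_text) {
    return snprintf(out, outlen, "%s", user_text);
}

/* Fix 2: a mailer that needs templates with placeholders should expand
 * them with its own substitution routine rather than the printf family.
 * Here a placeholder is {name}; unknown placeholders and every other
 * byte (including '%') are copied verbatim. Returns the output length,
 * or -1 if the result would not fit in outlen bytes. */
typedef struct { const char *key; const char *value; } kv_t;

int expand_template(char *out, size_t outlen, const char *tmpl,
                    const kv_t *vars, size_t nvars) {
    size_t o = 0;
    const char *p = tmpl;
    while (*p) {
        if (*p == '{') {
            const char *close = strchr(p, '}');
            if (close) {
                size_t klen = (size_t)(close - p - 1);
                const char *val = NULL;
                for (size_t i = 0; i < nvars; i++) {
                    if (strlen(vars[i].key) == klen &&
                        strncmp(vars[i].key, p + 1, klen) == 0) {
                        val = vars[i].value;
                        break;
                    }
                }
                if (val) {
                    size_t vlen = strlen(val);
                    if (o + vlen >= outlen) return -1;
                    memcpy(out + o, val, vlen);
                    o += vlen;
                    p = close + 1;
                    continue;
                }
            }
        }
        if (o + 1 >= outlen) return -1;   /* keep room for the terminator */
        out[o++] = *p++;
    }
    out[o] = '\0';
    return (int)o;
}

/* Defensive check for legacy code that cannot yet be rewritten: returns 1
 * if untrusted text contains a '%' and therefore must not reach a
 * printf-family function as its format argument. */
int has_format_directive(const char *s) {
    return strchr(s, '%') != NULL;
}

int main(void) {
    char buf[64];
    kv_t vars[] = { {"name", "Alice"}, {"email", "a@example.test"} };  /* constructed */
    render_safe(buf, sizeof buf, "100%x");
    printf("safe:     %s\n", buf);
    expand_template(buf, sizeof buf, "From {name} <{email}> 100%", vars, 2);
    printf("template: %s\n", buf);
    printf("directive present: %d\n", has_format_directive("%n"));
    return 0;
}
```

The first function is the shape of the bug, kept only to contrast with the fixes; `render_safe` is the one-line change for code that simply echoes text, and `expand_template` is the approach for code that genuinely needs templates, since it gives `%` no special meaning at all.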
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5613
https://news.cpanel.com/tsr-2017-0001-full-disclosure/

-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org

iQIcBAEBCgAGBQJY971fAAoJEJUhvtyr2U3foXQQANMsjnG80MHTdpvn+QZkxQMr
la8v+cBx5kdiqSuYrMbNwVPOasKjHaVHxlC9Z0K2m26v10IBuykygF3RNqI30tc3
Fa5GWcNMoChg3KZt3zakuHGqI9aSJm+PnW8/zppfCDyIS04uKTAQ3+8QtiIl9YbE
PXMNS1XhmbuWnMyGXoAmtL6Wit7Cn9qL8PbfL1FiCpc3GVLobi4LQ9haixgqPhdt
hI01vIcGq9y+w3mndu7EEn6Or4d1b5KrGKxbqhiVfx67OjjvVYE36aKXPRoZwDHM
McqzxxspEUpcjZh4zGe1hA4Ee0POyokTIZee3UvuofoYRJjA7AFrExOcUXFyXRpR
exHFhHAlHFvyqZHlSQfpeb+ii1IlkEZkczE8RcSF9D3px31EEfV/iyXmw2ZLAHNC
3xblj2wqefF1C4dmucwazxEpLWEirtVhwbbO2rNWqo2yg6858FoBLIIFgx/pUReM
stbaFLSf0hcdos4XqEPJGILFPqIJOI+oL1VDi0Qbr146IsSj/CzOXAxPgC5uwRWO
M5ERwrDuPBD0bXVu52vYJ8KAeRndtO0mVG5REE5OnGJiBSN4os/G5a4STdgehOxJ
1GZbGZCcCQK7tu7BOoHospiyEewaM8BThAZ3ni6R7Xahb9JR84Z4loR+GPP/jDyg
7HRxxfwH+tCrfcX1iRgF
=IpZ4
-----END PGP SIGNATURE-----