cPanel TSR-2019-0006 Full Disclosure

SEC-499

Summary

Authentication bypass due to variations in webmail username handling.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

The process used to normalize and validate webmail account names was not consistent across different authentication subsystems. Because of these discrepancies, authenticated cPanel users could gain access to other cPanel and Webmail accounts on the system.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.84.0.10
11.82.0.18
11.78.0.43

SEC-508

Summary

Account suspension bypass via virtual mail accounts.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 2.5 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

Description

The authentication logic for some subsystems relied entirely on data stored in the cPanel account's home directory for the enforcement of account suspensions. A cPanel user could take advantage of this behavior to retain access to virtual email accounts after the user's system account was suspended.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.84.0.10
11.82.0.18
11.78.0.43

SEC-516

Summary

Authentication bypass due to faulty password file format parsing.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

The functions in cPanel & WHM that handled password and shadow file lookups did not enforce the constraints of this file format. This behavior could be misused by authenticated attackers to gain access to other accounts on the system.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.84.0.10
11.82.0.18
11.78.0.43

SEC-520

Summary

Self-XSS due to faulty JSON string escaping.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 4.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Description

The escaping method used for some JSON string interpolation in cPanel & WHM interface templates did not escape all possible character combinations unambiguously.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.84.0.10
11.82.0.18
11.78.0.43

SEC-525

Summary

Cpanel::Rand::Get can produce predictable output.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 2.5 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

Description

When the /dev/urandom device is not initialized, Cpanel::Rand::Get initializes Perl's random number generation with data from the server's environment. This data could be predictable and, when used as a seed, could cause predictable random numbers to be generated.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.84.0.10
11.82.0.18
11.78.0.43

SEC-531

Summary

MySQL dump streaming allowed reading all databases.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Description

The MySQL database dump streaming functionality passed database names to the mysqldump binary in an ambiguous fashion. An authenticated attacker could misuse this behavior to read all databases on the system.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.84.0.10
11.82.0.18

SEC-532

Summary

Root chown on arbitrary paths in cPanel log processing.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 5.6 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

Description

When processing logs to calculate bandwidth, symlinks to the processed logs are created in the user's home directory. An attacker can intercept this process to cause the ownership of an arbitrary file to be changed to the attacking user.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.84.0.10
11.82.0.18
11.78.0.43

SEC-533

Summary

Stored XSS Vulnerability in WHM Backup Restoration.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Description

Error messages displayed in the WHM Backup Restoration interface were not adequately encoded. Due to this, it was possible for an attacker to inject arbitrary code into the rendered page.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.84.0.10
11.82.0.18
11.78.0.43

SEC-534

Summary

WebDAV authentication bypass due to faulty connection sharing logic.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Description

Client authentication was not validated correctly when multiple WebDAV clients connected to the cpdavd daemon through a proxy server. Subsequent requests in a keepalive connection could inherit the authentication of prior requests.

Credits

This issue was discovered by Martin Rouf.

Solution

This issue is resolved in the following builds:
11.84.0.10
11.82.0.18
11.78.0.43

For the PGP-signed message, please see: https://news.cpanel.com/wp-content/uploads/2019/11/TSR-2019-0006.disclosure.signed.txt.
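
SEC-516 concerns password-file lookups that did not enforce the file format. The Python below is an added illustration, not cPanel's code and not a reconstruction of the flaw: a lookup and writer for the seven-field passwd(5) format that fail closed on anything that bends the format. All function names and the sample data are constructed for this example.

```python
import re

# passwd(5) record: name:password:UID:GID:GECOS:directory:shell (7 fields).
NAME_RE = re.compile(r"[a-z_][a-z0-9_.-]{0,31}")
NUM_RE = re.compile(r"[0-9]{1,10}")
CONTROL = re.compile(r"[\x00-\x1f\x7f]")

# Constructed sample data, not taken from any real system.
SAMPLE = ("root:x:0:0:root:/root:/bin/bash\n"
          "alice:x:1001:1001:Alice:/home/alice:/bin/bash\n")

class FormatError(ValueError):
    """Raised when a record does not fit the file format exactly."""

def parse_passwd_line(line):
    if CONTROL.search(line):
        raise FormatError("control character in record")
    fields = line.split(":")
    if len(fields) != 7:
        raise FormatError("expected 7 fields, got %d" % len(fields))
    name, _pw, uid, gid, gecos, home, shell = fields
    if not NAME_RE.fullmatch(name):
        raise FormatError("invalid account name")
    if not (NUM_RE.fullmatch(uid) and NUM_RE.fullmatch(gid)):
        raise FormatError("non-numeric uid or gid")
    return {"name": name, "uid": int(uid), "gid": int(gid),
            "gecos": gecos, "home": home, "shell": shell}

def lookup(passwd_text, wanted):
    """Return the one record for `wanted`, or None; fail closed otherwise."""
    found = None
    # Split on "\n" only: str.splitlines() also breaks on \r, \x0b, \x1c ...
    for line in filter(None, passwd_text.split("\n")):
        rec = parse_passwd_line(line)
        if rec["name"] == wanted:
            if found is not None:
                raise FormatError("duplicate entry for account")
            found = rec
    return found

def format_passwd_line(rec):
    """Serialize a record; refuse values that would alter its shape."""
    values = [rec["name"], "x", str(rec["uid"]), str(rec["gid"]),
              rec["gecos"], rec["home"], rec["shell"]]
    if any(":" in v or CONTROL.search(v) for v in values):
        raise FormatError("field contains ':' or a control character")
    line = ":".join(values)
    parse_passwd_line(line)  # round-trip: must parse back as one record
    return line
```

The writer and the reader share one definition of a valid record, so a value accepted when written cannot parse back as a different record or as two.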
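
SEC-532 describes a privileged ownership change on a path inside a directory the user controls. The advisory does not say how cPanel fixed it; the Python below is an added example, not cPanel's code, of the descriptor-based pattern that refuses a symlink swapped in at the target name. `chown_regular_file`, `UnsafeTarget` and the parameters are hypothetical names.

```python
import os
import stat


class UnsafeTarget(Exception):
    """The named entry is not a plain file owned by this directory."""


def chown_regular_file(dir_path, name, uid, gid):
    """Change ownership of dir_path/name without following a symlink.

    A path-based os.chown(path, uid, gid) resolves symlinks at call time,
    so whoever controls the directory decides which inode gets chowned.
    """
    if "/" in name or name in ("", ".", ".."):
        raise UnsafeTarget("name must be a single path component")
    # O_NOFOLLOW guards only the final component of dir_path; the caller
    # must make sure the parent components are not user-writable.
    dir_fd = os.open(dir_path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        try:
            # O_NONBLOCK keeps a FIFO planted at this name from blocking us.
            fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK,
                         dir_fd=dir_fd)
        except OSError as exc:
            raise UnsafeTarget("refusing %r: %s" % (name, exc.strerror))
        try:
            st = os.fstat(fd)          # inspect the inode we actually opened
            if not stat.S_ISREG(st.st_mode):
                raise UnsafeTarget("not a regular file")
            if st.st_nlink != 1:       # a hard link may alias another file
                raise UnsafeTarget("file has additional hard links")
            os.fchown(fd, uid, gid)    # acts on the descriptor, not a path
        finally:
            os.close(fd)
    finally:
        os.close(dir_fd)
```

The check and the ownership change both operate on the same open descriptor, so there is no window between them in which the name can be re-pointed.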