cPanel TSR (TODO) Full Disclosure

SEC-485

Summary

Remote code execution via Exim filter path handling.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 9.9 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Description

The handling of file paths constructed from email recipient addresses in cPanel & WHM's default Exim configuration did not adequately protect against path traversal attacks. In a default cPanel & WHM deployment, this behavior could be abused by authenticated attackers to execute arbitrary code on the server as other accounts. Abuse of this flaw by unauthenticated attackers was possible under some circumstances.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.88.0.3
11.86.0.21
11.78.0.49

SEC-491

Summary

Bypass of SMTP greylisting restrictions.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Description

Greylisting restrictions configured for the Exim SMTP daemon were not properly enforced for senders with embedded spaces.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.88.0.3
11.86.0.21
11.78.0.49

SEC-497

Summary

Jailshell breakout via chsh.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Description

Some utilities such as chsh and userhelper may regain their setuid bit during RPM updates. This allowed cPanel accounts configured with jailshell to change the account's login shell.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.88.0.3
11.86.0.21
11.78.0.49

SEC-549

Summary

Insecure BIND RNDC credentials used in templated VMs.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

The RNDC key configured in virtual machines spawned from cPanel VM images was not regenerated in the new instance.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.88.0.3
11.86.0.21
11.78.0.49

SEC-550

Summary

Insecure Dovecot auth policy API key used in templated VMs.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Description

The Dovecot auth policy API key configured in virtual machines spawned from cPanel VM images was not regenerated in the new instance.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.88.0.3
11.86.0.21
11.78.0.49

SEC-551

Summary

Insecure Mailman site password used in templated VMs.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

The Mailman site password configured in virtual machines spawned from cPanel VM images was not regenerated in the new instance.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.88.0.3
11.86.0.21
11.78.0.49

SEC-552

Summary

Insecure SRS secret used in templated VMs.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Description

The Exim SRS secret configured in virtual machines spawned from cPanel VM images was not regenerated in the new instance.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.88.0.3
11.86.0.21
11.78.0.49

SEC-554

Summary

Insecure chkservd test credentials used in templated VMs.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 9.0 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Description

The authentication credentials used by chkservd to confirm system services are accepting logins were reused in virtual machines created from cPanel VM images.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.88.0.3
11.86.0.21
11.78.0.49

SEC-558

Summary

World-readable permissions on proxy subdomains log file.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Description

When accessing cPanel, WHM, or Webmail via a plain, unencrypted proxy subdomain URL, the webserver log file was created with world-readable permissions. This allowed local attackers to obtain any sensitive information or credentials passed in GET requests.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.88.0.3
11.86.0.21
11.78.0.49

SEC-561

Summary

PowerDNS API keys set to predictable values during upgrades.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

During cPanel & WHM upgrades across major versions, the PowerDNS API keys were set to predictable values. A local attacker could misuse this behavior to read DNS secrets, modify DNS settings, or disable the DNS server.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.88.0.3
11.86.0.21
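
For the five templated-VM issues in this advisory (SEC-549, SEC-550, SEC-551, SEC-552 and SEC-554), the following added example, which is not cPanel's code, shows one way to find instances that still share an image's secrets: each host reports a keyed fingerprint per secret, and the collector groups hosts whose fingerprints match. The secret labels, host names, audit key and sample values are constructed for illustration.

```python
import hashlib
import hmac
from collections import defaultdict

# Labels for the secret kinds named in SEC-549, SEC-550, SEC-551, SEC-552, SEC-554.
KINDS = ("rndc_key", "dovecot_auth_policy_key", "mailman_site_password",
         "srs_secret", "chkservd_credentials")


def fingerprint(audit_key: bytes, kind: str, secret: bytes) -> str:
    """Keyed digest computed on the host, so the collector never sees the secret.
    The kind is mixed in so equal values of different kinds do not match."""
    msg = kind.encode() + b"\x00" + secret
    return hmac.new(audit_key, msg, hashlib.sha256).hexdigest()


def shared_secrets(inventory: dict) -> dict:
    """inventory: {host: {kind: fingerprint}} -> {kind: [sorted host groups]}.
    Two or more hosts with one fingerprint means the secret came from the
    image and was not regenerated on the new instance."""
    by_value = defaultdict(set)
    for host, prints in inventory.items():
        for kind, fp in prints.items():
            by_value[(kind, fp)].add(host)
    findings = defaultdict(list)
    for (kind, _), hosts in by_value.items():
        if len(hosts) > 1:
            findings[kind].append(sorted(hosts))
    return {kind: sorted(groups) for kind, groups in findings.items()}


def demo() -> dict:
    """Constructed fleet: vm-a and vm-b are untouched clones of one image;
    vm-c regenerated everything except the SRS secret."""
    key = b"constructed-audit-key"
    template = {k: b"template-" + k.encode() for k in KINDS}
    fresh = {k: b"fresh-" + k.encode() for k in KINDS}
    fresh["srs_secret"] = template["srs_secret"]
    hosts = {"vm-a": template, "vm-b": template, "vm-c": fresh}
    inventory = {h: {k: fingerprint(key, k, v) for k, v in s.items()}
                 for h, s in hosts.items()}
    return shared_secrets(inventory)


if __name__ == "__main__":
    for kind, groups in sorted(demo().items()):
        print(kind, groups)
```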