-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.1203
        A number of vulnerabilities have been identified in cPanel
                             4 September 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           cPanel
Publisher:         cPanel
Operating System:  UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Root Compromise                 -- Existing Account            
                   Execute Arbitrary Code/Commands -- Existing Account            
                   Access Privileged Data          -- Existing Account            
                   Modify Permissions              -- Existing Account            
                   Cross-site Scripting            -- Remote with User Interaction
                   Denial of Service               -- Existing Account            
                   Reduced Security                -- Existing Account            
Resolution:        Patch/Upgrade

Original Bulletin: 
   http://cpanel.net/wp-content/uploads/2013/08/TSR-2013-0009-DetailedDisclosure.txt

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

TSR-2013-0009 Detailed Disclosure

The following disclosure covers Targeted Security Release TSR-2013-0009, which was published on August 27th, 2013.
Each vulnerability is assigned an internal case number, which is reflected below.
Information regarding the cPanel Security Level rankings can be found here:
http://go.cpanel.net/securitylevels

Case 73377

Summary
An account's cpmove archives were world-readable in the /home directory with 644 permissions during packaging.

Security Rating
cPanel has assigned a Security Level of Moderate to this vulnerability.

Description
The cPanel and WHM account transfer process created a temporary cpmove 
archive in the /home directory with 644 permissions. This allowed a local 
attacker to read the private contents of another user's home directory
and configuration settings while the transfer operation was in progress. 
The world-readable cpmove file was left accessible for a longer period 
of time when the account transfer process failed and required manual intervention.
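The exposure described above is a file-permission window. The following added example (not cPanel's code) audits a home directory for cpmove archives readable by other users and shows how to create such an archive at mode 0600 from its first instant; the "cpmove-" prefix and the 644 mode come from this advisory, and the directory is a parameter so the check runs against a constructed temp directory instead of /home.

```python
import os
import stat
import tempfile

# Added example, not cPanel's own code. The archive name prefix "cpmove-"
# and the 644 mode come from the advisory; the directory is a parameter so
# the check runs against a constructed temp directory instead of /home.

def world_readable_archives(home_dir):
    """Names of cpmove archives directly in home_dir whose mode grants
    read to 'other' (the 644 condition from Case 73377)."""
    found = []
    for name in os.listdir(home_dir):
        if not name.startswith("cpmove-"):
            continue
        st = os.lstat(os.path.join(home_dir, name))   # lstat: never follow symlinks
        if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IROTH:
            found.append(name)
    return sorted(found)

def create_private_archive(path, data):
    """Create the archive with mode 0600 from its first instant, so there is
    no window in which another local user can read it. O_EXCL refuses to
    reuse a file someone else pre-created; umask can only remove bits."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return stat.S_IMODE(os.stat(path).st_mode)

def demo():
    """Constructed scenario: one archive left at 644 (the flaw), one created safely."""
    home = tempfile.mkdtemp()                      # stands in for /home
    bad = os.path.join(home, "cpmove-alice.tar.gz")
    with open(bad, "wb") as f:
        f.write(b"constructed archive")
    os.chmod(bad, 0o644)                           # the world-readable state
    mode = create_private_archive(os.path.join(home, "cpmove-bob.tar.gz"), b"x")
    return world_readable_archives(home), mode

if __name__ == "__main__":
    print(demo())   # (['cpmove-alice.tar.gz'], 384), where 384 == 0o600
```

Running world_readable_archives against a real /home after a failed transfer is the quickest way to confirm no stale archive was left behind on an unpatched build.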

Credits
This issue was reported by Rack911.com.

Solution
This issue is resolved in the following builds:
* 11.39.0.15 & Greater
* 11.38.2.6 & Greater
* 11.36.2.3 & Greater
* 11.34.2.4 & Greater
* 11.32.7.3 & Greater

Please update your cPanel & WHM system to one of the aforementioned
versions or the latest public release available. A full listing of
published versions can always be found at http://httpupdate.cpanel.net/.

Case 73581

Summary
The improper sanitization of user input when adding an Addon Domain could allow a local DoS of the web server.

Security Rating
cPanel has assigned a Security Level of Important to this vulnerability.

Description
While creating a new Addon domain, a cPanel user account could specify a
DocumentRoot for the new addon that would be misinterpreted by Apache as
a nonsensical httpd.conf directive. This vulnerability could be used by
a malicious local attacker to corrupt the global httpd.conf file and 
make it impossible to restart the Apache web server.

Credits
This issue was reported by Rack911.com.

Solution
This issue is resolved in the following builds:
* 11.39.0.15 & Greater
* 11.38.2.6 & Greater
* 11.36.2.3 & Greater
* 11.34.2.4 & Greater
* 11.32.7.3 & Greater

Please update your cPanel & WHM system to one of the aforementioned
versions or the latest public release available. A full listing of
published versions can always be found at http://httpupdate.cpanel.net/.

Case 73605

Summary
The account rearrange feature of WHM could be used in an unsafe way, potentially leading to a compromise of a system's security.

Security Rating
cPanel has assigned a Security Level of Moderate to this vulnerability.

Description
WHM resellers with the "Rearrange Accounts" ACL could change the
permissions on arbitrary file paths by moving accounts they
controlled into sensitive filesystem locations and invoke other
automated systems, which assumed these locations were not under any user
account's control. The "Rearrange Accounts" ACL is part of the "Super Privs" ACL group,
which restricts access to WHM operations that may be used to bypass many normal Reseller
access restrictions.

Credits
This issue was reported by Rack911.com.

Solution
This issue is resolved in the following builds:
* 11.39.0.15 & Greater
* 11.38.2.6 & Greater
* 11.36.2.3 & Greater
* 11.34.2.4 & Greater
* 11.32.7.3 & Greater

Please update your cPanel & WHM system to one of the aforementioned
versions or the latest public release available. A full listing of
published versions can always be found at http://httpupdate.cpanel.net/.

Case 73773

Summary
cPanel, WHM and Webmail session files contained plaintext passwords.

Security Rating
cPanel has not assigned a Security Level to this issue as we feel this is only a hardening measure.

Description
The session files in /var/cpanel/sessions contained plain text passwords for recently logged in users. The session files were correctly secured so that only the root account on the system could read their contents. We have added additional obfuscation of the plaintext passwords, so that any attacker who compromises the root account on the system will not have the ability to reconstruct the plaintext passwords from the session files.

Solution
This issue is resolved in the following builds:
* 11.39.0.15 & Greater
* 11.38.2.6 & Greater
* 11.36.2.3 & Greater
* 11.34.2.4 & Greater
* 11.32.7.3 & Greater

Please update your cPanel & WHM system to one of the aforementioned
versions or the latest public release available. A full listing of
published versions can always be found at http://httpupdate.cpanel.net/.

Case 74521

Summary
Resellers with the locale-edit ACL could overwrite any file on the system.

Security Rating
cPanel has assigned a Security Level of Important to this vulnerability.

Description
Resellers that were able to install locale data from uploaded XML files could overwrite any file
on the disk with data provided in the XML file. This could be used to gain privilege escalation to root.

Credits
This issue was reported by Rack911.com.

Solution
This issue is resolved in the following builds:
* 11.39.0.15 & Greater
* 11.38.2.6 & Greater
* 11.36.2.3 & Greater
* 11.34.2.4 & Greater
* 11.32.7.3 & Greater

Please update your cPanel & WHM system to one of the aforementioned
versions or the latest public release available. A full listing of
published versions can always be found at http://httpupdate.cpanel.net/.

Case 75569

Summary
The unsuspend function makes changes to webDAV user files that could unsuspend a suspended user on the system.

Security Rating
cPanel has assigned a Security Level of Important to this vulnerability.

Description
The process of unsuspending a suspended account did not perform proper checks on the ownership and location of the virtual account password files. This flaw allowed a malicious reseller account with the "(Un)Suspend" ACL to unsuspend arbitrary accounts on the system.

Credits
This issue was reported by Rack911.com.

Solution
This issue is resolved in the following builds:
* 11.39.0.15 & Greater
* 11.38.2.6 & Greater
* 11.36.2.3 & Greater
* 11.34.2.4 & Greater
* 11.32.7.3 & Greater

Please update your cPanel & WHM system to one of the aforementioned
versions or the latest public release available. A full listing of
published versions can always be found at http://httpupdate.cpanel.net/.

Cases 68205, 71701, 71705, 71709, 71721, 71725, 71733, 75169, 75413, 75417, and 75605

Summary
Multiple vulnerabilities in the cPAddons Site Software subsystem.

Security Rating
cPanel has assigned a range of Security Levels to these vulnerabilities, from Minor to Important.

Description
The cPAddons Site Software subsystem provides a suite of web application
software that individual cPanel user accounts may install into their
domains. The subsystem also provides interfaces in WHM where the root user
may configure the list of web applications that are available for
installation, configure which web applications require root's approval
for installation, and perform the installation of moderated cPAddons.

This subsystem was vulnerable to a variety of attacks by malicious local
cPanel accounts and malicious WHM reseller accounts. The vulnerabilities
included flaws in the ACL enforcement logic of the WHM interfaces that
allowed non-root resellers to use the WHM interfaces and stored XSS
attacks that a cPanel account could conduct against the root user. The
moderated cPAddons install logic included further vulnerabilities that
would allow a malicious cPanel user to execute arbitrary code as any
other account on the system.

Credits
These issues were discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
* 11.39.0.15 & Greater
* 11.38.2.6 & Greater
* 11.36.2.3 & Greater
* 11.34.2.4 & Greater
* 11.32.7.3 & Greater

Please update your cPanel & WHM system to one of the aforementioned
versions or the latest public release available. A full listing of
published versions can always be found at http://httpupdate.cpanel.net/.

Case 71265

Summary
The autorespond.pl script was vulnerable to shell injection.

Security Rating
cPanel has assigned a Security Level of Moderate to this vulnerability.

Description
The cPanel autorespond script is used by cPanel and Webmail accounts to
send vacation notices when the user is unavailable to answer their
email. An input sanitization flaw in this script allowed a malicious
local cPanel account to bypass other account restrictions, such
as jailshell, while executing arbitrary code.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
* 11.39.0.15 & Greater
* 11.38.2.6 & Greater
This issue was not introduced into the autoresponder.pl code until 11.38; 11.36 and prior are not vulnerable.

Please update your cPanel & WHM system to one of the aforementioned
versions or the latest public release available. A full listing of
published versions can always be found at http://httpupdate.cpanel.net/.

Cases 74609 and 75113

Summary
The NVData module lacked proper sanitization, which allowed overwrites of files and path traversal.

Security Rating
cPanel has assigned a Security Level of Minor to this vulnerability.

Description
The WHM interface uses an NVData subsystem to persistently store some
settings of the web interface. This subsystem did insufficient
validation of its inputs, allowing a malicious local reseller to corrupt
NVData files belonging to other users and read files outside of the NVData
subsystem. These flaws potentially allowed the reseller to change
ownership and permissions settings on arbitrary files.
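Case 73581 (a DocumentRoot that Apache misreads as a directive) and Cases 74609/75113 (NVData names that reach other users' files) both come down to accepting a user-supplied path fragment without confining it to the directory the caller expects. The following added example (not cPanel's code) shows one confinement helper serving both cases; the function names, the NVData layout of one directory per user, and the probe inputs are assumptions made for illustration.

```python
import os
import re
import tempfile

# Added example, not cPanel's own code. Function names, the per-user NVData
# directory layout and the probe inputs below are constructed assumptions.

# Characters that must never reach httpd.conf or a filename: whitespace and
# newlines (which start a new directive), quotes, '#', '<' '>' (section tags)
# and control characters.
_UNSAFE = re.compile(r'[\s"\'#<>\\\x00-\x1f]')

def confine(base_dir, user_path):
    """Return the real absolute path for user_path if it lies under base_dir,
    otherwise raise ValueError. Symlinks are resolved first so a link planted
    inside the user's tree cannot redirect the result outside it."""
    if _UNSAFE.search(user_path):
        raise ValueError("disallowed character in path")
    base = os.path.realpath(base_dir)
    candidate = user_path if os.path.isabs(user_path) else os.path.join(base, user_path)
    target = os.path.realpath(candidate)
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes " + base)
    return target

def addon_docroot(home, requested):
    """DocumentRoot for a new addon domain: anything under the account's home."""
    return confine(home, requested)

_KEY = re.compile(r'^[A-Za-z0-9_.-]+$')   # one path component, no separators

def nvdata_file(nvdata_dir, user, key):
    """NVData file for (user, key) inside that user's own NVData directory;
    a bare '..' key passes the regex but is rejected by confine()."""
    if not _KEY.match(key):
        raise ValueError("bad NVData key")
    return confine(os.path.join(nvdata_dir, user), key)

def demo():
    """Run both checks on constructed inputs; True means the path was accepted."""
    home = tempfile.mkdtemp()               # stands in for /home/<user>
    nv = tempfile.mkdtemp()                 # stands in for the NVData root
    probes = [
        lambda: addon_docroot(home, "public_html/shop"),
        lambda: addon_docroot(home, "public_html/x\nInclude /etc/passwd"),
        lambda: addon_docroot(home, "../../etc/httpd/conf"),
        lambda: addon_docroot(home, "/etc/httpd/conf/httpd.conf"),
        lambda: nvdata_file(nv, "alice", "theme"),
        lambda: nvdata_file(nv, "alice", "../bob/theme"),
        lambda: nvdata_file(nv, "alice", ".."),
    ]
    out = []
    for probe in probes:
        try:
            probe()
            out.append(True)
        except ValueError:
            out.append(False)
    return out

if __name__ == "__main__":
    print(demo())   # [True, False, False, False, True, False, False]
```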

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
* 11.39.0.15 & Greater
* 11.38.2.6 & Greater
* 11.36.2.3 & Greater
* 11.34.2.4 & Greater
* 11.32.7.3 & Greater

Please update your cPanel & WHM system to one of the aforementioned
versions or the latest public release available. A full listing of
published versions can always be found at http://httpupdate.cpanel.net/.

Our GPG key is available at: http://go.cpanel.net/gnupgkeys (ABD94DDF)

The cPanel Security Team can be contacted at: security@cpanel.net


- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================