The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

cPanel Security Team: exim CVE-2016-1531

Discussion in 'cPanel Announcements' started by cPanelCory, Mar 2, 2016.

  1. cPanelCory

    cPanelCory Developer - cPanel Security Team
    Staff Member

    Jan 18, 2008
    Likes Received:
    Trophy Points:
    cPanel Access Level:
    Root Administrator
    cPanel Security Team: exim CVE-2016-1531

    Background Information

    On Wednesday, March 2, 2016, Exim announced a vulnerability in all versions of the Exim software.


    According to Exim development: "All installations having Exim set-uid root and using 'perl_startup' are vulnerable to a local privilege escalation. Any user who can start an instance of Exim (this is normally *any* user) can gain root privileges."


    The following versions of cPanel & WHM were patched to have the correct version of Exim. All previous versions of cPanel & WHM, including 11.48.x and below, are vulnerable to a set-uid attack on Exim.
    EDGE 11.55.9999.106

    How to determine if your server is up to date

    The updated RPMs provided by cPanel will contain a changelog entry with the CVE number. You can check for this changelog entry with the following command:
    rpm -q --changelog exim | grep CVE-2016-1531

    The output should resemble below:
    - - Fixes CVE-2016-1531

    What to do if you are not up to date

    If your server is not running one of the above versions, update immediately.

    You can upgrade your server by navigating to WHM Home > cPanel > Upgrade to Latest Version and clicking "Click to Upgrade" (Update Preferences - Documentation - cPanel Documentation)

    Alternatively, you can run the below commands to upgrade your server from the command line:
    /scripts/check_cpanel_rpms --fix --long-list

    Verify the new Exim RPM was installed:
    rpm -q --changelog exim | grep CVE-2016-1531
    The output should resemble below:
    - - Fixes CVE-2016-1531

    What has changed

    Exim now provides two configuration options which limit what environment variables are available to Exim and all of its child processes. The variables are keep_environment and add_environment. For the initial release with this feature, cPanel will be setting the variables as follows in all supported cPanel & WHM systems. These values can be modified in the Advanced Configuration Editor if necessary, though we advise caution on adding too many variables to keep_environment.

    keep_environment = X-SOURCE : X-SOURCE-ARGS : X-SOURCE-DIR
    add_environment = PATH=/usr/local/sbin::/usr/local/bin::/sbin::/bin::/usr/sbin::/usr/bin::/sbin::/bin

    Additional Information

    CVE: CVE - CVE-2016-1531
    Initial Public Disclosure: [exim] Security release for CVE-2016-1531: 4.84.2, 4.85.2, 4.86.2, 4.87 RC5
    Documentation: CVE-2016-1531 Exim - cPanel Knowledge Base - cPanel Documentation

    For the PGP-Signed version of this announcement:
    #1 cPanelCory, Mar 2, 2016
    Last edited: Mar 3, 2016

Share This Page