cPanel TSR-2017-0006 Full Disclosure

Discussion in 'cPanel Announcements' started by cPanelJackson, Nov 21, 2017.

    SEC-306

    Summary

    Unreserved email address used in DNS zone SOA records.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 2.0 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N

    Description

    When a contact email address for the system was not configured, the default RNAME value in DNS zone SOA records was set to an unreserved account name. This account name is now reserved and "root" is used as the default for new zones.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    68.0.15
    66.0.34
    64.0.42
    62.0.35

    SEC-309

    Summary

    Home directory backups written to incorrect location.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 7.8 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

    Description

    A remote backup mount that became temporarily unresponsive could cause the user home directory backup to be written to the current directory when the backup system was configured to use incremental backups.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    68.0.15
    66.0.34
    64.0.42
    62.0.35

    SEC-310

    Summary

    Jailed accounts could restore files that are outside the jail.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 3.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

    Description

    A jailed cPanel account could create files in their home directory that the backup process would follow outside of the jailshell, allowing restricted files to be copied into the backup.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    68.0.15
    66.0.34
    64.0.42
    62.0.35

    SEC-311

    Summary

    Unprivileged users can access restricted directories during account restores.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 4.4 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N

    Description

    During the account restore process, under some circumstances, root changes the current directory to the user's home directory. A malicious user could abuse this behavior to access restricted directories.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    68.0.15
    66.0.34
    64.0.42
    62.0.35

    SEC-313

    Summary

    Arbitrary code execution via Maketext injection in PostgresAdmin.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 8.0 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

    Description

    Under certain error conditions it was possible to inject user-supplied input into a Maketext format string during PostgreSQL database creation, allowing arbitrary code execution as root.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    68.0.15
    66.0.34
    64.0.42
    62.0.35

    SEC-314

    Summary

    Arbitrary code execution via Maketext injection in Reseller style upload.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 8.0 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

    Description

    When a reseller uploads a custom style tarball, the list of files included in the tarball is checked for invalid filenames. If this validation fails, the offending filename is used as part of a Locale::Maketext format string. By crafting a malicious tarball, it was possible for a reseller to execute arbitrary code as root.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    68.0.15
    66.0.34
    64.0.42
    62.0.35

    SEC-315

    Summary

    Jailshell fails to set umask before performing sensitive file operations.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 8.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

    Description

    The jailshell and jailexec binaries failed to set the umask() before performing sensitive operations during the jail setup. This behavior was exploitable to run arbitrary code as root or read secret files.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    68.0.15
    66.0.34
    64.0.42
    62.0.35

    SEC-318

    Summary

    String format injection vulnerability in dovecot-xaps-plugin.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 6.0 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L

    Description

    The cPanel patches to the dovecot-xaps-plugin add an additional call to the i_info() function to generate dovecot log messages. This function behaves in a similar manner to printf(). Rather than specifying a format string as a first argument, we pass in user-controllable data. This allowed the user to pass in arbitrary format strings, resulting in reading of arbitrary memory and code execution.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    68.0.15
    66.0.34
    64.0.42

    SEC-322

    Summary

    Code execution as root due to loose permissions on incremental backups.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 8.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

    Description

    During an incremental backup, the user account had access to the homedir directory inside the account's backup directory. This allowed the user to execute files that had switched to root ownership during the backup process.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    68.0.15
    66.0.34
    64.0.42
    62.0.35

    SEC-323

    Summary

    Backup files are briefly world-readable.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 2.5 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

    Description

    When creating backup archive files, there was a small window where the permissions of the archives would be world-readable. This allowed unprivileged users to copy the contents of other users' backups.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    68.0.15
    66.0.34
    64.0.42
    62.0.35

    SEC-325

    Summary

    PostgreSQL databases assigned to multiple accounts caused collisions.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 2.0 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N

    Description

    A refactoring error opened the possibility of two different cPanel accounts being assigned ownership of a PostgreSQL database when they attempted to create it at the same time. Ownership is now assigned only to the account that successfully created the database.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    68.0.15
    66.0.34
    64.0.42

    SEC-326

    Summary

    Add 'postmaster' to the list of reserved usernames.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 2.4 CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N

    Description

    It was possible to intercept certain emails intended to be delivered to root by creating an account with the 'postmaster' username. This account name has been added to the reserved usernames list.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    68.0.15
    66.0.34
    64.0.42
    62.0.35

    SEC-327

    Summary

    Expand the list of reserved usernames.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 2.4 CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N

    Description

    The server contact email address for accounts uses the webmaster username, which was not restricted for account creation. This could lead to a reseller intercepting emails intended to be delivered to other accounts. All email aliases listed in /etc/aliases and /etc/localaliases are now reserved usernames.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    68.0.15
    66.0.34
    64.0.42
    62.0.35

    SEC-328

    Summary

    Add 'ssl' to the list of reserved usernames.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 2.4 CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N

    Description

    When creating SSL certificates, 'ssl@hostname' is used as the contact email in the certificate. The 'ssl' username was not reserved, allowing resellers to intercept emails sent to this address. The 'ssl' username is now disallowed for account creation.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    68.0.15
    66.0.34
    64.0.42
    62.0.35

    SEC-329

    Summary

    Arbitrary file read via Exim vdomainaliases.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 6.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

    Description

    When processing the vdomainaliases file for a domain, Exim was running as the root user. An attacker could leverage this behavior to read the contents of arbitrary files on the system.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    68.0.15
    66.0.34
    64.0.42
    62.0.35

    SEC-330

    Summary

    Preserve permissions for local backup transport.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 3.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

    Description

    When copying backup files using the 'Additional local directory' backup transport, the original backup file permissions were not preserved. This allowed backup files to be created with world-readable permissions.

    Credits

    This issue was discovered by Rack911labs.com.

    Solution

    This issue is resolved in the following builds:
    68.0.15
    66.0.34
    64.0.42
    62.0.35

    SEC-331

    Summary

    DnsUtils allows zone creation on hostname and account subdomains.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 3.8 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

    Description

    When adding a DNS zone, Cpanel::DnsUtils::doadddns() did not check to ensure that the added domain is not the hostname or a subdomain of a domain belonging to another user. This allowed a reseller to intercept potentially sensitive information.

    Credits

    This issue was discovered by Rack911labs.com.

    Solution

    This issue is resolved in the following builds:
    68.0.15
    66.0.34
    64.0.42
    62.0.35

    SEC-332

    Summary

    Root crontab visible when enabling or disabling sqloptimizer.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

    Description

    When enabling or disabling the sqloptimizer feature root's crontab was briefly exposed to unprivileged users.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    68.0.15
    66.0.34
    64.0.42
    62.0.35

    SEC-333

    Summary

    Local root code execution via cpdavd.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 8.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

    Description

    Under certain circumstances, when cpdavd processes requests, the service will attempt to lazy load Perl modules for various functionality. If this is done after cpdavd changed the root directory, it was possible for an attacker to execute arbitrary code as the root user.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    68.0.15
    66.0.34
    64.0.42
    62.0.35

    SEC-334

    Summary

    User accounts partially created with invalid username formats.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 2.6 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:N

    Description

    Attempting to transfer, restore, or rearrange a cPanel account with a username composed entirely of numbers and symbols could result in partial account creation and cause mail delivery to run as the wrong user. Usernames in this format are now prohibited, along with usernames containing uppercase characters.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    68.0.15
    66.0.34
    64.0.42
    62.0.35

    SEC-336

    Summary

    Stored-XSS vulnerability via cpaddons moderated upgrade.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 2.5 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N

    Description

    It is possible to coerce a cPAddon upgrade to occur when an install was intended via the moderated installs feature of cPAddons. When obsolete files are removed from the installation, a file listing is given. These file names were not adequately encoded in the listed output. This allowed an attacker to inject arbitrary code into the rendered page.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    68.0.15
    66.0.34
    64.0.42
    62.0.35

    SEC-337

    Summary

    Code execution as 'nobody' account via Mailman archives.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 7.4 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

    Description

    Accounts created with the 'mbox' TLD could collide with other domains in the Mailman archive directories. This allowed the creation of files with restricted file extensions, and code execution as the webserver user.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    68.0.15
    66.0.34
    64.0.42
    62.0.35

    SEC-341

    Summary

    Domain data can be deleted for domains with 'lock' TLD.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 3.1 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

    Description

    Domains that use the 'lock' TLD conflict with the standard naming scheme for cPanel 'safelock' files. This behavior allowed attackers to delete domain-named files in some limited circumstances.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    68.0.15
    66.0.34
    64.0.42
    62.0.35

    SEC-345

    Summary

    Arbitrary file read in backup htaccess modification logic.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 6.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

    Description

    On systems configured with EasyApache 4, the htaccess files of accounts are modified in the backup to remove the PHP handler settings. The method used to perform these modifications was vulnerable to time-of-check-time-of-use attacks that could be used to store arbitrary files into the user's backup tarball.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    68.0.15
    66.0.34
    64.0.42
    62.0.35

    For the PGP-Signed version of this announcement please see: https://news.cpanel.com/wp-content/uploads/2017/11/TSR-2017-0006.disclosure.signed.txt
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    Sametto Chan likes this.
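The SEC-318 entry above describes the classic printf-style format string defect: untrusted data handed to a logger in the position where a constant format string belongs. The following is an added example written for this page, not code from cPanel or from the dovecot-xaps-plugin. The logger name i_info_like() and the "device token" input are assumptions standing in for dovecot's i_info() and the data the plugin logged; the sample input is constructed. It shows the vulnerable and the fixed call side by side, and a small audit helper that flags untrusted strings containing a format directive.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for dovecot's i_info(): a printf-style logger.  The real
 * function writes to the dovecot log; this one renders into a buffer so
 * the result can be compared.  It carries no format attribute, which is
 * also why a compiler stays silent about the misuse below. */
static void i_info_like(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
}

/* Defect pattern from SEC-318: attacker-controlled text is passed where
 * the format string belongs, so every '%' directive in it is interpreted.
 * The demo only feeds "%%" (a well-defined directive); anything like "%x"
 * or "%n" would make vsnprintf read or write through nonexistent
 * arguments, which is the memory disclosure / code execution the
 * advisory describes. */
static const char *render_vulnerable(const char *untrusted)
{
    static char buf[256];
    i_info_like(buf, sizeof buf, untrusted);
    return buf;
}

/* Fixed pattern: constant format string, untrusted data as an argument. */
static const char *render_fixed(const char *untrusted)
{
    static char buf[256];
    i_info_like(buf, sizeof buf, "xaps: device token %s", untrusted);
    return buf;
}

/* Audit helper: does untrusted text contain a format directive, i.e. a
 * '%' that is not the literal escape "%%"?  Useful for flagging inputs
 * that reach a printf-style sink while reviewing or fuzzing a plugin. */
static bool has_format_directive(const char *s)
{
    for (const char *p = strchr(s, '%'); p != NULL; p = strchr(p, '%')) {
        if (p[1] == '%') {      /* "%%" is a literal percent sign */
            p += 2;
            continue;
        }
        return true;            /* '%' followed by a conversion (or the end) */
    }
    return false;
}

int main(void)
{
    const char *token = "tok-%%-abc";   /* constructed attacker input */
    printf("vulnerable: %s\n", render_vulnerable(token));   /* tok-%-abc */
    printf("fixed:      %s\n", render_fixed(token));
    printf("directive in input? %s\n", has_format_directive(token) ? "yes" : "no");
    return 0;
}
```

The vulnerable call silently collapses "%%" to "%", which is the visible symptom; with any other conversion it reads the caller's stack instead. Compiling with -Wformat -Wformat-security and marking loggers with __attribute__((format(printf, ...))) makes the compiler catch the non-literal format at the call site.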
Loading...

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice
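SEC-315 is about a privileged program trusting the umask it inherited from its caller. The following is an added example written for this page, not cPanel's jailshell or jailexec code, and it does not reproduce their jail setup; the file and directory names are constructed. It creates a file with a permissive requested mode under an inherited umask of 000, reports the permission bits the kernel actually applied, and contrasts that with the hardened version that clamps the mask before touching the filesystem.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a file the way a privileged setup step might (requesting 0666
 * and relying on the umask to strip group/other bits) and report the
 * permission bits the kernel actually applied.  The umask is first set
 * to 0 to simulate a caller who exported a permissive mask before
 * exec()ing the privileged program; 'reset_umask' selects the hardened
 * behaviour of clamping the mask before any file is created.
 * Returns the mode bits (e.g. 0600) or -1 on error. */
static int create_and_get_mode(bool reset_umask)
{
    char dir[] = "/tmp/umask-demo-XXXXXX";   /* constructed scratch location */
    if (mkdtemp(dir) == NULL)
        return -1;

    char path[sizeof dir + 16];
    snprintf(path, sizeof path, "%s/secret", dir);

    mode_t saved = umask(0);       /* inherited mask: nothing is masked off */
    if (reset_umask)
        umask(077);                /* the fix: never trust the inherited mask */

    int mode = -1;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0666);
    if (fd >= 0) {
        struct stat st;
        if (fstat(fd, &st) == 0)
            mode = (int)(st.st_mode & 0777);
        close(fd);
        unlink(path);
    }
    rmdir(dir);
    umask(saved);                  /* restore so the demo has no side effects */
    return mode;
}

/* True when 'mode' grants any access to group or other (or creation failed). */
static bool is_exposed(int mode)
{
    return mode < 0 || (mode & 077) != 0;
}

int main(void)
{
    int loose = create_and_get_mode(false);
    int tight = create_and_get_mode(true);
    printf("inherited umask 000: file mode %04o (%s)\n", loose,
           is_exposed(loose) ? "exposed" : "private");
    printf("umask(077) first:    file mode %04o (%s)\n", tight,
           is_exposed(tight) ? "exposed" : "private");
    return 0;
}
```

The umask survives setuid transitions and exec(), so a program that runs as root on behalf of an unprivileged caller must set it explicitly (or pass the final mode to open()/mkdir() and fchmod() afterwards) before creating anything; otherwise the caller chooses how exposed root's files are.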