openSSL vulnerabilities?

Discussion in 'General Discussion' started by websnail.net, Mar 31, 2005.

  1. websnail.net

    My own semi-dedicated server is currently being attacked with a subtle exploit which we're trying to track down, and it seems that OpenSSL and/or Mod_SSL is the likely point of entry, and yet despite multiple updates to OpenSSL it seems cPanel is still using old versions of either 0.9.6 or 0.9.7.

    Please could the coding team check out the current issues and see if the slowly increasing number of incidences of a code injection that tries to propagate the byteverify trojan is in fact related.

    References:

    http://www.webhostingtalk.com/showthread.php?s=&threadid=387710&perpage=20&pagenumber=1

    http://www.openssl.org/news/

    http://www.openssl.org/news/secadv_20020730.txt

    http://www.openssl.org/news/secadv_20030219.txt

    http://www.allthefaqs.net/forum/viewtopic.php?p=33063#33063

    http://www.spywarewarrior.com/xpire-splitinfinity-serverhack_malwareinstall-condensed.pdf



    I'm aware that my host is probably raising this elsewhere but I'm pretty sure we're not alone here thanks to references on WHT and from looking around...

    Thanks in advance for any help or input on this lot because right now it's just plain crazy.
     
  2. chirpy

    You should address such concerns to security@cpanel.net if you have not done so already. AFAIK, openssl is simply installed from the OS vendor's distribution, so if you're running on a supported OS one would hope that they have any issues covered. However, if you run an obsolete or EOL OS (<=RHE9, FC1, FC2, etc.) then you should make sure that you have kept up to date with your application security updates. IIRC, cPanel uses mod_ssl directly from the developer's release when building apache.
     
  3. websnail.net

    If I'm reading this right, you're saying that cPanel will only use those versions of a distro that come under the original release for that version... i.e. for RH8 it'll only go as high as 0.9.6b whilst Fedora C1 will go to 0.9.7a...

    No offense, but that negates the whole reason for me wanting to use cPanel to build my apache for me... After all, what's stopping a source build of later versions? Apache, php, etc. do seem to be getting built from source after all...

    I am something of a n00b when it comes to how cPanel handles things and in fairness to many things Linux as well... but certainly this sort of thing does seem core to my understanding of just how vulnerable my system is, when I'd assumed that cPanel wasn't inaccurate when saying that there were no security issues with the version I am using.

    Not to put too fine a point on it... but if that's not the case then I'd sure like to know that now... not later.
     
  4. chirpy

    That is certainly my understanding of how it works and it is perfectly correct. cPanel is not an OS, it is a control panel that sits on top of it. You, as the server administrator, have to install, configure and manage your operating system and the applications and libraries for it. cPanel's job is to make it easier for you to install OS vendor apps and run a web host, no more.

    If you decide to run an unsupported and EOL OS, that's your responsibility ;)
     