
SOLVED PCI compliance report issues

Discussion in 'Security' started by ehask71, Dec 30, 2017.

  1. ehask71 (Well-Known Member, Root Administrator)
    ProFTPD version 1.3.5B is vulnerable: ProFTPD CVE-2017-7418 Local Security Bypass Vulnerability
    "ProFTPD is prone to a local security-bypass vulnerability.

    An attacker may exploit this issue to bypass certain security restrictions and perform unauthorized actions.

    ProFTPD prior to 1.3.5e and 1.3.6 prior to 1.3.6rc5 are vulnerable."

    OpenSSH 7.5 is vulnerable: CVE-2017-15906

    "The process_open function in sftp-server.c in OpenSSH before 7.6 does not properly prevent write operations in readonly mode, which allows attackers to create zero-length files."
  2. cPanelMichael (Technical Support Community Manager, Staff Member)
    Hello,

    1. As I understand, the "AllowChrootSymlinks" ProFTPd configuration option is enabled by default. The report referenced on the URL below notes a bug that applies to systems where "AllowChrootSymlinks" is turned off:

    CVE - CVE-2017-7418

    Thus, by default, your server should not be affected by this bug. That said, I've opened internal case CPANEL-17794 to request an update to the ProFTPd version we distribute with cPanel. I'll monitor this case and update this thread with more information as it becomes available.

    2. cPanel does not distribute the OpenSSH package. It's provided by your OS (e.g. CentOS). You can update your system packages to the latest versions offered by your OS with the "yum update" command; however, it doesn't look like CentOS distributes OpenSSH 7.6 with the corresponding bug fix at this time:

    Bug 1506630 – CVE-2017-15906 openssh: Improper write operations in readonly mode allow for zero-length file creation

    That said, note the analysis of this bug:

    Additionally, it only applies to systems with SFTP configured in read-only mode, which isn't a default configuration.

    Thank you.
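Both findings in the reply above are conditional on configuration rather than on the version string the scanner matched: CVE-2017-7418 needs AllowChrootSymlinks turned off, and CVE-2017-15906 needs an SFTP subsystem running read-only. The script below is an added example (not code from the thread, from cPanel or from the upstream projects) that reads the actual config files and reports which findings apply, and it also shows how to ask the RPM changelog whether a fix was backported, since CentOS does not bump the OpenSSH banner when it patches a CVE. The default paths /etc/proftpd.conf and /etc/ssh/sshd_config and the sample configs are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread, cPanel or the upstream projects:
# triage two PCI scanner findings by checking the conditions the CVEs
# actually require instead of the version banner the scanner matched.
# Default paths are assumptions for a cPanel/CentOS box; override via env.
PROFTPD_CONF=${PROFTPD_CONF:-/etc/proftpd.conf}
SSHD_CONF=${SSHD_CONF:-/etc/ssh/sshd_config}

# CVE-2017-7418 only matters when AllowChrootSymlinks is explicitly "off"
# (ProFTPD's default is on). Commented lines are ignored. Returns 0 if the
# risky setting is active in the given file.
proftpd_chroot_symlinks_off() {
    grep -Eiq '^[[:space:]]*AllowChrootSymlinks[[:space:]]+off([[:space:]]|$)' "$1"
}

# CVE-2017-15906 only matters when the SFTP server runs read-only, i.e.
# "Subsystem sftp ... -R" or "ForceCommand internal-sftp -R". Returns 0 if
# such an uncommented line exists in the given file.
sshd_sftp_readonly() {
    grep -Eq '^[[:space:]]*([Ss]ubsystem[[:space:]]+sftp|[Ff]orce[Cc]ommand)[[:space:]].*[[:space:]]-R([[:space:]]|$)' "$1"
}

# Distributions backport fixes without changing the banner version, so the
# package changelog is a better witness than "OpenSSH 7.5". Returns 0 if the
# CVE id appears in the changelog, 1 if not, 2 if rpm is not available here.
pkg_changelog_mentions() {  # usage: pkg_changelog_mentions openssh CVE-2017-15906
    command -v rpm >/dev/null 2>&1 || return 2
    rpm -q --changelog "$1" 2>/dev/null | grep -q "$2"
}

# Prints one verdict per finding; its exit status is the number of findings
# that actually apply to the given pair of config files.
triage() {  # usage: triage PROFTPD_CONF SSHD_CONF
    applies=0
    if proftpd_chroot_symlinks_off "$1"; then
        echo "CVE-2017-7418: APPLIES (AllowChrootSymlinks off) - update proftpd"
        applies=$((applies + 1))
    else
        echo "CVE-2017-7418: not exploitable as configured (AllowChrootSymlinks on)"
    fi
    if sshd_sftp_readonly "$2"; then
        echo "CVE-2017-15906: APPLIES (read-only SFTP) - check for a backported fix"
        applies=$((applies + 1))
    else
        echo "CVE-2017-15906: not exploitable as configured (SFTP not read-only)"
    fi
    return $applies
}

# Constructed sample configs so the checks can be exercised offline.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/proftpd-default.conf" <<'EOF'
ServerName "ProFTPD"
# AllowChrootSymlinks off   <- commented out, so the default (on) applies
DefaultRoot ~
EOF
cat > "$SAMPLE_DIR/proftpd-risky.conf" <<'EOF'
ServerName "ProFTPD"
  allowchrootsymlinks OFF
DefaultRoot ~
EOF
cat > "$SAMPLE_DIR/sshd-default.conf" <<'EOF'
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF
cat > "$SAMPLE_DIR/sshd-readonly.conf" <<'EOF'
Subsystem sftp internal-sftp
Match Group sftponly
    ForceCommand internal-sftp -R
EOF

# Verdict for the constructed "default" pair, then for the live host when
# its config files are readable (i.e. when run as root).
triage "$SAMPLE_DIR/proftpd-default.conf" "$SAMPLE_DIR/sshd-default.conf" || true
if [ -r "$PROFTPD_CONF" ] && [ -r "$SSHD_CONF" ]; then
    triage "$PROFTPD_CONF" "$SSHD_CONF" || true
    pkg_changelog_mentions openssh CVE-2017-15906 && echo "openssh changelog mentions CVE-2017-15906 (backported fix)"
fi
```

Two caveats when running this on a real host: the greps read only the file named, so directives pulled in through an Include line, or a Match block in a separate sshd_config.d file, are not seen; and a scanner that matched on the banner will keep reporting the finding regardless, so the evidence this produces (config state plus the changelog entry for a backported fix) is what goes into the dispute with the scanning vendor, not a reason to ignore the report.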
  3. cPanelMichael (Technical Support Community Manager, Staff Member)
    Hello,

    To update, the updated version of ProFTPd is included in cPanel version 70:

    Fixed case CPANEL-17794: Update proftpd to 1.3.6-1.cp1170.

    Thank you.