Possible Horde Vulnerability

[vince512]

I have been hearing reports from various sources that there may be a serious vulnerability in Horde webmail to where a server can actually be rooted.

I have checked with my cPanel provider and they haven't heard anything, and I checked google and so far I have seen two web hosts post in their forums that they are disabling horde due to an undocumented vulnerability.

Has anyone else heard anything about this or can confirm this?

 

[hm2k]

Can you provide at least one source?

 

[jpetersen]

I have been hearing reports from various sources that there may be a serious vulnerability in Horde webmail to where a server can actually be rooted.

I have checked with my cPanel provider and they haven't heard anything, and I checked google and so far I have seen two web hosts post in their forums that they are disabling horde due to an undocumented vulnerability.

Has anyone else heard anything about this or can confirm this?

What are the 2 links to the posts in the forums you mention?

 

[gottabekidding]

Hm, I have not heard that it was able to commandeer root access.
There is most certainly a horde exploit being pushed around in the wild but it's only allowing cPanel access to the user exploited.

 

[jpetersen]

Hm, I have not heard that it was able to commandeer root access.
There is most certainly a horde exploit being pushed around in the wild but it's only allowing cPanel access to the user exploited.

To clarify, what you're saying is that the current Horde exploit can be used to leverage cPanel access against the user, is that correct? Have you reported this to cPanel? Is this bug specific to cPanel servers?

 

[vince512]

Again, it may be just me being paranoid...but I just want to make certain that I did not miss something that I may wind up paying for later. The posts I found is below...only one forum talks about the vulnerability being able to root any machine running horde in cpanel:

The two forums I found in the google search:

This one actually stating the vulnerability:

http://forums.hostgator.com/showthread.php?t=28888&goto=newpost target=

This one disabled today when searching google again this morning, but did not give a reason yet:

http://dotable.com/dotable-announcement-forum/1882-horde-webmail-disabled.html

Again, I just want to make certain, if this is not the case great, but if it is, then we want to make sure that we follow suit on our servers and disable it until the next update of horde.

Hm, I have not heard that it was able to commandeer root access.
There is most certainly a horde exploit being pushed around in the wild but it's only allowing cPanel access to the user exploited.

So someone can still at least access someone's account and access there files? Then maybe we should disable horde on our boxes until the fix.

 

[jpetersen]

Thanks vince512, I really appreciate the info, as I'm sure others do too.

Apparently root access can in fact be leveraged through the bug (start edit I have no proof of this myself, and I'm not entirely convinced that escalating to root is possible, simply due to lack of information end edit), and according to one cPanel staff member, disabling Horde will mitigate the current threat. cPanel is aware of and working on the issue at this time. That's all the information I have.

 

[cPanelNick]

cPanel has collaborated with one of our partners to work to patch a security vulnerability in the Horde webmail application. HostGator has graciously provided information which will help facilitate our creation of a patch. As soon as the patch has been completed and tested it will be deployed to all cPanel builds. The completed patch will also be sent to the Horde Project (http://www.horde.org) for inclusion within the Horde codebase.

At present, we can confirm that this security vulnerability in question affects Horde 3.1.6 and earlier. Based on incomplete information at this time, we also believe this affects Horde Groupware 1.0.4 and earlier as well (cPanel does not use Horde Groupware at this time). We recommend anyone using Horde or Horde Groupware disable it until the patch has been released. Since this vulnerability is contained in the stock Horde distribution and not limited to it's use on cPanel servers, we recommend disabling Horde on all platforms until patched.

This post will be updated as needed.

 

[vince512]

Thanks vince512, I really appreciate the info, as I'm sure others do too.

Apparently root access can in fact be leveraged through the bug, and according to one cPanel staff member, disabling Horde will mitigate the current threat. cPanel is aware of and working on the issue at this time. That's all the information I have.

I am glad I could help get the word out to the community. I think we definitely need to do a better job ensuring that everyone gets security information as soon as it is confirmed or known. Even one rooted server can give anyone of us a bad day, especially if they use it to attack other systems.

 

[cPanelNick]

I am glad I could help get the word out to the community. I think we definitely need to do a better job ensuring that everyone gets security information as soon as it is confirmed or known. Even one rooted server can give anyone of us a bad day, especially if they use it to attack other systems.

In this case it was only confirmed minutes before I posted above.

 

[Infopro]

cPanel has collaborated with one of our partners to work to patch a security vulnerability in the Horde webmail application. HostGator has graciously provided information which will help facilitate our creation of a patch. As soon as the patch has been completed and tested it will be deployed to all cPanel builds. The completed patch will also be sent to the Horde Project (http://www.horde.org) for inclusion within the Horde codebase.

At present, we can confirm that this security vulnerability in question affects Horde 3.1.6 and earlier. Based on incomplete information at this time, we also believe this affects Horde Groupware 1.0.4 and earlier as well (cPanel does not use Horde Groupware at this time). We recommend anyone using Horde or Horde Groupware disable it until the patch has been released. Since this vulnerability is contained in the stock Horde distribution and not limited to it's use on cPanel servers, we recommend disabling Horde on all platforms until patched.

This post will be updated as needed.

Thanks Nick.

 

[lbccserv]

Can you post an actual revision number that this is fixed in? I just did an edge update and it says:

WHM 11.19.0 cPanel 11.19.2-E21594

is this patched?

 

[nyjimbo]

As per the email sent to us a little while ago:

"The updated builds will be available immediately to all fast update servers. The builds will be available to all other update servers within one hour of this posting."

Can you clarify what is the difference between a fast update server and all other update servers so in the future we know what we are updating with ??

 

[cPanelNick]

As per the email sent to us a little while ago:

"The updated builds will be available immediately to all fast update servers. The builds will be available to all other update servers within one hour of this posting."

Can you clarify what is the difference between a fast update server and all other update servers so in the future we know what we are updating with ??

http://www.cpanel.net/partners/fast-update/index.htm

 

[cPanelNick]

Can you post an actual revision number that this is fixed in? I just did an edge update and it says:

WHM 11.19.0 cPanel 11.19.2-E21594

is this patched?

For 11.19.x Everything 11.19.2 or newer is patched
For 11.18.x Everything 11.18.2 or newer is patched

 

[lbccserv]

looks like our messages crossed in subspace.... mod can remove this

 

[nsusa]

I ajust running /scripts/upcp but it is failing on the Horde download and seems to loop over and over again trying. Not good. If I break the process - how will that leave my server in regards to the remaining cpanel updates?

Chris

 

[cpanelinfoseeker]

I suggest being patient - this update took a LOT longer that the past several. I was worried until I checked the progress in SSH by:
cd /var/cpanel/updatelogs
look in the directory and find the update file with the near current time/date
then tail that update file. For me it was :
tail -20 update.1204852566.log

Watch the last line each time you run it and you should see that it is actually progressing, but very slowly.

My guess this is slow because there are many people upgrading at the same time.

Mine finally completed, but was about an hour.

Ron

 

[cPanelNick]

I ajust running /scripts/upcp but it is failing on the Horde download and seems to loop over and over again trying. Not good. If I break the process - how will that leave my server in regards to the remaining cpanel updates?

Chris

Please open a ticket @ https://tickets.cpanel.net/submit/ and post the #

 

[darren.nolan]

cPanel,

I would just like to say thank you so much for your speedy response & critical update in relation to this. I was notified early this morning about the vulnerability, disabled horde, emailed all my customers (gosh that takes a while these days) - and happily updated my servers a few hours later.

Horde is a pretty important part of mail for my clients so I wasn't happy to hear about this issue. The update was rather quick considering the influx of people updating at the same time and now my customers have Horde again.

So again - thank you.
Dazz