The Community Forums


SOLVED Roundcube vulnerability

Discussion in 'Security' started by pglock, Dec 7, 2016.

  1. pglock

    pglock Member

    This report carried by The Register details a major vulnerability in Roundcube. Roundcube posted a patch to GitHub at the end of November, and issued version 1.2.3 here.

    The version installed on cp is 1.1.4-8.cp1158.

    Any advice on updating to a secure version?
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    cPanel needs to push it via cPanel updates, you shouldn't attempt to update Roundcube manually.
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello @pglock,

    Internal case CPANEL-10239 is open to assess whether that vulnerability affects instances of Roundcube offered with cPanel, and if so, to ensure it's updated to the latest version. We'll update this thread with more information on the status of this case as it becomes available.

    Thank you.
     
  4. easyswiss

    easyswiss Active Member

    Is there an update?

    If cPanel servers are affected... the CVE is between 7 and 10...
    blog.ripstech.com/2016/roundcube-command-execution-via-email/

    Requirements
    The vulnerability has the following requirements for exploitation:
    • Roundcube must be configured to use PHP's mail() function (by default, if no SMTP was specified)
    • PHP's mail() function is configured to use sendmail (by default, see sendmail_path)
    • PHP is configured to have safe_mode turned off (by default, see safe_mode)
    • An attacker must know or guess the absolute path of the webroot
    These requirements are not particularly demanding, which in turn means that there were a lot of vulnerable systems in the wild.
     
    #4 easyswiss, Dec 8, 2016
    Last edited by a moderator: Dec 8, 2016
  5. panayot

    panayot Well-Known Member

    According to

    /usr/local/cpanel/base/3rdparty/roundcube/config/config.inc.php

    Roundcube in cPanel does not use the mail() function, so it should not be affected by this vulnerability.
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    cPanel configures the local SMTP server for use in Roundcube's configuration file and thus isn't affected by this vulnerability based on the listed requirements. That said, the updated version of Roundcube is included with cPanel version 62:

    Code:
    rpm -qa|grep roundcube
    cpanel-roundcubemail-1.2.3-1.cp1162.noarch
    Thank you.
     
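A check for the first requirement quoted in post #4, as an added example (not code from the thread, from cPanel or from Roundcube): it reads the smtp_server setting from a Roundcube config.inc.php, such as the cPanel path given in post #5, and reports whether Roundcube relays via the local SMTP server (as post #6 describes) or would fall back to PHP mail(). The older $rcmail_config form and the two sample config files are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from cPanel/Roundcube.
# Roundcube calls PHP mail() only when no SMTP server is configured, so the
# value of $config['smtp_server'] decides whether the first requirement in
# post #4 is met. Commented-out lines ("// $config[...]") are ignored.

# Print the configured smtp_server value; prints nothing if unset or empty.
# The $rcmail_config spelling is assumed for older 1.x-style config files.
roundcube_smtp_server() {
    sed -n -E \
      "s/^[[:space:]]*\\\$(config|rcmail_config)\\['smtp_server'\\][[:space:]]*=[[:space:]]*['\"]([^'\"]*)['\"].*/\\2/p" \
      "$1" | tail -n 1
}

# Outcome for the mail() requirement:
#   "smtp"     - Roundcube relays via SMTP, so this exploitation path is closed
#   "php-mail" - Roundcube would call mail(); the remaining requirements matter
roundcube_mail_transport() {
    if [ -n "$(roundcube_smtp_server "$1")" ]; then
        echo smtp
    else
        echo php-mail
    fi
}

# Stand-alone demo on two constructed config files (not real cPanel files).
demo_dir=$(mktemp -d)
cat > "$demo_dir/cpanel-style.inc.php" <<'EOF'
<?php
// constructed sample: a commented-out default must not count
// $config['smtp_server'] = '';
$config['smtp_server'] = 'localhost';
EOF
cat > "$demo_dir/default.inc.php" <<'EOF'
<?php
$config['smtp_server'] = '';   // constructed sample: Roundcube's default
EOF
roundcube_mail_transport "$demo_dir/cpanel-style.inc.php"   # smtp
roundcube_mail_transport "$demo_dir/default.inc.php"        # php-mail
rm -rf "$demo_dir"
```

On a cPanel server the file to pass is the config.inc.php path named in post #5; a "php-mail" result means the sendmail_path and safe_mode requirements from post #4 still need checking, while "smtp" closes this path.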
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    37,022
    Likes Received:
    1,276
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
Loading...

Share This Page