SOLVED Roundcube vulnerability

pglock · Dec 7, 2016

This report carried by The Register details a major vulnerability in roundcube. Roundcube posted a patch to GitHub at the end of November, and issued a version 1.2.3 here

The version installed on cp is 1.1.4-8.cp1158.

Any advice on updating to a secure version?

Infopro · Dec 7, 2016

cPanel needs to push it via cPanel updates, you shouldn't attempt to update Roundcube manually.

cPanelMichael · Dec 7, 2016

Hello @pglock,

Internal case CPANEL-10239 is open to assess whether that vulnerability affects instances of Roundcube offered with cPanel, and if so, to ensure it's updated to the latest version. We'll update this thread with more information on the status of this case as it becomes available.

Thank you.

easyswiss · Dec 8, 2016

Is there an update?

If cPanel servers are affected.. the CVE is between 7 and 10...
blog.ripstech.com/2016/roundcube-command-execution-via-email/

Requirements
The vulnerability has the following requirements for exploitation:

Roundcube must be configured to use PHP’s mail() function (by default, if no SMTP was specified )
PHP’s mail() function is configured to use sendmail (by default, see sendmail_path )
PHP is configured to have safe_mode turned off (by default, see safe_mode )
An attacker must know or guess the absolute path of the webroot

These requirements are not particular demanding which in turn means that there were a lot of vulnerable systems in the wild.

panayot · Dec 12, 2016

According to

/usr/local/cpanel/base/3rdparty/roundcube/config/config.inc.php

Roundcube in Cpanel does not use mail() function so it should not be affected by this vulnerability

cPanelMichael · Dec 12, 2016

easyswiss said:
Roundcube must be configured to use PHP’s mail() function (by default, if no SMTP was specified )

panayot said:
According to

/usr/local/cpanel/base/3rdparty/roundcube/config/config.inc.php

Roundcube in Cpanel does not use mail() function so it should not be affected by this vulnerability

Hello,

cPanel configures the local SMTP server for use in Roundcube's configuration file and thus isn't affected by this vulnerability based on the listed requirements. That said, the updated version of Roundcube is included with cPanel version 62:

Code:

rpm -qa|grep roundcube
cpanel-roundcubemail-1.2.3-1.cp1162.noarch

Thank you.

cPanelMichael · Jan 9, 2017

Hello,

To update, patched Roundcube versions are now included with cPanel version 60.0.31:

Fixed case CPANEL-10401: Update cpanel-roundcubemail to 1.1.7-1.cp1158.

Additionally, with cPanel version 58.0.41:

Fixed case CPANEL-10321: Update cpanel-roundcubemail to 1.1.7-1.cp1158.

The full Change Logs are available at:

60 Change Log - Change Logs - cPanel Documentation
58 Change Log - Change Logs - cPanel Documentation

Thank you.

Thread starter	Similar threads	Forum	Replies	Date
M	SOLVED CPANEL-35335 - Roundcube XSS vulnerability. Information about update in WHM/cPanel installation	Security	6	Dec 28, 2020
C	Avoiding double-login for Roundcube located on a different server	Security	2	Apr 2, 2020
	SOLVED Roundcube Critical Bug reported	Security	1	Dec 15, 2016
A	How can I use two factor authentication for roundcube	Security	5	Nov 2, 2016
N	zero-day vulnerability in latest versions of roundcube	Security	18	Mar 27, 2013

Search

Search

SOLVED Roundcube vulnerability

pglock

Member

Infopro

Well-Known Member

cPanelMichael

Administrator

easyswiss

Active Member

panayot

Well-Known Member

cPanelMichael

Administrator

cPanelMichael

Administrator