Urgent Updates for 70, 76, and 78 and Exim CVE-2019-10149

cPanelBenny

Community Team Manager, Development, dog scratcher
Apr 24, 2014
140
76
103
Michigan
cPanel Access Level
Root Administrator
Twitter
In a post on the cPanel Blog last night we shared information regarding an exploit that had been identified in Exim. This exploit allows attackers to execute code as the root user on your server without authentication and was rated a 9.8 out of 10 in severity.

While Version 80 was never vulnerable to this exploit, and we released a patch for Version 78 last night, the recently End of Life Version 70 and Version 76 remained vulnerable. More details were released today, including details on exactly how to gain root access to a remote server.

While Exim is open source software that we bundle with our software and is not built by cPanel, this vulnerability is something that we feel deserves our attention. This is an extremely rare and specific situation that has the potential to impact everyone who interacts with the internet in any way. For that reason, we have released an update to patch this vulnerability for both Version 70 and Version 76.

To ensure that your server has received the patch, please update to one of the following versions:

TIER VERSION
70 -> 70.0.69
76 -> 76.0.22
78 -> 78.0.27

cPanel & WHM Versions 70 and 76 remain End of Life and will receive no other updates. This is a one-time bending of our policy, and we do not plan to pursue any other updates for these versions. We still strongly recommend that you keep your servers updated, and continue to run the most recent versions of cPanel & WHM available.

If you need help with any of this, don’t hesitate to reach out! The best places to ask questions are here on the cPanel Forums, our directly to our support team. You can also join us in our Slack or Discord channels, or even ask on our subreddit!
 

AlexMty

Registered
Jun 6, 2019
1
0
1
Mexico
cPanel Access Level
Root Administrator
Hello, I just tried to update a server in tier 76 (76.0.21), and it stayed in the same version due to EasyApache version 3 being installed. How can I force an update to 76.0.22? I tried switching from STABLE to TLS but then it says the new version will be 78.0.27 and it will be EOL in March 2020.

Can I try this with a bash command?
 

cPanelBenny

Community Team Manager, Development, dog scratcher
Apr 24, 2014
140
76
103
Michigan
cPanel Access Level
Root Administrator
Twitter
It's possible that the update will be blocked with an error similar to this:

A system upgrade was not possible due to the following blockers:
[2019-06-07 02:02:51 +0200] W [FATAL] - You must migrate from EA3 to EA4 before upgrading to v78 or newer. You can do so by running /usr/local/cpanel/scripts/migrate_ea3_to_ea4 or via WHM’s EasyApache 4 Migration interface. For more information please see: The EasyApache 3 to EasyApache 4 Migration Process - EasyApache 4 - cPanel Documentation
If you encounter this error, you must manually adjust your /etc/cpupdate.conf file to the example below:

CPANEL=11.76
RPMUP=daily
SARULESUP=daily
STAGING_DIR=/usr/local/cpanel
UPDATES=daily
 
  • Like
Reactions: eva2000

Avensen

Member
Feb 27, 2007
17
1
153
Edited cpupdate.conf, updated from v76.0.21 to v76.0.22 with /usr/local/cpanel/scripts/upcp

However, Service Status / Exim version shows 4.91-3 (expected 4.91-4 after update).

ran the following command:

whmapi1 installed_versions packages=1|grep exim

and it shows this:

exim: 4.91-3
- exim-4.91-3.cp1170.x86_64

Can anyone check if your Exim version changed to 4.91-4 after v76.0.21 to v76.0.22 update?
 

cPanelBenny

Community Team Manager, Development, dog scratcher
Apr 24, 2014
140
76
103
Michigan
cPanel Access Level
Root Administrator
Twitter
We've confirmed internally that it looks like there is a cache not getting updated (being tracked as CPANEL-27784), but based on our testing the new RPM is being used. You can double check this with the exim --version command, that will show the version, and the build time. You'll also see the RPM removed in the upcp logs.

exim --version
 
Last edited:

Avensen

Member
Feb 27, 2007
17
1
153
cPanelBenny, thanks for the information.

# exim --version

Exim version 4.91 #1 built 06-Jun-2019 12:52:02

Is it a correct version?
 

cPanelBenny

Community Team Manager, Development, dog scratcher
Apr 24, 2014
140
76
103
Michigan
cPanel Access Level
Root Administrator
Twitter
  • Like
Reactions: Avensen

cPanelMichael

Technical Support Community Manager
Staff member
Apr 11, 2011
47,911
2,233
363
cPanel Access Level
DataCenter Provider
Twitter
Is it possible to update only the exim without having to update the cPanel?
Hello @Luana Premoli,

The only way to ensure that you are protected is to upgrade your server to a patched version. We made a one-time exclusion to our end-of-life policy and released an update to patch this vulnerability for both version 70 and version 76. Information about how to apply the update to these end-of-life versions is available at the beginning of the blog post below:

Exim CVE-2019-10149, how to protect yourself | cPanel Blog

What cPanel & WHM version is currently installed on your system?

Thank you.