cPanel TSR-2020-0003 Full Disclosure

SEC-485 Summary Remote code execution via Exim filter path handling. Security Rating cPanel has assigned this vulnerability a CVSSv3 score of 9.9 CVSS

cPanel TSR-2019-0006 Full Disclosure
cPanel & WHM Version 70 in RELEASE!
cPanel & WHM Version 84 Now EOL

SEC-485

Summary

Remote code execution via Exim filter path handling.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 9.9 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Description

The handling of file paths constructed from email recipient addresses in cPanel & WHM’s default Exim configuration did not adequately protect against path traversal attacks. In a default cPanel & WHM deployment, this behavior could be abused by authenticated attackers to execute arbitrary code on the server as other accounts. Abuse of this flaw by unauthenticated attackers was possible under some circumstances.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.88.0.3
11.86.0.21
11.78.0.49

SEC-491

Summary

Bypass of SMTP greylisting restrictions.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Description

Greylisting restrictions configured for the Exim SMTP daemon were not properly enforced for senders with embedded spaces.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.88.0.3
11.86.0.21
11.78.0.49

SEC-497

Summary

Jailshell breakout via chsh.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Description

Some utilities such as chsh and userhelper may regain their setuid bit during RPM updates. This allowed cPanel accounts configured with jailshell to change the account’s login shell.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.88.0.3
11.86.0.21
11.78.0.49

SEC-549

Summary

Insecure BIND RNDC credentials used in templated VMs.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

The RNDC key configured in virtual machines spawned from cPanel VM images was not regenerated in the new instance.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.88.0.3
11.86.0.21
11.78.0.49

SEC-550

Summary

Insecure Dovecot auth policy API key used in templated VMs.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Description

The Dovecot auth policy API key configured in virtual machines spawned from cPanel VM images was not regenerated in the new instance.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.88.0.3
11.86.0.21
11.78.0.49

SEC-551

Summary

Insecure Mailman site password used in templated VMs.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

The Mailman site password configured in virtual machines spawned from cPanel VM images was not regenerated in the new instance.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.88.0.3
11.86.0.21
11.78.0.49

SEC-552

Summary

Insecure SRS secret used in templated VMs.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Description

The Exim SRS secret configured in virtual machines spawned from cPanel VM images was not regenerated in the new instance.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.88.0.3
11.86.0.21
11.78.0.49

SEC-554

Summary

Insecure chkservd test credentials used in templated VMs.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 9.0 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Description

The authentication credentials used by chkservd to confirm system services are accepting logins were reused in virtual machines created from cPanel VM images.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.88.0.3
11.86.0.21
11.78.0.49

SEC-558

Summary

World-readable permissions on proxy subdomains log file.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Description

When accessing cPanel, WHM, or Webmail via a plain, unencrypted proxy subdomain URL, the webserver log file was created with world-readable permissions. This allowed local attackers to obtain any sensitive information or credentials passed in GET requests.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.88.0.3
11.86.0.21
11.78.0.49

SEC-561

Summary

PowerDNS API keys set to predictable values during upgrades.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

During cPanel & WHM upgrades across major versions, the PowerDNS API keys were set to predictable values. A local attacker could misuse this behavior to read DNS secrets, modify DNS settings, or disable the DNS server.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.88.0.3
11.86.0.21

For the PGP-signed message, please see: TSR-2020-0003.disclosure.signed

مدیریت سرور پشتیبانی و مشاوره – ثبت دامنه