{"id":14303,"date":"2020-05-20T09:29:16","date_gmt":"2020-05-20T09:29:16","guid":{"rendered":"http:\/\/news.cpanel.com\/?p=58293"},"modified":"2020-05-20T09:29:16","modified_gmt":"2020-05-20T09:29:16","slug":"cpanel-tsr-2020-0003-full-disclosure","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/cpanel-tsr-2020-0003-full-disclosure\/","title":{"rendered":"cPanel TSR-2020-0003 Full Disclosure"},"content":{"rendered":"
\"\"<\/div>\n

SEC-485<\/strong><\/h3>\n

Summary<\/strong><\/p>\n

Remote code execution via Exim filter path handling.<\/p>\n

Security Rating<\/strong><\/p>\n

cPanel has assigned this vulnerability a CVSSv3 score of 9.9 CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:C\/C:H\/I:H\/A:H<\/p>\n

Description<\/strong><\/p>\n

The handling of file paths constructed from email recipient addresses in cPanel & WHM\u2019s default Exim configuration did not adequately protect against path traversal attacks. In a default cPanel & WHM deployment, this behavior could be abused by authenticated attackers to execute arbitrary code on the server as other accounts. Abuse of this flaw by unauthenticated attackers was possible under some circumstances.<\/p>\n

Credits<\/strong><\/p>\n

This issue was discovered by the cPanel Security Team.<\/p>\n

Solution<\/strong><\/p>\n

This issue is resolved in the following builds:
11.88.0.3
11.86.0.21
11.78.0.49<\/p>\n

SEC-491<\/strong><\/h3>\n

Summary<\/strong><\/p>\n

Bypass of SMTP greylisting restrictions.<\/p>\n

Security Rating<\/strong><\/p>\n

cPanel has assigned this vulnerability a CVSSv3 score of 5.3 CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:N\/I:L\/A:N<\/p>\n

Description<\/strong><\/p>\n

Greylisting restrictions configured for the Exim SMTP daemon were not properly enforced for senders with embedded spaces.<\/p>\n

Credits<\/strong><\/p>\n

This issue was discovered by the cPanel Security Team.<\/p>\n

Solution<\/strong><\/p>\n

This issue is resolved in the following builds:
11.88.0.3
11.86.0.21
11.78.0.49<\/p>\n

SEC-497<\/strong><\/h3>\n

Summary<\/strong><\/p>\n

Jailshell breakout via chsh.<\/p>\n

Security Rating<\/strong><\/p>\n

cPanel has assigned this vulnerability a CVSSv3 score of 5.5 CVSS:3.1\/AV:L\/AC:L\/PR:L\/UI:N\/S:U\/C:N\/I:H\/A:N<\/p>\n

Description<\/strong><\/p>\n

Some utilities such as chsh and userhelper may regain their setuid bit during RPM updates. This allowed cPanel accounts configured with jailshell to change the account\u2019s login shell.<\/p>\n

Credits<\/strong><\/p>\n

This issue was discovered by the cPanel Security Team.<\/p>\n

Solution<\/strong><\/p>\n

This issue is resolved in the following builds:
11.88.0.3
11.86.0.21
11.78.0.49<\/p>\n

SEC-549<\/strong><\/h3>\n

Summary<\/strong><\/p>\n

Insecure BIND RNDC credentials used in templated VMs.<\/p>\n

Security Rating<\/strong><\/p>\n

cPanel has assigned this vulnerability a CVSSv3 score of 7.0 CVSS:3.1\/AV:L\/AC:H\/PR:L\/UI:N\/S:U\/C:H\/I:H\/A:H<\/p>\n

Description<\/strong><\/p>\n

The RNDC key configured in virtual machines spawned from cPanel VM images was not regenerated in the new instance.<\/p>\n

Credits<\/strong><\/p>\n

This issue was discovered by the cPanel Security Team.<\/p>\n

Solution<\/strong><\/p>\n

This issue is resolved in the following builds:
11.88.0.3
11.86.0.21
11.78.0.49<\/p>\n

SEC-550<\/strong><\/h3>\n

Summary<\/strong><\/p>\n

Insecure Dovecot auth policy API key used in templated VMs.<\/p>\n

Security Rating<\/strong><\/p>\n

cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.1\/AV:L\/AC:H\/PR:L\/UI:N\/S:U\/C:H\/I:N\/A:N<\/p>\n

Description<\/strong><\/p>\n

The Dovecot auth policy API key configured in virtual machines spawned from cPanel VM images was not regenerated in the new instance.<\/p>\n

Credits<\/strong><\/p>\n

This issue was discovered by the cPanel Security Team.<\/p>\n

Solution<\/strong><\/p>\n

This issue is resolved in the following builds:
11.88.0.3
11.86.0.21
11.78.0.49<\/p>\n

SEC-551<\/strong><\/h3>\n

Summary<\/strong><\/p>\n

Insecure Mailman site password used in templated VMs.<\/p>\n

Security Rating<\/strong><\/p>\n

cPanel has assigned this vulnerability a CVSSv3 score of 8.1 CVSS:3.1\/AV:N\/AC:H\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H<\/p>\n

Description<\/strong><\/p>\n

The Mailman site password configured in virtual machines spawned from cPanel VM images was not regenerated in the new instance.<\/p>\n

Credits<\/strong><\/p>\n

This issue was discovered by the cPanel Security Team.<\/p>\n

Solution<\/strong><\/p>\n

This issue is resolved in the following builds:
11.88.0.3
11.86.0.21
11.78.0.49<\/p>\n

SEC-552<\/strong><\/h3>\n

Summary<\/strong><\/p>\n

Insecure SRS secret used in templated VMs.<\/p>\n

Security Rating<\/strong><\/p>\n

cPanel has assigned this vulnerability a CVSSv3 score of 3.7 CVSS:3.1\/AV:N\/AC:H\/PR:N\/UI:N\/S:U\/C:N\/I:L\/A:N<\/p>\n

Description<\/strong><\/p>\n

The Exim SRS secret configured in virtual machines spawned from cPanel VM images was not regenerated in the new instance.<\/p>\n

Credits<\/strong><\/p>\n

This issue was discovered by the cPanel Security Team.<\/p>\n

Solution<\/strong><\/p>\n

This issue is resolved in the following builds:
11.88.0.3
11.86.0.21
11.78.0.49<\/p>\n

SEC-554<\/strong><\/h3>\n

Summary<\/strong><\/p>\n

Insecure chkservd test credentials used in templated VMs.<\/p>\n

Security Rating<\/strong><\/p>\n

cPanel has assigned this vulnerability a CVSSv3 score of 9.0 CVSS:3.1\/AV:N\/AC:H\/PR:N\/UI:N\/S:C\/C:H\/I:H\/A:H<\/p>\n

Description<\/strong><\/p>\n

The authentication credentials used by chkservd to confirm system services are accepting logins were reused in virtual machines created from cPanel VM images.<\/p>\n

Credits<\/strong><\/p>\n

This issue was discovered by the cPanel Security Team.<\/p>\n

Solution<\/strong><\/p>\n

This issue is resolved in the following builds:
11.88.0.3
11.86.0.21
11.78.0.49<\/p>\n

SEC-558<\/strong><\/h3>\n

Summary<\/strong><\/p>\n

World-readable permissions on proxy subdomains log file.<\/p>\n

Security Rating<\/strong><\/p>\n

cPanel has assigned this vulnerability a CVSSv3 score of 3.3 CVSS:3.1\/AV:L\/AC:L\/PR:L\/UI:N\/S:U\/C:L\/I:N\/A:N<\/p>\n

Description<\/strong><\/p>\n

When accessing cPanel, WHM, or Webmail via a plain, unencrypted proxy subdomain URL, the webserver log file was created with world-readable permissions. This allowed local attackers to obtain any sensitive information or credentials passed in GET requests.<\/p>\n

Credits<\/strong><\/p>\n

This issue was discovered by the cPanel Security Team.<\/p>\n

Solution<\/strong><\/p>\n

This issue is resolved in the following builds:
11.88.0.3
11.86.0.21
11.78.0.49<\/p>\n

SEC-561<\/strong><\/h3>\n

Summary<\/strong><\/p>\n

PowerDNS API keys set to predictable values during upgrades.<\/p>\n

Security Rating<\/strong><\/p>\n

cPanel has assigned this vulnerability a CVSSv3 score of 7.8 CVSS:3.1\/AV:L\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:H\/A:H<\/p>\n

Description<\/strong><\/p>\n

During cPanel & WHM upgrades across major versions, the PowerDNS API keys were set to predictable values. A local attacker could misuse this behavior to read DNS secrets, modify DNS settings, or disable the DNS server.<\/p>\n

Credits<\/strong><\/p>\n

This issue was discovered by the cPanel Security Team.<\/p>\n

Solution<\/strong><\/p>\n

This issue is resolved in the following builds:
11.88.0.3
11.86.0.21<\/p>\n

For the PGP-signed message, please see: TSR-2020-0003.disclosure.signed<\/a><\/p>\n

\u0645\u062f\u06cc\u0631\u06cc\u062a \u0633\u0631\u0648\u0631 \u067e\u0634\u062a\u06cc\u0628\u0627\u0646\u06cc \u0648 \u0645\u0634\u0627\u0648\u0631\u0647 – \u062b\u0628\u062a \u062f\u0627\u0645\u0646\u0647<\/p>\n","protected":false},"excerpt":{"rendered":"

SEC-485 Summary Remote code execution via Exim filter path handling. Security Rating cPanel has assigned this vulnerability a CVSSv3 score of 9.9 CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:C\/C:H\/I:H\/A:H Description The handling of file paths constructed from email recipient addresses in cPanel & WHM\u2019s default Exim configuration did not adequately protect against path traversal attacks. In a default cPanel & WHM …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[25],"tags":[],"class_list":["post-14303","post","type-post","status-publish","format-standard","hentry","category-cpanel-news"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/14303","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=14303"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/14303\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=14303"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=14303"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=14303"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}