Multiple vulnerabilities in cPanel



Published: 2017-01-18
Risk Critical
Patch available YES
Number of vulnerabilities 4
CVE-ID CVE-2017-5613
CWE-ID CWE-521
CWE-79
CWE-200
CWE-134
Exploitation vector Network
Public exploit Vulnerability #4 is being exploited in the wild.
Vulnerable software
Subscribe
cPanel
Web applications / Remote management & hosting panels

Vendor cPanel, Inc

Security Bulletin

This security bulletin contains information about 4 vulnerabilities.

1) Weak password

EUVDB-ID: #VU4863

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-521 - Weak Password Requirements

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain unauthorized access to database.

The Munin monitoring tool includes a plugin to check the status of the MySQL service. This plugin used a dedicated test MySQL user to provide this functionality. The password set for this user was identical to the username. In cPanel’s current configuration of Munin, this MySQL user is no longer required and has been removed.

Successful exploitation of this vulnerability may allow an attacker to gain unauthorized access to MySQL database.

Mitigation

This issue is resolved in the following builds:
62.0.4
60.0.35
58.0.43
56.0.43
54.0.36

Vulnerable software versions

cPanel: 11.54.0.0 - 11.62.0.2

External links

http://news.cpanel.com/tsr-2017-0001-full-disclosure/ (SEC-196)


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Cross-site scripting

EUVDB-ID: #VU4864

Risk: Low

CVSSv3.1: 3.9 [CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

Vulnerability allows a remote authenticated attacker to perform XSS attacks.

The vulnerability is caused by an input validation error in reset password interfaces. A remote authenticated attacker can trick the victim to follow a specially specially crafted link and execute arbitrary HTML and script code in victim's browser in security context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Additionally, several self-XSS vulnerabilities were also patched.

Mitigation

This issue is resolved in the following builds:
62.0.4
60.0.35
58.0.43
56.0.43
54.0.36

Vulnerable software versions

cPanel: 11.54.0.0 - 11.62.0.2

External links

http://news.cpanel.com/tsr-2017-0001-full-disclosure/ (SEC-198)


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Arbitrary file disclosure

EUVDB-ID: #VU4873

Risk: Low

CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to read arbitrary files on the system.

The vulnerability exists due to an error when processing valiases for users. A remote authenticated user can create valias, which includes other files, and read them with privileges of Exim system user.

Successful exploitation of the vulnerability may allow an attacker to read arbitrary files on the system.

Mitigation

This issue is resolved in the following builds:
62.0.4
60.0.35
58.0.43

Vulnerable software versions

cPanel: 11.58.0.3 - 11.62.0.2

External links

http://news.cpanel.com/tsr-2017-0001-full-disclosure/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Format string vulnerability

EUVDB-ID: #VU6353

Risk: Critical

CVSSv3.1: 9.5 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C]

CVE-ID: CVE-2017-5613

CWE-ID: CWE-134 - Use of Externally-Controlled Format String

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a format string error within cgiemail and cgiecho binaries when processing template files. A remote authenticated attacker can create a specially crafted file, containing form string specifiers and execute arbitrary code on the target system.

Successful exploitation may allow an attacker to compromise vulnerable system.

Note: this vulnerability has been exploited in the wild and was disclosed by the Shadow Brokers leak. The exploit is known as ElegantEagle.

Mitigation

The vulnerability is fixed in the following versions: 54.0.36, 56.0.43, 58.0.43, and 60.0.35.

Vulnerable software versions

cPanel: 11.54.0.0 - 11.60.0.34

External links

http://news.cpanel.com/tsr-2017-0001-full-disclosure/
http://news.cpanel.com/cpanel-security-team-cgiemail-cve-2017-5613/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.



###SIDEBAR###