SB2017011801 - Multiple vulnerabilities in cPanel

Description

This security bulletin contains information about 4 vulnerabilities.

1) Weak password (CVE-ID: N/A)

CWE-ID: CWE-521 - Weak Password Requirements

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote attacker to gain unauthorized access to database.

The Munin monitoring tool includes a plugin to check the status of the MySQL service. This plugin used a dedicated test MySQL user to provide this functionality. The password set for this user was identical to the username. In cPanel’s current configuration of Munin, this MySQL user is no longer required and has been removed.

Successful exploitation of this vulnerability may allow an attacker to gain unauthorized access to MySQL database.

2) Cross-site scripting (CVE-ID: N/A)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear

Vulnerability allows a remote authenticated attacker to perform XSS attacks.

The vulnerability is caused by an input validation error in reset password interfaces. A remote authenticated attacker can trick the victim to follow a specially specially crafted link and execute arbitrary HTML and script code in victim's browser in security context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Additionally, several self-XSS vulnerabilities were also patched.

3) Arbitrary file disclosure (CVE-ID: N/A)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote attacker to read arbitrary files on the system.

The vulnerability exists due to an error when processing valiases for users. A remote authenticated user can create valias, which includes other files, and read them with privileges of Exim system user.

Successful exploitation of the vulnerability may allow an attacker to read arbitrary files on the system.

4) Format string vulnerability (CVE-ID: CVE-2017-5613)

CWE-ID: CWE-134 - Use of Externally-Controlled Format String

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/U:Red

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a format string error within cgiemail and cgiecho binaries when processing template files. A remote authenticated attacker can create a specially crafted file, containing form string specifiers and execute arbitrary code on the target system.

Successful exploitation may allow an attacker to compromise vulnerable system.

Note: this vulnerability has been exploited in the wild and was disclosed by the Shadow Brokers leak. The exploit is known as ElegantEagle.

Remediation

Install update from vendor's website.

References

• http://news.cpanel.com/tsr-2017-0001-full-disclosure/
• https://news.cpanel.com/tsr-2017-0001-full-disclosure/
• http://news.cpanel.com/cpanel-security-team-cgiemail-cve-2017-5613/