Multiple vulnerabilities in cPanel

Published: 2017-01-18 13:04:12
Severity Critical
Patch available YES
Number of vulnerabilities 4
CVE ID CVE-2017-5613
CVSSv3 3.8 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
3.9 [CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
5.5 [CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C]
9.5 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C]
CWE ID CWE-521
CWE-79
CWE-200
CWE-134
Exploitation vector Network
Public exploit Vulnerability #4 is being exploited in the wild.
Vulnerable software cPanel
Vulnerable software versions cPanel 11.54.0.34
cPanel 11.54.0.33
cPanel 11.54.0.32

Show more

Vendor URL cPanel, Inc

Security Advisory

1) Weak password

Description

The vulnerability allows a remote attacker to gain unauthorized access to database.

The Munin monitoring tool includes a plugin to check the status of the MySQL service. This plugin used a dedicated test MySQL user to provide this functionality. The password set for this user was identical to the username. In cPanel’s current configuration of Munin, this MySQL user is no longer required and has been removed.

Successful exploitation of this vulnerability may allow an attacker to gain unauthorized access to MySQL database.

Remediation

This issue is resolved in the following builds:
62.0.4
60.0.35
58.0.43
56.0.43
54.0.36

External links

http://news.cpanel.com/tsr-2017-0001-full-disclosure/
(SEC-196)

2) Cross-site scripting

Description

Vulnerability allows a remote authenticated attacker to perform XSS attacks.

The vulnerability is caused by an input validation error in reset password interfaces. A remote authenticated attacker can trick the victim to follow a specially specially crafted link and execute arbitrary HTML and script code in victim's browser in security context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Additionally, several self-XSS vulnerabilities were also patched.

Remediation

This issue is resolved in the following builds:
62.0.4
60.0.35
58.0.43
56.0.43
54.0.36

External links

http://news.cpanel.com/tsr-2017-0001-full-disclosure/
(SEC-198)

3) Arbitrary file disclosure

Description

The vulnerability allows a remote attacker to read arbitrary files on the system.

The vulnerability exists due to an error when processing valiases for users. A remote authenticated user can create valias, which includes other files, and read them with privileges of Exim system user.

Successful exploitation of the vulnerability may allow an attacker to read arbitrary files on the system.

Remediation

This issue is resolved in the following builds:
62.0.4
60.0.35
58.0.43

External links

http://news.cpanel.com/tsr-2017-0001-full-disclosure/

4) Format string vulnerability

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a format string error within cgiemail and cgiecho binaries when processing template files. A remote authenticated attacker can create a specially crafted file, containing form string specifiers and execute arbitrary code on the target system.

Successful exploitation may allow an attacker to compromise vulnerable system.

Note: this vulnerability has been exploited in the wild and was disclosed by the Shadow Brokers leak. The exploit is known as ElegantEagle.

Remediation

The vulnerability is fixed in the following versions: 54.0.36, 56.0.43, 58.0.43, and 60.0.35.

External links

https://news.cpanel.com/tsr-2017-0001-full-disclosure/

http://news.cpanel.com/cpanel-security-team-cgiemail-cve-2017-5613/