#VU6353 Format string vulnerability in cPanel - CVE-2017-5613
Published: April 20, 2017
Vulnerability identifier: #VU6353
Vulnerability risk: Critical
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/U:Red
CVE-ID: CVE-2017-5613
CWE-ID: CWE-134
Exploitation vector: Remote access
Exploit availability:
The vulnerability is being exploited in the wild
Vulnerable software:
cPanel
cPanel
Software vendor:
cPanel, Inc
cPanel, Inc
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a format string error within cgiemail and cgiecho binaries when processing template files. A remote authenticated attacker can create a specially crafted file, containing form string specifiers and execute arbitrary code on the target system.
Successful exploitation may allow an attacker to compromise vulnerable system.
Note: this vulnerability has been exploited in the wild and was disclosed by the Shadow Brokers leak. The exploit is known as ElegantEagle.
Remediation
The vulnerability is fixed in the following versions: 54.0.36, 56.0.43, 58.0.43, and 60.0.35.