cPanel Targeted Security Release TSR-2018-0005 has been installed
The cPanel Security Team and independent security researchers identified the resolved security issues. There is no reason to believe that these vulnerabilities have been made known to the public. As such, cPanel will only release limited information about the vulnerabilities at this time.
Once sufficient time has passed, allowing cPanel & WHM systems to automatically update to the new versions, cPanel will release additional information about the nature of the security issues. This Targeted Security Release addresses several vulnerabilities in cPanel & WHM software.
Update September 18, 2018
cPanel TSR-2018-0005 Full Disclosure
SEC-409
Summary
ClamAV daemon can be shut off by any local user.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 3.3 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L).
Description
The userspace socket file for the clamd daemon has open permissions so that the userspace scanning functionality in cPanel can communicate with it. However, this socket also accepts the SHUTDOWN command, which allowed unprivileged users to shut down the ClamAV daemon.
Credits
This issue was discovered by the cPanel Security Team.
SEC-428
Summary
Self-XSS in WHM ‘Create a New Account’ interface.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.4 (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N).
Description
Errors encountered in the zone template during account creation were rendered without context-appropriate escaping. This allowed an attacker to inject arbitrary HTML into the rendered page.
Credits
This issue was discovered by the cPanel Security Team.
SEC-433
Summary
Self-XSS in WHM ‘Security Questions’ interface.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 3.7 (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N).
Description
User-supplied parameters for the WHM ‘Security Questions’ interface were displayed without context-appropriate escaping. This allowed an attacker to inject arbitrary code into the rendered page.
Credits
This issue was discovered by the cPanel Security Team.
SEC-434
Summary
Self-XSS in cPanel ‘Site Software Moderation’ interface.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 3.7 (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N).
Description
Certain user-supplied parameters shown in the cPanel ‘Site Software Moderation’ interface were displayed without context-appropriate escaping. This allowed an attacker to inject arbitrary code into the rendered page.
Credits
This issue was discovered by the cPanel Security Team.
SEC-437
Summary
Self-XSS in WHM ‘Style Upload’ interface.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 3.7 (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N).
Description
When using the Customization interface in WHM, error messages displaying user-supplied input were rendered without context-appropriate escaping. This allowed an attacker to inject arbitrary code into the rendered page.
Credits
This issue was discovered by the cPanel Security Team.
SEC-441
Summary
Actively stored XSS in WHM ‘File and Directory Restoration’ interface.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 3.9 (CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N).
Description
During file and directory restoration operations, a cPanel user was able to intercept json-api requests made by the WHM reseller and send back corrupted json-api responses. These corrupted API responses were displayed without appropriate escaping, allowing the cPanel user to insert HTML into the reseller’s web interface.
Credits
This issue was discovered by the cPanel Security Team.
SEC-444
Summary
Demo account code execution via Fileman::viewfile API.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 7.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L).
Description
When the Fileman::viewfile API is called on an RPM file, the rpm utility is invoked to display information about the file. Arguments were passed incorrectly to the rpm utility. This allowed a demo-account user to run arbitrary code as the demo user.
Credits
This issue was discovered by the cPanel Security Team.
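The defensive pattern for the SEC-444 class of bug, as an added example that is not cPanel's code: the advisory does not publish the exact defect, so this assumes the two usual ways "arguments passed incorrectly" goes wrong (a shell-interpreted command string, and a filename parsed as an option) and shows the argv-list form, confined to the account's home directory, that avoids both. The function names and the `home` directory are illustrative assumptions.

```python
"""Added example (not cPanel code): invoking `rpm` on a user-supplied
filename without letting the filename alter the command that runs."""
import subprocess
from pathlib import Path
from typing import List


def build_shell_command_vulnerable(path: str) -> str:
    # Fragile pattern: the string is handed to a shell, so metacharacters
    # in the filename ("; id", "$(...)", backticks) become commands.
    return f"rpm -qip {path}"


def is_within_home(path: str, home: str) -> bool:
    """True if `path` (relative to `home` when not absolute) stays inside `home`."""
    base = Path(home).resolve()
    target = Path(path)
    if not target.is_absolute():
        target = base / target
    target = target.resolve()  # normalises ".." and follows symlinks
    return target == base or base in target.parents


def build_rpm_argv(path: str, home: str) -> List[str]:
    """Return a safe argv list for `rpm -qip` on a file under `home`.

    The filename is one argv element, so it is never shell-parsed, and
    '--' ends option parsing so a name beginning with '-' is still a file.
    """
    if not is_within_home(path, home):
        raise ValueError("path escapes the account home directory")
    target = Path(path)
    if not target.is_absolute():
        target = Path(home).resolve() / target
    return ["rpm", "-qip", "--", str(target.resolve())]


def rpm_info(path: str, home: str, runner=subprocess.run) -> str:
    """Run the hardened command; `runner` is injectable for testing."""
    argv = build_rpm_argv(path, home)
    proc = runner(argv, capture_output=True, text=True, check=False)
    return proc.stdout
```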
SEC-445
Summary
Invalid email_accounts.json prevents full account suspension.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 3.3 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L).
Description
When a user’s email_accounts.json file is corrupted, the suspend script raises an exception. This causes the script to fail before the full suspend process completes. A user could take advantage of this to prevent full suspension of their account.
Credits
This issue was discovered by the cPanel Security Team.
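A fail-safe suspension routine for the SEC-445 failure mode, as an added example that is not cPanel's code: the account owner can write email_accounts.json, so it is treated as untrusted input, and each suspension step is isolated so that one failure is logged rather than aborting the rest. The file layout (a JSON list of objects with an `email` key) and the step names are assumptions for illustration.

```python
"""Added example (not cPanel code): suspend every part of an account even
when a user-writable data file such as email_accounts.json is corrupt."""
import json
import logging
from typing import Callable, Dict, Iterable, List, Tuple

log = logging.getLogger("suspend")


def load_email_accounts(text: str) -> List[dict]:
    """Parse email_accounts.json; corrupt or mis-shaped content yields []."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        log.warning("email_accounts.json unreadable (%s); treating as empty", exc)
        return []
    if not isinstance(data, list):
        log.warning("email_accounts.json is not a list; treating as empty")
        return []
    return [entry for entry in data if isinstance(entry, dict)]


def suspend_mailboxes(email_json: str, disable: Callable[[str], None]) -> int:
    """Disable each mailbox listed in the file; return how many were handled."""
    count = 0
    for entry in load_email_accounts(email_json):
        addr = entry.get("email")
        if isinstance(addr, str) and addr:
            disable(addr)
            count += 1
    return count


def suspend_account(user: str, email_json: str,
                    disable_mailbox: Callable[[str], None],
                    other_steps: Iterable[Tuple[str, Callable[[], None]]]) -> Dict[str, str]:
    """Run all suspension steps; record per-step outcome instead of aborting."""
    steps = [("mail", lambda: suspend_mailboxes(email_json, disable_mailbox))]
    steps += list(other_steps)
    results: Dict[str, str] = {}
    for name, step in steps:
        try:
            step()
            results[name] = "ok"
        except Exception as exc:  # one broken step must not block the others
            log.error("%s: suspension step %s failed: %s", user, name, exc)
            results[name] = "failed"
    return results
```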
SEC-446
Summary
Self-Stored XSS on ‘Security Questions’ login page.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.4 (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N).
Description
A reseller with ‘all’ privileges can set security questions and answers that are used for verification when logins occur from an unrecognized IP address. These questions and answers were displayed without context-appropriate escaping, which allowed an attacker to inject arbitrary code into the rendered page.
Credits
This issue was discovered by the cPanel Security Team.
SEC-447
Summary
Arbitrary file write as root in WHM ‘Force Password Change’.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 7.4 (CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:H).
Description
A recent refactoring in the WHM ‘Force Password Change’ subsystem caused a user-controlled file to be written to with root’s effective permissions. This allowed an attacker to overwrite arbitrary files on the system.
Credits
This issue was discovered by rack911labs.com.
SEC-449
Summary
FTP access allowed during account suspension.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 6.5 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N).
Description
When the system was configured with ProFTPd as the FTP daemon, suspending a cPanel account did not disable FTP access for the account.
Credits
This issue was discovered by Harry Li from GoDaddy.
Monday, September 17, 2018