cPanel Targeted Security Release TSR-2018-0006 has been installed

The cPanel Security Team and independent security researchers identified the resolved security issues. There is no reason to believe that these vulnerabilities have been made known to the public. As such, cPanel will only release limited information about the vulnerabilities at this time.

Once sufficient time has passed, allowing cPanel & WHM systems to automatically update to the new versions, cPanel will release additional information about the nature of the security issues. This Targeted Security Release addresses several vulnerabilities in cPanel & WHM software.

Additional information is scheduled for release on November 20, 2018.


cPanel TSR-2018-0006 Full Disclosure

SEC-366

Summary
PostgreSQL password changes performed in an insecure manner.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

Description
When using the WHM 'Configure PostgreSQL' interface to change the primary PostgreSQL password, it was possible for unauthorized users to log into PostgreSQL and change the password to their own value, ignoring the password entered in WHM.

Credits
This issue was discovered by the cPanel Security Team.


SEC-452

Summary
Unauthenticated remote code execution via mailing list attachments.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 6.5 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L

Description
In certain situations, it is possible for Mailman to preserve the extension of PHP script attachments. When attempting to view these attachments, the script can be executed, allowing for arbitrary code to be executed on the server by attackers who are able to send mail to the list.

Credits
This issue was discovered by the cPanel Security Team.


SEC-454

Summary
Virtual FTP accounts remain after their domain is removed.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.8 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Description
Virtual FTP accounts created by cPanel users are mapped to specific domains in the FTP password files. In some configurations, it was possible to authenticate as a virtual FTP account after the domain of the FTP account was removed from the system.

Credits
This issue was discovered by the cPanel Security Team.
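
A defender-side audit for the condition described in SEC-454, as an added example that is not cPanel's code. It assumes a passwd-style virtual FTP password file whose login field has the form `name@domain`; the field layout, sample lines and function names are constructed for illustration.

```python
"""Added example: flag virtual FTP logins whose domain no longer exists."""

# Constructed sample: passwd-style lines, login field "name@domain" (assumed layout).
SAMPLE_PASSWD = """\
# virtual FTP accounts for one hosting user (constructed)
alice:$6$constructed:1001:1001::/home/alice:/sbin/nologin
uploads@example.com:$6$constructed:1001:1001::/home/alice/up:/sbin/nologin
media@Old-Site.example.:$6$constructed:1001:1001::/home/alice/old:/sbin/nologin
backup@shop.example.com:$6$constructed:1001:1001::/home/alice/shop:/sbin/nologin
broken-line-without-fields
"""


def normalize_domain(name):
    """Lower-case and drop a trailing dot so comparisons are exact."""
    return name.strip().rstrip(".").lower()


def find_orphaned_ftp_accounts(passwd_text, active_domains):
    """Return (orphaned_logins, malformed_line_numbers).

    A login is orphaned when the domain after its last '@' is not in
    active_domains. Logins without '@' are not virtual accounts and are skipped.
    """
    active = {normalize_domain(d) for d in active_domains}
    orphaned, malformed = [], []
    for lineno, raw in enumerate(passwd_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7 or not fields[0]:
            malformed.append(lineno)  # report it, never silently trust it
            continue
        login = fields[0]
        if "@" not in login:
            continue
        domain = normalize_domain(login.rsplit("@", 1)[1])
        if domain not in active:
            orphaned.append(login)
    return orphaned, malformed


if __name__ == "__main__":
    print(find_orphaned_ftp_accounts(SAMPLE_PASSWD, ["example.com", "shop.example.com"]))
```

Any login it reports should be removed or disabled, since the account no longer belongs to a domain on the system.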


SEC-459

Summary
Self-XSS Vulnerability in WHM Additional Backup Destination.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Description
Errors from the backend APIs used by this interface did not apply context-appropriate encoding. Because of this, it was possible for an attacker to inject arbitrary code into the rendered interface with a crafted error message.

Credits
This issue was discovered by the cPanel Security Team.


SEC-461

Summary
Stored XSS in WHM 'Reset a DNS Zone'.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Description
When resetting a DNS zone, the new zone is displayed to the user without applying context-appropriate escaping. Because of this, an attacker was able to inject arbitrary code in the rendered page.

Credits
This issue was discovered by the cPanel Security Team.


SEC-462

Summary
Open redirect when resetting connections.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

Description
When cpsrvd determines that it is necessary to reset an HTTP connection, it sends a 307 or 308 redirect response to the client. The Location header specified in this response was not escaped correctly and could be used by an attacker as an open redirect.

Credits
This issue was discovered by Ian Dunn of WordPress.
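
An added example (not cpsrvd's code) of building the Location value for a 307/308 same-host redirect so that it cannot point off-site. It covers the general open-redirect class rather than the specific cpsrvd defect, which the advisory does not detail; the function name and inputs are constructed.

```python
"""Added example: build a same-origin Location value for a 307/308 response."""
from urllib.parse import quote, urlsplit

# Characters left unescaped in the path; '%' keeps existing percent-escapes.
_SAFE_PATH = "/%-._~!$&'()*+,;=:@"
_SAFE_QUERY = _SAFE_PATH + "?"


def safe_redirect_location(request_target):
    """Return a Location value that stays on the current origin.

    Takes the raw request-target from the request line. Anything that is not
    a plain origin-form path falls back to "/" rather than being reflected.
    """
    # Control characters (CR, LF, NUL, TAB, ...) must never reach a header.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in request_target):
        return "/"
    # Browsers treat '\' like '/', so normalise before inspecting the prefix.
    target = request_target.replace("\\", "/")
    try:
        parts = urlsplit(target)
    except ValueError:  # malformed bracketed host and similar
        return "/"
    # Absolute-form targets, or anything carrying an authority, are rejected.
    if parts.scheme or parts.netloc or not target.startswith("/"):
        return "/"
    # Collapse leading slashes so the result can never be scheme-relative.
    path = "/" + parts.path.lstrip("/")
    location = quote(path, safe=_SAFE_PATH)
    if parts.query:
        location += "?" + quote(parts.query, safe=_SAFE_QUERY)
    return location


if __name__ == "__main__":
    for sample in ("/frontend/index.html?a=1&b=2", "//example.invalid/path"):
        print(repr(sample), "->", safe_redirect_location(sample))
```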


SEC-464

Summary
Stored XSS in WHM MultiPHP Manager interface.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Description
The errors generated by the WHM MultiPHP Manager interface did not apply context-appropriate escaping. Because of this, it was possible for an attacker to generate an error message containing arbitrary code in the rendered page.

Credits
This issue was discovered by the cPanel Security Team.
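
SEC-459, SEC-461 and SEC-464 all come down to output that was not encoded for the context it was rendered in. The following added example (not cPanel's code; the function names, markup and sample error text are constructed) encodes one backend error string for three different contexts and shows that each needs its own encoder.

```python
"""Added example: encode one backend error string for three output contexts."""
import html
import json

# Constructed error text, as a backend API might echo user-supplied input.
SAMPLE_ERROR = 'Bad destination "a\'s" <b>x</b></script>'


def for_html_text(value):
    """HTML element content: neutralise the markup delimiters & < >."""
    return html.escape(value, quote=False)


def for_html_attribute(value):
    """Quoted attribute value: additionally escape both quote characters."""
    return html.escape(value, quote=True)


def for_script_string(value):
    """JavaScript string literal inside an inline <script> block.

    json.dumps handles quotes, backslashes and newlines. The characters
    < > & are then written as Unicode escapes so the text cannot close the
    script element. HTML entities are not decoded in this context, so
    html.escape would be the wrong tool here.
    """
    literal = json.dumps(value)
    for ch in "<>&":
        literal = literal.replace(ch, "\\u%04x" % ord(ch))
    return literal


def render_error_fragment(error):
    """Place the same error in all three contexts, each with its own encoder."""
    return (
        '<div class="error" title="%s">%s</div>\n'
        "<script>var lastError = %s;</script>"
        % (for_html_attribute(error), for_html_text(error), for_script_string(error))
    )


if __name__ == "__main__":
    print(render_error_fragment(SAMPLE_ERROR))
```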


SEC-465

Summary
Arbitrary code execution as root via dnssec adminbin.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 7.8 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Description
The dnssec adminbin did not adequately validate the nsec_config or algo_config parameters. By injecting malicious data into these parameters, it was possible for an attacker to execute arbitrary code on the system.

Credits
This issue was discovered by the cPanel Security Team.


SEC-467

Summary
WebDAV backup transport writes debug files containing sensitive information.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Description
The WebDAV backup transport module enabled debug logging in HTTP::DAV. This debug information was written to a hardcoded file in an unsafe location. This file contained sensitive information. This could allow an attacker access to the remote WebDAV server.

Credits
This issue was discovered by the cPanel Security Team.



Monday, November 19, 2018
