Archive for December, 2013

CloudLinux – CageFS (postmodifyacct) Input Validation Failure (R911-0110)

Tuesday, December 24th, 2013

Type: Input Validation Failure
Location: Remote
Impact: High
Product: CloudLinux
Website: http://www.cloudlinux.com
Vulnerable Version: CageFS 5.2-12
Fixed Version: CageFS 5.2-15
CVE: -
R911: 0110
Date: 2013-12-24
By: Rack911

Product Description:

CloudLinux is a commercially supported Linux operating system interchangeable with CentOS. It includes kernel-level technology called LVE that allows you to control CPU and memory on a per-tenant basis. It is a basis for application-level virtualization. CloudLinux delivers advanced resource management, better security and performance optimizations specifically targeted at multi-tenant hosting environments.

Vulnerability Description:

Due to an input validation failure present within the postmodifyacct script for cPanel, it is possible for a malicious reseller to disable CageFS and perform other commands intended for an administrator.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that CageFS can be disabled.

Vulnerable Version:

This vulnerability was tested against CloudLinux CageFS 5.2-12 and is believed to exist in all prior versions.

Fixed Version:

This vulnerability was patched in CloudLinux CageFS 5.2-15.

Special Note:

We would like to take a moment to thank the developers of CloudLinux for their always prompt updates in patching our security vulnerabilities. While we understand that no developer would like to have security vulnerabilities present, CloudLinux always takes responsibility, and its developers are some of the most dedicated we have interacted with. Kudos to them!

Vendor Contact Timeline:

2013-12-20: Vendor contacted via email.
2013-12-20: Vendor confirms vulnerability.
2013-12-23: Vendor issues update.
2013-12-24: Rack911 issues security advisory.

cPanel – Getpkginfo (Root) Arbitrary File Access (R911-0109)

Tuesday, December 24th, 2013

Type: Arbitrary File Access
Location: Remote
Impact: High
Product: cPanel
Website: http://www.cpanel.net
Vulnerable Version: All versions prior to the fixed builds below.
Fixed Version: 11.40.1.7, 11.40.0.31, 11.38.2.15 & 11.36.2.12.
CVE: -
R911: 0109
Date: 2013-12-24
By: Rack911

Product Description:

cPanel is an easy-to-use control panel that gives web hosts and the website owners they serve the ability to quickly and easily manage their servers and websites. Web Host Manager (WHM) is a part of the cPanel software, often used by resellers and system administrators.

Vulnerability Description:

It is possible for a reseller to exploit a vulnerability in getpkginfo to open any file on the server, regardless of ownership, which could ultimately lead to a root compromise. There is also a directory traversal present.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that root access can be obtained.

Vulnerable Version:

This vulnerability was tested against cPanel 11.40.0 #19 and is believed to exist in all versions prior to the fixed builds below.

Fixed Version:

This vulnerability was patched in cPanel 11.40.1.7, 11.40.0.31, 11.38.2.15 & 11.36.2.12.

Vendor Contact Timeline:

2013-12-19: Vendor contacted via email.
2013-12-20: Vendor confirms vulnerability but claims they found it. We “politely” disagree.
2013-12-21: Vendor issues updates to all builds.
2013-12-24: Rack911 issues security advisory.

HostBill – File Management (Admin) ACL Failure (R911-0108)

Friday, December 20th, 2013

Type: ACL Failure
Location: Remote
Impact: Medium
Product: HostBill
Website: http://www.hostbillapp.com
Vulnerable Version: 2013-12-14
Fixed Version: 2013-12-20
CVE: -
R911: 0108
Date: 2013-12-20
By: Rack911

Product Description:

Whether you resell hosting or lease colocation space, you need to bill your customers. HostBill platform’s core components are designed to help you acquire customers, automate your services and ensure that invoices are paid on time.

Vulnerability Description:

It is possible for a restricted admin to access any client file and/or delete said file due to an ACL failure. (A restricted admin can be someone only assigned to Billing or Support tasks.)

Impact:

We have deemed this vulnerability to be rated as MEDIUM due to the fact that a restricted admin can access content exceeding their permissions.

Vulnerable Version:

This vulnerability was tested against HostBill v2013-12-14. (Yes, that is the version!)

Fixed Version:

This vulnerability was patched in HostBill v2013-12-20.

Vendor Contact Timeline:

2013-12-14: Vendor contacted via email.
2013-12-14: Vendor confirms vulnerability.
2013-12-20: Vendor issues 2013-12-20 update.
2013-12-20: Rack911 issues security advisory.

HostBill – Login As Client (Admin) ACL Failure (R911-0107)

Friday, December 20th, 2013

Type: ACL Failure
Location: Remote
Impact: Medium
Product: HostBill
Website: http://www.hostbillapp.com
Vulnerable Version: 2013-12-14
Fixed Version: 2013-12-20
CVE: -
R911: 0107
Date: 2013-12-20
By: Rack911

Product Description:

Whether you resell hosting or lease colocation space, you need to bill your customers. HostBill platform’s core components are designed to help you acquire customers, automate your services and ensure that invoices are paid on time.

Vulnerability Description:

It is possible for a restricted admin to access any client account using the ‘Login as Client’ feature due to an ACL failure. (A restricted admin can be someone only assigned to Billing or Support tasks.)

Impact:

We have deemed this vulnerability to be rated as MEDIUM due to the fact that a restricted admin can access any client account exceeding their permissions.

Vulnerable Version:

This vulnerability was tested against HostBill v2013-12-14. (Yes, that is the version!)

Fixed Version:

This vulnerability was patched in HostBill v2013-12-20.

Vendor Contact Timeline:

2013-12-14: Vendor contacted via email.
2013-12-14: Vendor confirms vulnerability.
2013-12-20: Vendor issues 2013-12-20 update.
2013-12-20: Rack911 issues security advisory.

HostBill – Auto Upgrade (Admin) ACL Failure (R911-0106)

Friday, December 20th, 2013

Type: ACL Failure
Location: Remote
Impact: Medium
Product: HostBill
Website: http://www.hostbillapp.com
Vulnerable Version: 2013-12-14
Fixed Version: 2013-12-20
CVE: -
R911: 0106
Date: 2013-12-20
By: Rack911

Product Description:

Whether you resell hosting or lease colocation space, you need to bill your customers. HostBill platform’s core components are designed to help you acquire customers, automate your services and ensure that invoices are paid on time.

Vulnerability Description:

It is possible for a restricted admin to upgrade HostBill due to an ACL failure if auto upgrades are NOT enabled. (A restricted admin can be someone only assigned to Billing or Support tasks.)

Impact:

We have deemed this vulnerability to be rated as MEDIUM due to the fact that HostBill can be upgraded by unauthorized admins.

Vulnerable Version:

This vulnerability was tested against HostBill v2013-12-14. (Yes, that is the version!)

Fixed Version:

This vulnerability was patched in HostBill v2013-12-20.

Vendor Contact Timeline:

2013-12-14: Vendor contacted via email.
2013-12-14: Vendor confirms vulnerability.
2013-12-20: Vendor issues 2013-12-20 update.
2013-12-20: Rack911 issues security advisory.

HostBill – Add / Deny Access (Admin) ACL Failure (R911-0105)

Friday, December 20th, 2013

Type: ACL Failure
Location: Remote
Impact: Medium
Product: HostBill
Website: http://www.hostbillapp.com
Vulnerable Version: 2013-12-14
Fixed Version: 2013-12-20
CVE: -
R911: 0105
Date: 2013-12-20
By: Rack911

Product Description:

Whether you resell hosting or lease colocation space, you need to bill your customers. HostBill platform’s core components are designed to help you acquire customers, automate your services and ensure that invoices are paid on time.

Vulnerability Description:

Due to an ACL failure, it is possible for a restricted admin to add or deny any IP access to the admin panel. (A restricted admin can be someone only assigned to Billing or Support tasks.)

Impact:

We have deemed this vulnerability to be rated as MEDIUM due to the fact that a restricted admin can interfere with the security of the panel.

Vulnerable Version:

This vulnerability was tested against HostBill v2013-12-14. (Yes, that is the version!)

Fixed Version:

This vulnerability was patched in HostBill v2013-12-20.

Vendor Contact Timeline:

2013-12-14: Vendor contacted via email.
2013-12-14: Vendor confirms vulnerability.
2013-12-20: Vendor issues 2013-12-20 update.
2013-12-20: Rack911 issues security advisory.

HostBill – Add API Access (Admin) ACL Failure (R911-0104)

Friday, December 20th, 2013

Type: ACL Failure
Location: Remote
Impact: Medium
Product: HostBill
Website: http://www.hostbillapp.com
Vulnerable Version: 2013-12-14
Fixed Version: 2013-12-20
CVE: -
R911: 0104
Date: 2013-12-20
By: Rack911

Product Description:

Whether you resell hosting or lease colocation space, you need to bill your customers. HostBill platform’s core components are designed to help you acquire customers, automate your services and ensure that invoices are paid on time.

Vulnerability Description:

It is possible for a restricted admin to add API access for their own IP address, thus giving them full access to HostBill. (A restricted admin can be someone only assigned to Billing or Support tasks.)

Impact:

We have deemed this vulnerability to be rated as MEDIUM due to the fact that an admin can elevate their privileges due to the ACL failure.

Vulnerable Version:

This vulnerability was tested against HostBill v2013-12-14. (Yes, that is the version!)

Fixed Version:

This vulnerability was patched in HostBill v2013-12-20.

Vendor Contact Timeline:

2013-12-14: Vendor contacted via email.
2013-12-14: Vendor confirms vulnerability.
2013-12-20: Vendor issues 2013-12-20 update.
2013-12-20: Rack911 issues security advisory.

cPanel – Restorepkg Arbitrary Command Execution (R911-0103)

Wednesday, December 18th, 2013

Type: Arbitrary Command Execution
Location: Local
Impact: High
Product: cPanel
Website: http://www.cpanel.net
Vulnerable Version: All versions prior to the fixed builds below.
Fixed Version: 11.40.1.3, 11.40.0.29, 11.38.2.13 & 11.36.2.10
CVE: -
R911: 0103
Date: 2013-12-18
By: Rack911

Product Description:

cPanel is an easy-to-use control panel that gives web hosts and the website owners they serve the ability to quickly and easily manage their servers and websites. Web Host Manager (WHM) is a part of the cPanel software, often used by resellers and system administrators.

Vulnerability Description:

It is possible for a malicious user to manipulate a backup archive to include modified grant tables, which could lead to arbitrary command execution as root.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that any command can be performed as root. We are disappointed that cPanel did not assign this vulnerability a rating, as the potential for servers to be compromised as a result is very real.

Vulnerable Version:

This vulnerability was tested against cPanel 11.40.0.9 and is believed to exist in all versions prior to the fixed builds below.

Fixed Version:

This vulnerability was patched in cPanel 11.40.1.3, 11.40.0.29, 11.38.2.13 & 11.36.2.10.

Vendor Contact Timeline:

2013-11-12: Vendor contacted via email.
2013-11-12: Vendor confirms vulnerability.
2013-12-16: Vendor issues updates to all builds.
2013-12-18: Rack911 issues security advisory.

cPanel – Database Datastore Insecure File Permissions (R911-0102)

Wednesday, December 18th, 2013

Type: Insecure File Permissions
Location: Local
Impact: High
Product: cPanel
Website: http://www.cpanel.net
Vulnerable Version: All versions prior to the fixed builds below.
Fixed Version: 11.40.1.3, 11.40.0.29, 11.38.2.13 & 11.36.2.10
CVE: -
R911: 0102
Date: 2013-12-18
By: Rack911

Product Description:

cPanel is an easy-to-use control panel that gives web hosts and the website owners they serve the ability to quickly and easily manage their servers and websites. Web Host Manager (WHM) is a part of the cPanel software, often used by resellers and system administrators.

Vulnerability Description:

Under certain conditions it is possible for an attacker to view the MySQL grants for user databases, including usernames, remote access hosts and passwords, because the datastore files under /var/cpanel/databases have insecure permissions.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that sensitive data regarding user databases can be obtained.

Vulnerable Version:

This vulnerability was tested against cPanel 11.40.0.9 and is believed to exist in all versions prior to the fixed builds below.

Fixed Version:

This vulnerability was patched in cPanel 11.40.1.3, 11.40.0.29, 11.38.2.13 & 11.36.2.10.

Vendor Contact Timeline:

2013-11-12: Vendor contacted via email.
2013-11-12: Vendor confirms vulnerability.
2013-12-16: Vendor issues updates to all builds.
2013-12-18: Rack911 issues security advisory.

cPanel – Arbitrary File Access (BIND) (R911-0101)

Wednesday, December 18th, 2013

Type: Arbitrary File Access
Location: Remote
Impact: Medium
Product: cPanel
Website: http://www.cpanel.net
Vulnerable Version: All versions prior to the fixed builds below.
Fixed Version: 11.40.1.3, 11.40.0.29, 11.38.2.13 & 11.36.2.10
CVE: -
R911: 0101
Date: 2013-12-18
By: Rack911

Product Description:

cPanel is an easy-to-use control panel that gives web hosts and the website owners they serve the ability to quickly and easily manage their servers and websites. Web Host Manager (WHM) is a part of the cPanel software, often used by resellers and system administrators.

Vulnerability Description:

A malicious reseller can manipulate named (BIND) to open any file on the server, including root owned files, with the possibility of being able to view sensitive data.

Impact:

We have deemed this vulnerability to be rated as MEDIUM due to the fact that, while any file can be accessed, the output is extremely limited, making this exploit difficult to perform.

Vulnerable Version:

This vulnerability was tested against cPanel 11.40.0.9 and is believed to exist in all versions prior to the fixed builds below.

Fixed Version:

This vulnerability was patched in cPanel 11.40.1.3, 11.40.0.29, 11.38.2.13 & 11.36.2.10.

Vendor Contact Timeline:

2013-10-04: Vendor contacted via email.
2013-10-10: Vendor confirms vulnerability.
2013-12-16: Vendor issues updates to all builds.
2013-12-18: Rack911 issues security advisory.