Archive for April, 2014

Idera Server Backup Manager – Restore Arbitrary File Overwrite (R911-0143)

Monday, April 21st, 2014

Type: Arbitrary File Overwrite
Location: Local
Impact: High
Product: Idera Server Backup Manager (R1Soft)
Website: http://www.idera.com
Vulnerable Version: 5.4.3
Fixed Version: 5.6
CVE:
R911: 0143
Date: 2014-04-21
By: Rack911

Product Description:

Idera Server Backup Manager is an affordable, high-performance, disk-to-disk backup software for Linux and Windows servers. (This software was previously more commonly known as R1Soft Backup.)

Vulnerability Description:

A malicious user can overwrite and take control of any file on the server, including root-owned files, by using a hard link or symlink attack during the restore process, if the restore is executed by an admin user via the GUI.
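The advisory gives no implementation detail, so the following is an added example, not code from Idera or Rack911: a generic hardened write for a privileged restore routine that refuses a destination which is a symlink or has extra hard links. The names `safe_restore`, `UnsafeRestoreTarget` and `demo`, and the file names in the constructed scenario, are assumptions made for illustration.

```python
import errno
import os
import stat
import tempfile

class UnsafeRestoreTarget(Exception):
    """Destination is a symlink, not a regular file, or has extra hard links."""

def safe_restore(dest: str, data: bytes) -> None:
    """Write restored bytes to dest without following a planted link."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW  # no O_TRUNC before the checks
    try:
        fd = os.open(dest, flags, 0o600)
    except OSError as exc:
        if exc.errno in (errno.ELOOP, errno.EMLINK):  # final component is a symlink
            raise UnsafeRestoreTarget(f"{dest}: symlink") from exc
        raise
    with os.fdopen(fd, "wb") as out:  # wraps the fd; does not truncate by itself
        st = os.fstat(out.fileno())  # inspect the inode actually opened, not the path
        if not stat.S_ISREG(st.st_mode):
            raise UnsafeRestoreTarget(f"{dest}: not a regular file")
        if st.st_nlink != 1:  # some other name refers to this same inode
            raise UnsafeRestoreTarget(f"{dest}: {st.st_nlink} hard links")
        out.truncate(0)
        out.write(data)

def demo() -> dict:  # constructed scenario: links planted where the restore writes
    results = {}
    with tempfile.TemporaryDirectory() as root:
        protected = os.path.join(root, "protected.conf")  # stands in for a root-owned file
        with open(protected, "wb") as f:
            f.write(b"original")
        for kind, make_link in (("symlink", os.symlink), ("hardlink", os.link)):
            dest = os.path.join(root, f"restore-{kind}")
            make_link(protected, dest)
            try:
                safe_restore(dest, b"restored data")
                results[kind] = "written"
            except UnsafeRestoreTarget:
                results[kind] = "refused"
        clean = os.path.join(root, "restore-clean")
        safe_restore(clean, b"restored data")  # ordinary path: must still work
        with open(clean, "rb") as f:
            results["clean"] = f.read()
        with open(protected, "rb") as f:
            results["protected"] = f.read()
    return results

if __name__ == "__main__":
    print(demo())
```

This guards only the final path component; a restore that walks user-controlled directories also has to resolve each parent directory without following links. On Linux, the `fs.protected_symlinks` and `fs.protected_hardlinks` sysctls add a kernel-level layer against the same class of attack.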

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that root access can be obtained.

Vulnerable Version:

This vulnerability was tested against Idera Server Backup Manager (R1Soft) v5.4.3 and is believed to exist in previous versions.

Fixed Version:

This vulnerability was patched in Idera Server Backup Manager (R1Soft) v5.6.

Vendor Contact Timeline:

2014-03-07: Vendor contacted via email.
2014-03-17: Vendor confirms vulnerability.
2014-04-21: Vendor issues update.
2014-04-21: Rack911 issues security advisory.

CloudLinux – cPanel Lvechart.cgi Arbitrary Command Execution (R911-0142)

Thursday, April 10th, 2014

Type: Arbitrary Command Execution
Location: Remote
Impact: Medium
Product: CloudLinux
Website: http://www.cloudlinux.com
Vulnerable Version: lvemanager 0.7-1.32
Fixed Version: lvemanager 0.8-1.15.1
CVE: -
R911: 0142
Date: 2014-04-10
By: Rack911

Product Description:

CloudLinux is a commercially supported Linux operating system interchangeable with CentOS. It includes kernel-level technology called LVE that allows you to control CPU and memory on a per-tenant basis. It is a basis for application-level virtualization. CloudLinux delivers advanced resource management, better security and performance optimizations specifically targeted to multi-tenant hosting environments.

Vulnerability Description:

Due to an arbitrary command execution vulnerability present within the cPanel lvechart.cgi, it is possible for a user to bypass CageFS restrictions.

Impact:

We have deemed this vulnerability to be rated as MEDIUM due to the fact that CageFS can be bypassed.

Vulnerable Version:

This vulnerability was tested against CloudLinux lvemanager 0.7-1.32 and is believed to exist in all prior versions.

Fixed Version:

This vulnerability was patched in CloudLinux lvemanager 0.8-1.15.1.

Vendor Contact Timeline:

2014-04-07: Vendor contacted via email.
2014-04-07: Vendor confirms vulnerability.
2014-04-10: Vendor issues update.
2014-04-10: Rack911 issues security advisory.

CloudLinux – cPanel PHP Selector Arbitrary Command Execution (R911-0141)

Thursday, April 10th, 2014

Type: Arbitrary Command Execution
Location: Remote
Impact: Medium
Product: CloudLinux
Website: http://www.cloudlinux.com
Vulnerable Version: lvemanager 0.7-1.32
Fixed Version: lvemanager 0.8-1.15.1
CVE: -
R911: 0141
Date: 2014-04-10
By: Rack911

Product Description:

CloudLinux is a commercially supported Linux operating system interchangeable with CentOS. It includes kernel-level technology called LVE that allows you to control CPU and memory on a per-tenant basis. It is a basis for application-level virtualization. CloudLinux delivers advanced resource management, better security and performance optimizations specifically targeted to multi-tenant hosting environments.

Vulnerability Description:

Due to an arbitrary command execution vulnerability present within the cPanel CageFS PHP Selector, it is possible for a user to bypass CageFS restrictions.

Impact:

We have deemed this vulnerability to be rated as MEDIUM due to the fact that CageFS can be bypassed.

Vulnerable Version:

This vulnerability was tested against CloudLinux lvemanager 0.7-1.32 and is believed to exist in all prior versions.

Fixed Version:

This vulnerability was patched in CloudLinux lvemanager 0.8-1.15.1.

Vendor Contact Timeline:

2014-04-07: Vendor contacted via email.
2014-04-07: Vendor confirms vulnerability.
2014-04-10: Vendor issues update.
2014-04-10: Rack911 issues security advisory.