Archive for July, 2014

cPanel – Exim Valiases Arbitrary File Access (R911-0169)

Monday, July 28th, 2014

Type: Arbitrary File Access
Location: Local
Impact: High
Product: cPanel
Website: http://www.cpanel.net
Vulnerable Version: All versions prior to the fixed builds below.
Fixed Version: 11.44.1.5, 11.44.0.29, 11.42.1.23 & 11.40.1.18
CVE: -
R911: 0169
Date: 2014-07-28
By: RACK911

Product Description:

cPanel is an easy-to-use control panel that gives web hosts, and the website owners they serve, the ability to quickly and easily manage their servers and websites. Web Host Manager (WHM) is a part of the cPanel software, often used by resellers and system administrators.

Vulnerability Description:

It is possible for a malicious user to obtain the contents of any file on a cPanel server, including sensitive root-owned files, by modifying the user's valias to include a carefully crafted string, which is then triggered via a specific email request.

Impact:

We have rated this vulnerability HIGH because a user can access any file on the server with minimal effort.

Vulnerable Version:

This vulnerability was tested against cPanel 11.42.0.19 and is believed to exist in all versions prior to the fixed builds below.

Fixed Version:

This vulnerability was patched in cPanel 11.44.1.5, 11.44.0.29, 11.42.1.23 & 11.40.1.18.

Vendor Contact Timeline:

2014-06-22: Vendor contacted via email.
2014-06-22: Vendor confirms vulnerability.
2014-07-21: Vendor issues updates to all builds.
2014-07-28: RACK911 issues security advisory.

cPanel – Adddns Input Validation Failure (R911-0168)

Monday, July 28th, 2014

Type: Input Validation Failure
Location: Remote
Impact: High
Product: cPanel
Website: http://www.cpanel.net
Vulnerable Version: All versions prior to the fixed builds below.
Fixed Version: 11.44.1.5, 11.44.0.29, 11.42.1.23 & 11.40.1.18
CVE: -
R911: 0168
Date: 2014-07-28
By: RACK911

Product Description:

cPanel is an easy-to-use control panel that gives web hosts, and the website owners they serve, the ability to quickly and easily manage their servers and websites. Web Host Manager (WHM) is a part of the cPanel software, often used by resellers and system administrators.

Vulnerability Description:

It is possible for a malicious reseller to take ownership of the DNS zone for the server's hostname due to an input validation failure within the Adddns function.

Impact:

We have rated this vulnerability HIGH because the malicious reseller could intercept email bounces, failures and other server communications intended for addresses that make use of the server hostname.

Vulnerable Version:

This vulnerability was tested against cPanel 11.42.0.19 and is believed to exist in all versions prior to the fixed builds below.

Fixed Version:

This vulnerability was patched in cPanel 11.44.1.5, 11.44.0.29, 11.42.1.23 & 11.40.1.18.

Vendor Contact Timeline:

2014-06-22: Vendor contacted via email.
2014-06-22: Vendor confirms vulnerability.
2014-07-21: Vendor issues updates to all builds.
2014-07-28: RACK911 issues security advisory.

cPanel – EasyApache & UPCP Denial of Service (R911-0167)

Monday, July 28th, 2014

Type: Denial of Service
Location: Local
Impact: High
Product: cPanel
Website: http://www.cpanel.net
Vulnerable Version: All versions prior to the fixed builds below.
Fixed Version: 11.44.1.5, 11.44.0.29, 11.42.1.23 & 11.40.1.18
CVE: -
R911: 0167
Date: 2014-07-28
By: RACK911

Product Description:

cPanel is an easy-to-use control panel that gives web hosts, and the website owners they serve, the ability to quickly and easily manage their servers and websites. Web Host Manager (WHM) is a part of the cPanel software, often used by resellers and system administrators.

Vulnerability Description:

It is possible for a malicious user to prevent EasyApache & UPCP (cPanel Update) from running by executing a carefully crafted process.

Impact:

We have rated this vulnerability HIGH because a user can interfere with updates, which could prevent a server from obtaining the necessary security patches.

Vulnerable Version:

This vulnerability was tested against cPanel 11.42.0.19 and is believed to exist in all versions prior to the fixed builds below.

Fixed Version:

This vulnerability was patched in cPanel 11.44.1.5, 11.44.0.29, 11.42.1.23 & 11.40.1.18.

Vendor Contact Timeline:

2014-04-09: Vendor contacted via email.
2014-04-14: Vendor confirms vulnerability.
2014-07-21: Vendor issues updates to all builds.
2014-07-28: RACK911 issues security advisory.

cPanel – LeechProtect Denial of Service (R911-0166)

Monday, July 28th, 2014

Type: Denial of Service
Location: Local
Impact: Medium
Product: cPanel
Website: http://www.cpanel.net
Vulnerable Version: All versions prior to the fixed builds below.
Fixed Version: 11.44.1.5, 11.44.0.29, 11.42.1.23 & 11.40.1.18
CVE: -
R911: 0166
Date: 2014-07-28
By: RACK911

Product Description:

cPanel is an easy-to-use control panel that gives web hosts, and the website owners they serve, the ability to quickly and easily manage their servers and websites. Web Host Manager (WHM) is a part of the cPanel software, often used by resellers and system administrators.

Vulnerability Description:

It is possible for a malicious user to crash the LeechProtect service on cPanel by modifying the relevant mod_rewrite rules to include a certain string. The malicious user then opens the page being protected by LeechProtect and the crash occurs.

Impact:

We have rated this vulnerability MEDIUM because the LeechProtect service can be crashed but no sensitive information is obtained.

Vulnerable Version:

This vulnerability was tested against cPanel 11.42.0.19 and is believed to exist in all versions prior to the fixed builds below.

Fixed Version:

This vulnerability was patched in cPanel 11.44.1.5, 11.44.0.29, 11.42.1.23 & 11.40.1.18.

Vendor Contact Timeline:

2014-03-10: Vendor contacted via email.
2014-03-19: Vendor confirms vulnerability.
2014-07-21: Vendor issues updates to all builds.
2014-07-28: RACK911 issues security advisory.

cPanel – LeechProtect Unauthorized Htpasswd Modification (R911-0165)

Monday, July 28th, 2014

Type: Content Modification
Location: Local
Impact: Medium
Product: cPanel
Website: http://www.cpanel.net
Vulnerable Version: All versions prior to the fixed builds below.
Fixed Version: 11.44.1.5, 11.44.0.29, 11.42.1.23 & 11.40.1.18
CVE: -
R911: 0165
Date: 2014-07-28
By: RACK911

Product Description:

cPanel is an easy-to-use control panel that gives web hosts, and the website owners they serve, the ability to quickly and easily manage their servers and websites. Web Host Manager (WHM) is a part of the cPanel software, often used by resellers and system administrators.

Vulnerability Description:

It is possible for a malicious user to interfere with another user's .htpasswds file by modifying the relevant mod_rewrite rules to point at a different directory. When the malicious user then intentionally triggers a suspension via LeechProtect, the other user's .htpasswds file is modified without authorization.

Impact:

We have rated this vulnerability MEDIUM because the LeechProtect service can be manipulated into interfering with other users' accounts.

Vulnerable Version:

This vulnerability was tested against cPanel 11.42.0.19 and is believed to exist in all versions prior to the fixed builds below.

Fixed Version:

This vulnerability was patched in cPanel 11.44.1.5, 11.44.0.29, 11.42.1.23 & 11.40.1.18.

Vendor Contact Timeline:

2014-03-10: Vendor contacted via email.
2014-03-10: Vendor confirms vulnerability.
2014-07-21: Vendor issues updates to all builds.
2014-07-28: RACK911 issues security advisory.
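
The five cPanel advisories above (R911-0165 through R911-0169) share the same set of fixed builds, so a single version check covers all of them. The following is an added example, not RACK911's or cPanel's code: it compares a build string of the form cPanel writes to /usr/local/cpanel/version against the fixed builds listed in the advisories, treating any build below its branch's fixed build, or in an older unlisted branch, as still affected; the host inventory is constructed sample data.

```python
"""Check whether a cPanel build carries the July 2014 fixes (R911-0165 .. R911-0169).

Added example, not part of the RACK911 advisories. The fixed builds are the ones
listed in the advisories; anything below them in the same release branch is
affected. The version string format ("11.42.0.19") matches what cPanel stores in
/usr/local/cpanel/version; the sample inventory below is constructed.
"""

# Fixed builds from the advisories, keyed by release branch (first three fields).
FIXED_BUILDS = {
    (11, 44, 1): (11, 44, 1, 5),
    (11, 44, 0): (11, 44, 0, 29),
    (11, 42, 1): (11, 42, 1, 23),
    (11, 40, 1): (11, 40, 1, 18),
}
NEWEST_FIXED = max(FIXED_BUILDS.values())


def parse_version(text):
    """Turn "11.42.0.19" into (11, 42, 0, 19); reject anything malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError("unexpected cPanel version string: %r" % text)
    return tuple(int(p) for p in parts)


def is_patched(version_text):
    """True if the build is at or above its branch's fixed build, or newer than
    every fixed branch; False for builds below the fix and for older branches
    that never received one (e.g. the 11.42.0.x build the advisories tested)."""
    version = parse_version(version_text)
    branch = version[:3]
    if branch in FIXED_BUILDS:
        return version >= FIXED_BUILDS[branch]
    # Branch not listed in the advisories: only a release newer than all fixed builds is safe.
    return version > NEWEST_FIXED


def check_hosts(versions_by_host):
    """Return the hosts whose reported build is still affected, sorted by name."""
    return sorted(h for h, v in versions_by_host.items() if not is_patched(v))


if __name__ == "__main__":
    # Constructed sample inventory: host -> contents of /usr/local/cpanel/version.
    inventory = {
        "web01": "11.42.0.19",   # the build the advisories were tested against
        "web02": "11.44.1.5",    # fixed build
        "web03": "11.44.0.28",   # one build short of the fix
        "web04": "11.46.0.3",    # constructed: a branch newer than every fixed build
    }
    for host in check_hosts(inventory):
        print("%s: %s still affected, upgrade to a fixed build" % (host, inventory[host]))
```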

Exim – Math Comparison Functions Local Command Execution (R911-0164)

Friday, July 25th, 2014

Type: Command Execution
Location: Local
Impact: High
Product: Exim
Website: http://www.exim.org
Vulnerable Version: 4.82
Fixed Version: 4.83
CVE: 2014-2972
R911: 0164
Date: 2014-07-25
By: RACK911

Product Description:

Exim is a message transfer agent (MTA) developed at the University of Cambridge for use on Unix systems connected to the Internet. There is a great deal of flexibility in the way mail can be routed, and there are extensive facilities for checking incoming mail. Exim can be installed in place of Sendmail, although the configuration of Exim is quite different.

Vulnerability Description:

Exim contains a flaw in the expansion of arguments to the math comparison functions, which can result in the argument values being expanded twice (double expansion).

As a result, an attacker can achieve local command execution if Exim performs a look-up against files that they can edit. In some cases, such as the Exim bundled with cPanel, this local command execution can lead to a root compromise because the Exim look-up is performed as the root user.

Impact:

We have rated this vulnerability HIGH because a user can execute local commands under certain circumstances.

Vulnerable Version:

This vulnerability was tested against Exim 4.82 and is believed to exist in all previous versions.

Fixed Version:

This vulnerability was patched in Exim 4.83.

Vendor Contact Timeline:

2014-06-22: Vendor contacted via email.
2014-06-23: Vendor confirms vulnerability.
2014-07-22: Vendor issues update.
2014-07-25: RACK911 issues security advisory.