cPanel – Insecure Credential Storage (R911-0056)

Type: Insecure Credential Storage
Location: Local
Impact: Low
Product: cPanel
Website: http://www.cpanel.net
Vulnerable Version: All versions prior to the fixed builds below.
Fixed Version: 11.39.0.15, 11.38.2.6, 11.36.2.3, 11.34.2.4 & 11.32.7.3
CVE: -
R911: 0056
Date: 2013-08-29
By: http://www.rack911.com

Product Description:

cPanel is an easy-to-use control panel that gives web hosts and the website owners they serve the ability to quickly and easily manage their servers and websites. Web Host Manager (WHM) is a part of the cPanel software, often used by resellers and system administrators.

Vulnerability Description:

The /var/cpanel/sessions directory stored both user and root credentials in plain text, which could, under certain circumstances, allow a malicious administrator to view the details. A malicious administrator, or anyone who compromises the server, would be able to monitor that directory and build a list of plain-text credentials which could be used elsewhere, as users often reuse the same password.

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:

We have deemed this vulnerability to be rated as LOW due to the fact that the file can only be viewed by an administrator. This is more of a “hardening” measure.

Vulnerable Version:

This vulnerability was tested against cPanel 11.38.1.13 and is believed to exist in all versions prior to the fixed builds below.

Fixed Version:

This vulnerability was patched in cPanel 11.39.0.15, 11.38.2.6, 11.36.2.3, 11.34.2.4 & 11.32.7.3.
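
Added example (not part of the original advisory or of cPanel's own tooling): a Python check that compares cPanel version strings from a server inventory against the fixed builds listed above and reports hosts that still need the update. The hostnames and the inventory are constructed sample data; treating branches newer than 11.39 as fixed, and flagging branches with no listed fixed build separately, are assumptions.

```python
import re

# Fixed builds listed in the advisory, keyed by release branch (major, minor).
FIXED_BUILDS = {
    (11, 32): (11, 32, 7, 3),
    (11, 34): (11, 34, 2, 4),
    (11, 36): (11, 36, 2, 3),
    (11, 38): (11, 38, 2, 6),
    (11, 39): (11, 39, 0, 15),
}
NEWEST_FIXED_BRANCH = max(FIXED_BUILDS)
VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*$")

def parse_version(text):
    """Parse 'major.minor.release.build' into a tuple of four ints."""
    match = VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised cPanel version: {text!r}")
    return tuple(int(part) for part in match.groups())

def classify(version_text):
    """Return 'fixed', 'vulnerable' or 'no-fixed-build' for one version."""
    version = parse_version(version_text)
    branch = version[:2]
    if branch in FIXED_BUILDS:
        return "fixed" if version >= FIXED_BUILDS[branch] else "vulnerable"
    if branch > NEWEST_FIXED_BRANCH:
        return "fixed"  # assumption: later branches carry the fix
    # No fixed build is listed for this branch: move to a listed branch.
    return "no-fixed-build"

def audit(inventory):
    """Map host -> status for every host that is not on a fixed build."""
    findings = {}
    for host, version_text in inventory.items():
        status = classify(version_text)
        if status != "fixed":
            findings[host] = status
    return findings

# Constructed inventory: hostnames and versions are sample data.
SAMPLE_INVENTORY = {
    "web01.example.test": "11.38.1.13",  # the build tested in the advisory
    "web02.example.test": "11.38.2.6",
    "web03.example.test": "11.36.2.2",
    "web04.example.test": "11.30.8.9",
}
if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```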

Vendor Contact Timeline:

2013-07-23: Vendor contacted via email.
2013-08-01: Vendor confirms vulnerability.
2013-08-27: Vendor issues updates to all builds.
2013-08-29: Rack911 issues security advisory.