Type: Privilege Escalation
Product: UNIXY cPanel Varnish
Vulnerable Version: 1.8.4
Fixed Version: 1.8.6
The UNIXY cPanel plugin comes with a Web interface to manage Varnish via cPanel WHM. The cPanel app takes the complexity out of Varnish in a consolidated one-stop interface. The script allows you to uninstall Varnish, modify Varnish settings, look up caching stats, refresh the Varnish cache, restart Varnish, and much more!
A malicious user can escalate their privileges via a symlink attack when Varnish is disabled by the end user. This flaw is exploitable by both resellers and normal cPanel users. In our testing, we were able to obtain an interactive root shell in a matter of seconds.
We rate this vulnerability CRITICAL because root access can be obtained.
This vulnerability was tested against UNIXY cPanel Varnish v1.8.4 and is believed to exist in all prior versions.
This vulnerability was patched in UNIXY cPanel Varnish v1.8.6.
Vendor Contact Timeline:
2013-10-12: Vendor contacted via email.
2013-10-12: Vendor confirms vulnerability.
2013-11-18: Vendor issues v1.8.6 update.
2013-11-20: Rack911 issues security advisory.