News

Known Issues

Summary

Updating Enkompass to this version failed if the Admin password had been changed since Enkompass was originally installed.

Description

If the Admin password had been changed from the one used to originally install Enkompass, the update failed, leaving the system unusable.  This could be triggered by manual or automatic updates.

Solution

If your system was affected by this issue, please submit a support request so that our experienced technicians can quickly resolve your issue.

Our staff must examine the affected server before the server can be updated to Enkompass version 1.6.0.204. You can use the following form to submit your support request:

cPanel Customer Portal - https://tickets.cpanel.net/submit/

Please be sure to reference "Enkompass 1.6.0.200 update" in your submission title, so that your request is given high priority.

Enkompass 1.6.0.200 has been removed from the update servers, and has been replaced by version 1.6.0.204. This issue will not occur with 1.6.0.204.

If you are planning a migration from Parallels Plesk Panel to cPanel & WHM in the near future, do not upgrade Plesk Panel to version 10.

Parallels Plesk Panel 10 incorporates a new authentication model that does not rely upon the /etc/passwd system database. This change prevents successful migrations from Plesk 10 systems to cPanel & WHM systems.

The cPanel & WHM development team is working on a solution to include in future releases of cPanel & WHM.

Our migration team currently supports migration from the following platforms:

  • DirectAdmin (all versions)
  • Ensim / Parallels Pro (all versions, Linux only)
  • Plesk (6 - 9.5.1, Linux only)

Summary

A memory corruption vulnerability exists in Exim versions 4.69 and older (CVE-2010-4344). Exim is the mail transfer agent used by cPanel & WHM.

Security Rating

This update has been rated as Important by the cPanel Security team.

Description

A memory corruption vulnerability has been discovered in Exim. This vulnerability may lead to arbitrary code execution with the privileges of the user running the Exim daemon. On December 9, 2010, cPanel released RPMs for CVE-2010-4345 that mitigated the severity of this vulnerability. This notification covers the release of new RPMs that remove the remote memory corruption vulnerability entirely. The vulnerability depends on the "rejected_header" item being enabled in the log_selector configuration, which is the default setting.
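As an added example (not cPanel's or Exim's own code), the following shell function reports whether an Exim configuration file leaves the "rejected_header" log selector enabled, which is the precondition for CVE-2010-4344 described above; a missing log_selector line counts as enabled because that is Exim's default, and the sample configuration files are constructed here.

```shell
#!/bin/sh
# Added example, not cPanel's or Exim's code. Reports whether the
# "rejected_header" log selector, the precondition for CVE-2010-4344,
# is enabled in the given Exim configuration file.
# Exim enables rejected_header by default, so a configuration with no
# log_selector line is reported as "enabled". Only single-line
# log_selector settings are handled (no backslash continuations).
rejected_header_state() {
    conf="$1"
    # log_selector is a list of +item/-item tokens; later tokens override
    # earlier ones, and +all / -all switch every selector at once.
    sel=$(grep -E '^[[:space:]]*log_selector[[:space:]]*=' "$conf" \
          | tail -n 1 | sed -e 's/^[^=]*=//' -e 's/#.*$//')
    state=enabled
    for tok in $sel; do
        case "$tok" in
            +all|+rejected_header) state=enabled ;;
            -all|-rejected_header) state=disabled ;;
        esac
    done
    echo "$state"
}

# Constructed sample configurations (not real server files).
exim_samples=$(mktemp -d)
cat > "$exim_samples/default.conf" <<'EOF'
# no log_selector at all, so Exim's default selection applies
primary_hostname = mail.example.test
EOF
cat > "$exim_samples/hardened.conf" <<'EOF'
primary_hostname = mail.example.test
log_selector = +all -rejected_header   # selector explicitly switched off
EOF
echo 'log_selector = -all +rejected_header' > "$exim_samples/reenabled.conf"

for name in default hardened reenabled; do
    echo "$name.conf: rejected_header $(rejected_header_state "$exim_samples/$name.conf")"
done
```

The check only tells you whether the precondition holds on a given server; the fix the notification describes is the updated Exim RPM.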

Solution

To resolve and work around the issue on Linux systems, cPanel has issued new Exim RPMs. Server Owners are strongly urged to upgrade to the following Exim RPM versions:

  • Systems configured to use Maildir: Exim 4.69-26
  • Systems configured to use mbox (deprecated): Exim 4.63-5

Exim RPMs will be distributed through cPanel's package management system. All cPanel & WHM servers receiving updates automatically will receive the updated Exim RPM during normal update and maintenance operations (upcp).  To begin an Exim update on cPanel systems immediately, run the following command as root:

/scripts/eximup

FreeBSD systems should be running Exim 4.72 by default, which is not affected by this issue.

FAQ

This notification covers CVE-2010-4344.

The notification released earlier, on December 10, 2010, with the summary "A privilege escalation vulnerability exists in Exim, the mail transfer agent used by cPanel & WHM." covers CVE-2010-4345. At the time of that earlier announcement, the CVE had not yet been assigned.

References

Critical: Exim security update (CVE-2010-4345) - cPanel Inc.

Official Record CVE-2010-4344

Debian Bug Report for CVE-2010-4344

[exim-dev] Remote root vulnerability in Exim

Re: [exim-dev] Remote root vulnerability in Exim 

Summary

A privilege escalation vulnerability exists in Exim, the mail transfer agent used by cPanel & WHM.

Security Rating

This update has been rated as Critical by the cPanel Security team.

Description

Research up to this point indicates that the exploit is a buffer overflow that takes advantage of Exim's default configuration settings for altering its runtime configuration file and for overriding the macro definitions in that file. The buffer overflow may lead to arbitrary code execution with the privileges of the user running the Exim daemon. However, Exim retains root privileges when invoked with the -C and -D command line flags. By creating a temporary Exim configuration and having Exim process it with the -C or -D flag, the Exim user is able to execute arbitrary commands as root.

This vulnerability is tracked by CVE-2010-4345.

Solution

To resolve and work around the issue on Linux-based systems, cPanel has issued new Exim RPMs. The new version of Exim locks the configuration file location to the /etc/exim prefix and disables use of the -D flag. Server Owners are strongly urged to upgrade to the following Exim RPM versions:

  • Systems configured to use Maildir: Exim 4.69-25
  • Systems configured to use mbox (deprecated): Exim 4.63-4

Exim RPMs will be distributed through cPanel's package management system. All cPanel & WHM servers receiving updates automatically will receive the updated Exim RPM during normal update and maintenance operations (upcp).  If you prefer to install the update right now, please run the following in a root shell:

/scripts/eximup

On cPanel & WHM FreeBSD servers, Exim is an unmanaged install performed from the Ports system. To apply a like setup on FreeBSD systems, server administrators will need to perform the following manual configuration:

  • Remove WITHOUT_ALT_CONFIG_PREFIX=yes from /etc/make.conf
  • Add the following to /var/db/ports/exim/options

WITH_ALT_CONFIG_PREFIX=true

SEDLIST+= -e 's,^(ALT_CONFIG_PREFIX=).*,\1/etc/exim,'

SEDLIST+= -e 's,^\# (DISABLE_D_OPTION=),\1,'

  • Change directory to /usr/ports/mail/exim
  • Execute 'make deinstall'
  • Execute 'make install'

Caution: the above changes may be undone by /scripts/checkmakeconf and by updates to the Exim port. An upcoming version of cPanel & WHM 11.28 will resolve this for FreeBSD users.
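Because the settings above can be reverted, an added example (not cPanel's own code) that re-checks them: the function below verifies that WITHOUT_ALT_CONFIG_PREFIX=yes is gone from make.conf and that the options file still carries the three lines from the procedure; the default paths are the real files and the sample files it exercises are constructed here.

```shell
#!/bin/sh
# Added example, not cPanel's code. Checks that the three FreeBSD Exim port
# settings from the steps above are still in place, since
# /scripts/checkmakeconf or an Exim port update may revert them.
# Arguments default to the real paths; pass other paths when testing.
# Exit status: 0 = all settings present, 1 = something is missing.
check_exim_port_hardening() {
    makeconf="${1:-/etc/make.conf}"
    options="${2:-/var/db/ports/exim/options}"
    missing=""
    # 1. WITHOUT_ALT_CONFIG_PREFIX=yes must be gone from make.conf
    if [ -f "$makeconf" ] &&
       grep -Eq '^WITHOUT_ALT_CONFIG_PREFIX[[:space:]]*=[[:space:]]*yes' "$makeconf"; then
        missing="$missing WITHOUT_ALT_CONFIG_PREFIX(make.conf)"
    fi
    # 2. alternate prefix enabled and pinned to /etc/exim in the options file
    grep -Eq '^WITH_ALT_CONFIG_PREFIX[[:space:]]*=[[:space:]]*true' "$options" 2>/dev/null \
        || missing="$missing WITH_ALT_CONFIG_PREFIX"
    grep -Fq 'ALT_CONFIG_PREFIX=).*,\1/etc/exim' "$options" 2>/dev/null \
        || missing="$missing ALT_CONFIG_PREFIX=/etc/exim"
    # 3. the sed rule that uncomments DISABLE_D_OPTION must be present
    grep -Fq '(DISABLE_D_OPTION=),\1' "$options" 2>/dev/null \
        || missing="$missing DISABLE_D_OPTION"
    if [ -n "$missing" ]; then
        echo "exim port hardening incomplete:$missing"
        return 1
    fi
    echo "exim port hardening present"
}

# Constructed sample files (not real system files).
port_samples=$(mktemp -d)
echo 'WITHOUT_ALT_CONFIG_PREFIX=yes' > "$port_samples/make.conf.reverted"
: > "$port_samples/make.conf.clean"
cat > "$port_samples/options.full" <<'EOF'
WITH_ALT_CONFIG_PREFIX=true
SEDLIST+= -e 's,^(ALT_CONFIG_PREFIX=).*,\1/etc/exim,'
SEDLIST+= -e 's,^\# (DISABLE_D_OPTION=),\1,'
EOF
echo 'WITH_ALT_CONFIG_PREFIX=true' > "$port_samples/options.partial"

check_exim_port_hardening "$port_samples/make.conf.clean" "$port_samples/options.full" || true
check_exim_port_hardening "$port_samples/make.conf.reverted" "$port_samples/options.partial" || true
```

Run it without arguments on the server after each upcp or port update; a non-zero exit means the manual steps need to be repeated.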


References

http://docs.cpanel.net/twiki/bin/view/AllDocumentation/SecurityLevels

http://www.exim.org/lurker/message/20101207.215955.bb32d4f2.en.html

http://bugs.exim.org/show_bug.cgi?id=1044

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4345

On December 1, 2011 the ProFTPD Project team announced that the Project's main FTP server, as well as mirror servers, were compromised. The ProFTPD 1.3.3c source code was modified to include a backdoor.

The cPanel & WHM Development team obtained the ProFTPD 1.3.3c sources prior to the compromise. Additionally, the Development team has verified that the binary version distributed to cPanel & WHM servers is not affected by this issue. Currently, all product update tiers are set for ProFTPD 1.3.3c.

References

ProFTPD Compromise Announcement

ProFTPD Project Site