Summary

A memory corruption vulnerability exists in Exim versions 4.69 and older (CVE-2010-4344). Exim is the mail transfer agent used by cPanel & WHM.

Security Rating

This update has been rated as Important by the cPanel Security team.

Description

A memory corruption vulnerability has been discovered in Exim.  This vulnerability may lead to arbitrary code execution with the privileges of the user executing the Exim daemon. cPanel previously released RPMs that mitigated the severity of the vulnerability on December 9, 2010 (CVE-2010-4345). This notification is for the release of new RPMs which remove the remote memory corruption vulnerability in its entirety. The vulnerability relies upon "rejected_header" being enabled (default setting) in the log_selector configuration.

Solution

To resolve and work around the issue on Linux systems, cPanel has issued new Exim RPMs. Server Owners are strongly urged to upgrade to the following Exim RPM versions:

  • Systems configured to use Maildir: Exim 4.69-26
  • Systems configured to use mbox (deprecated): Exim 4.63-5

Exim RPMs will be distributed through cPanel's package management system. All cPanel & WHM servers receiving updates automatically will receive the updated Exim RPM during normal update and maintenance operations (upcp).  To begin an Exim update on cPanel systems immediately, run the following command as root:

/scripts/eximup

FreeBSD systems should be running Exim 4.72 by default, which is not affected by this issue.
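
As an added check that is not part of the cPanel advisory, the following POSIX shell functions decide whether a server is still exposed to CVE-2010-4344 from two inputs: the installed Exim RPM name as reported by rpm -q exim, and the effective log_selector value as printed by exim -bP log_selector. The fixed release numbers (4.69-26 and 4.63-5) and the fact that the bug needs rejected_header enabled are taken from the advisory above. That cPanel's packages are named exim-VERSION-RELEASE is an assumption, as is treating every 4.70 or newer version as carrying the upstream fix; the sample inputs at the bottom are constructed.

```sh
#!/bin/sh
# Added example, not part of the cPanel advisory: is this server still exposed
# to the rejected_header memory corruption (CVE-2010-4344)?
# Fixed cPanel builds per the advisory: exim-4.69-26 (Maildir), exim-4.63-5 (mbox).

# rpm_is_fixed NVR -> 0 if NVR (e.g. "exim-4.69-26") is a fixed build or newer.
# Assumes cPanel's package is named exim-VERSION-RELEASE.
rpm_is_fixed() {
    nvr=$1
    ver=${nvr#exim-}          # 4.69-26
    rel=${ver##*-}            # 26
    ver=${ver%-*}             # 4.69
    rel=${rel%%[!0-9]*}       # drop any non-numeric suffix such as ".cp"
    case "$ver" in
        4.69) [ "${rel:-0}" -ge 26 ] ;;
        4.63) [ "${rel:-0}" -ge 5 ] ;;
        4.6[0-8]|4.[0-5]*|[0-3].*) return 1 ;;   # older branches: no cPanel fix build
        *) return 0 ;;                           # assumed: 4.70+ carries the upstream fix
    esac
}

# rejected_header_enabled SELECTOR -> 0 if the rejected_header log item is on.
# SELECTOR is the value part of "exim -bP log_selector". Exim applies the +/-
# items left to right on top of its default set, in which rejected_header is
# enabled (the default the advisory relies on), so an empty SELECTOR means on.
rejected_header_enabled() {
    enabled=1
    for item in $1; do
        case "$item" in
            +rejected_header|+all) enabled=1 ;;
            -rejected_header|-all) enabled=0 ;;
        esac
    done
    [ "$enabled" -eq 1 ]
}

# exposure NVR SELECTOR -> prints a verdict; returns 0 only when exposed.
exposure() {
    if rpm_is_fixed "$1"; then
        echo "patched: $1"; return 1
    elif rejected_header_enabled "$2"; then
        echo "EXPOSED: $1 with rejected_header logging enabled"; return 0
    else
        echo "unpatched but rejected_header disabled: $1 (upgrade anyway)"; return 1
    fi
}

# Stand-alone run on constructed inputs. On a real server, as root, use:
#   exposure "$(rpm -q exim)" "$(exim -bP log_selector | sed 's/^log_selector *= *//')"
exposure exim-4.69-25 "" || true
exposure exim-4.69-25 "-rejected_header" || true
exposure exim-4.69-26 "" || true
```

Disabling rejected_header only removes the trigger; the advisory's position is that the RPM upgrade is the fix, which is why the verdict for an unpatched server still says to upgrade.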

FAQ

This notification covers CVE-2010-4344.

The notification released earlier on December 10, 2010, with the summary "A privilege escalation vulnerability exists in Exim, the mail transfer agent used by cPanel & WHM." covers CVE-2010-4345. At the time of that earlier announcement, the CVE had not yet been assigned.

References

Critical: Exim security update (CVE-2010-4345) - cPanel Inc.

Official Record CVE-2010-4344

Debian Bug Report for CVE-2010-4344

[exim-dev] Remote root vulnerability in Exim

Re: [exim-dev] Remote root vulnerability in Exim 

Summary

A privilege escalation vulnerability exists in Exim, the mail transfer agent used by cPanel & WHM.

Security Rating

This update has been rated as Critical by the cPanel Security team.

Description

Research up to this point indicates that the exploit is a buffer overflow vulnerability that takes advantage of Exim's default configuration settings, specifically those that allow Exim's runtime configuration file to be replaced and the macro definitions in the configuration file to be overridden. This buffer overflow may lead to arbitrary code execution with the privileges of the user executing the Exim daemon. However, the Exim user retains root privileges when Exim is run with the -C and -D command line flags. By creating a temporary Exim configuration and having it processed with the -C or -D flag, the Exim user is able to execute arbitrary commands as root.

This vulnerability is tracked by CVE-2010-4345.

Solution

To resolve and work around the issue on Linux-based systems, cPanel has issued new Exim RPMs. The new version of Exim locks configuration file locations to the /etc/exim prefix and disables use of the -D flag. Server Owners are strongly urged to upgrade to the following Exim RPM versions:

  • Systems configured to use Maildir: Exim 4.69-25
  • Systems configured to use mbox (deprecated): Exim 4.63-4

Exim RPMs will be distributed through cPanel's package management system. All cPanel & WHM servers receiving updates automatically will receive the updated Exim RPM during normal update and maintenance operations (upcp).  If you prefer to install the update right now, please run the following in a root shell:

   /scripts/eximup

On cPanel & WHM FreeBSD servers, Exim is an unmanaged install performed from the Ports system. To apply an equivalent setup on FreeBSD systems, server administrators will need to perform the following manual configuration:

  • Remove WITHOUT_ALT_CONFIG_PREFIX=yes from /etc/make.conf
  • Add the following to /var/db/ports/exim/options:

    WITH_ALT_CONFIG_PREFIX=true
    SEDLIST+= -e 's,^(ALT_CONFIG_PREFIX=).*,\1/etc/exim,'
    SEDLIST+= -e 's,^\# (DISABLE_D_OPTION=),\1,'

  • Change directory to /usr/ports/mail/exim
  • Execute 'make deinstall'
  • Execute 'make install'

Caution: the above changes have the potential to be undone by /scripts/checkmakeconf and by updates to the Exim port. An upcoming version of cPanel & WHM 11.28 will resolve this for FreeBSD users.

References

http://docs.cpanel.net/twiki/bin/view/AllDocumentation/SecurityLevels

http://www.exim.org/lurker/message/20101207.215955.bb32d4f2.en.html

http://bugs.exim.org/show_bug.cgi?id=1044

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4345

On December 1, 2011 the ProFTPD Project team announced that the Project's main FTP server, as well as mirror servers, were compromised. The ProFTPD 1.3.3c source code was modified to include a backdoor.

The cPanel & WHM Development team obtained the ProFTPD 1.3.3c sources prior to the compromise. Additionally, the Development team has verified that the binary version distributed to cPanel & WHM servers is not affected by this issue. Currently, all product update tiers are set for ProFTPD 1.3.3c.

References:

ProFTPD Compromise Announcement

ProFTPD Project Site

A Linux kernel exploit has been released that directly impacts all 64-bit kernels. It is highly recommended that you review the links below to gather more information on this exploit.

cPanel is providing this as information only. The scope of support provided with cPanel/WHM does not include security-related operating system support. Please seek the advice of an expert if you are unsure or have further questions about the workaround or exploit.

This only affects x86_64 machines. Please ignore this message if you are running an i386/32-bit-only machine.

The below is a temporary workaround for the recent local root security hole in the Linux kernel. This workaround will adversely affect some systems; a partial list of these adverse effects is given below. Please think carefully, and seek the advice of an expert if you are unsure whether you should apply this workaround. As soon as it becomes available and is deemed stable for use, you should get an updated kernel from your Linux kernel vendor.

cPanel/WHM-specific items to be aware of:

The workaround below will break anything that requires 32-bit compatibility mode. cPanel does distribute true 64-bit binaries, so in theory most things should be fine.

echo ':32bits:M:0:\x7fELF\x01::/bin/echo:' > /proc/sys/fs/binfmt_misc/register

In testing we have found that most things work just fine, however the following issues were discovered:

  • Both courier and MySQL are recompiled from source rather than being installed via RPM. This issue is resolved and will be available in the next 11.27 build. For your convenience we also provide a patch for this, attached to this advisory. To apply this patch:
    • Download the patch to your server
    • Execute the patch command via SSH like:

      patch -p0 < courierup-mysqlup-32bitdisabled.patch.txt

Note: if the patch file is not in your current directory, you will need to provide its full path when passing it to the patch command.

  • Frontpage will not function at all
  • 3rd party 32-bit binary-only Apache and PHP modules may not function properly
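
Because the workaround routes every 32-bit ELF executable to /bin/echo, the practical question before applying it is which files on the server it will break. The following POSIX shell functions, added here and not part of the cPanel advisory, classify files by the same five-byte ELF magic the echo command above registers (7f 45 4c 46 01), scan a directory for 32-bit ELF objects such as third-party Apache or PHP modules, and report whether the 32bits binfmt_misc entry is currently enabled. The sample files are constructed inline so the code runs stand-alone; the function and variable names are this example's own.

```sh
#!/bin/sh
# Added example, not part of the cPanel advisory: find what the binfmt_misc
# workaround would break. The workaround registers the five-byte magic
# 7f 45 4c 46 01 (ELF header, ELFCLASS32) and routes matching files to
# /bin/echo, so a file is affected exactly when it starts with that sequence.

# elf_class FILE -> prints elf32, elf64 or other
elf_class() {
    # First five bytes as lowercase hex with no separators, e.g. 7f454c4601.
    magic=$(dd if="$1" bs=5 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        7f454c4601) echo elf32 ;;
        7f454c4602) echo elf64 ;;
        *)          echo other ;;
    esac
}

# list_elf32 DIR -> prints every regular file under DIR that is a 32-bit ELF
list_elf32() {
    find "$1" -type f 2>/dev/null | while IFS= read -r f; do
        [ "$(elf_class "$f")" = elf32 ] && printf '%s\n' "$f"
    done
    return 0
}

# workaround_active -> 0 if the "32bits" entry exists and its first line is "enabled"
workaround_active() {
    [ -r /proc/sys/fs/binfmt_misc/32bits ] || return 1
    read -r state < /proc/sys/fs/binfmt_misc/32bits
    [ "$state" = enabled ]
}

# undo_workaround -> deletes the entry. Writing -1 to a binfmt_misc entry file
# removes that entry (standard kernel binfmt_misc interface). Needs root.
undo_workaround() {
    [ -e /proc/sys/fs/binfmt_misc/32bits ] && echo -1 > /proc/sys/fs/binfmt_misc/32bits
}

# make_samples -> creates a temp dir holding constructed files (a fake 32-bit
# ELF, a fake 64-bit ELF and a shell script) and prints the directory name
make_samples() {
    dir=$(mktemp -d)
    printf '\177ELF\001 constructed 32-bit header' > "$dir/mod32.so"
    printf '\177ELF\002 constructed 64-bit header' > "$dir/mod64.so"
    printf '#!/bin/sh\necho hi\n' > "$dir/helper.sh"
    echo "$dir"
}

# Stand-alone run: scan the constructed samples (point list_elf32 at your Apache
# module and PHP extension directories on a real server), then report whether
# the workaround is currently in force.
samples=$(make_samples)
echo "32-bit ELF files under $samples:"
list_elf32 "$samples"
if workaround_active; then
    echo "binfmt_misc 32bits entry: enabled"
else
    echo "binfmt_misc 32bits entry: not present or disabled"
fi
rm -rf "$samples"
```

Running list_elf32 over the module directories before applying the workaround gives the concrete list of what will stop working; afterwards, workaround_active confirms the entry is in place, and undo_workaround removes it again when the vendor kernel arrives.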

References:
http://forums.cpanel.net/f185/x86_64-kernel-exploit-165758.html#post692222
https://www.ksplice.com/uptrack/cve-2010-3081.ssi.xhtml
http://linux.slashdot.org/article.pl?sid=10/09/20/0217204

Summary

cPanel 11.25.0 provides mechanisms to prevent Cross Site Request Forgery attacks.

Security Rating

This update has been rated as Important by the cPanel Security team.

Description

All versions of cPanel prior to version 11.25.0 are vulnerable to cross site request forgery attacks. Cross-site request forgery, often abbreviated as CSRF or XSRF, exploits the trust a website has in a user's browser. By exploiting that trust a malicious user can execute unauthorized commands on a website.

Solution

cPanel 11 users should upgrade to version 11.25.0, which contains mechanisms to prevent these types of attacks. To ensure full protection, cPanel strongly recommends enabling the following options in Tweak Settings:

  • Require security tokens for all interfaces. This will greatly improve the security of cPanel and WHM against XSRF attacks, but may break integration with other systems, login applications, billing software and third-party themes.
  • Validate the IP addresses used in all cookie-based logins. This will limit the ability of attackers who capture cPanel session cookies to use them in an exploit of the cPanel or WebHost Manager interfaces. For this setting to have maximum effectiveness, proxydomains should also be disabled.
  • Disable Http Authentication for cPanel/WebMail/WHM Logins (forces cookie authentication). This will help prevent certain types of XSRF attacks that rely on cached Http Auth credentials.

In addition, it is recommended that the following Tweak Settings be disabled:

  • Add proxy VirtualHost to httpd.conf to automatically redirect unconfigured cpanel, webmail, webdisk and whm subdomains to the correct port (requires mod_rewrite and mod_proxy)
  • Automatically create cpanel, webmail, webdisk and whm proxy subdomain DNS entries for new accounts. When this is initially enabled it will add appropriate proxy subdomain DNS entries to all existing accounts. (Use /scripts/proxydomains to reconfigure the DNS entries manually)

References

  1. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2043
  2. http://secunia.com/advisories/30027