Security Advisory 2013-07-23

SUMMARY

The Apache HTTPD Server Project has released httpd-2.2.25 and httpd-2.4.6 to correct multiple vulnerabilities that were issued CVEs.

Apache HTTP Server 2.2.25

CVE-2013-1896 mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn with the source href (sent as part of the request body as XML)
pointing to a URI that is not configured for DAV will trigger a segfault.

CVE-2013-1862 mod_rewrite: Ensure that client data written to the RewriteLog is escaped to prevent terminal escape sequences from entering the log file.
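As an added example (not code from the httpd project), the escaping step the CVE-2013-1862 fix describes, applied to client-supplied data before it is written to a log, together with a detector for the raw terminal sequences a pre-2.2.25 RewriteLog could contain. The sample request URI and log line are constructed.

```python
import re

# Terminal control sequences that must never reach a log file unescaped:
# CSI sequences (ESC [ ... final byte), other ESC-introduced sequences, and the
# 8-bit CSI byte 0x9b. Viewing such a log with cat or tail -f hands these
# sequences straight to the administrator's terminal.
_ESC_SEQ = re.compile(rb"\x1b\[[0-9;?]*[ -/]*[@-~]|\x1b[@-Z\\\]^_]|\x9b[0-9;?]*[ -/]*[@-~]")

def escape_log_item(data: bytes) -> str:
    """Escape client-controlled bytes for a text log: printable ASCII passes
    through, backslash and double quote are backslash-escaped, and every other
    byte (C0 controls including ESC, DEL, 0x80-0xff) becomes \\xHH.
    Modelled on, not copied from, the escaping httpd applies to log items."""
    out = []
    for b in data:
        if b == 0x5c:                  # backslash
            out.append("\\\\")
        elif b == 0x22:                # double quote
            out.append('\\"')
        elif 0x20 <= b < 0x7f:         # printable ASCII
            out.append(chr(b))
        else:
            out.append(f"\\x{b:02x}")
    return "".join(out)

def find_terminal_escapes(log_line: bytes) -> list[bytes]:
    """Detection side: return the raw terminal escape sequences found in a log line,
    i.e. evidence that unescaped client data reached the file."""
    return _ESC_SEQ.findall(log_line)

# Constructed sample: a request path carrying an ANSI "clear screen, home cursor"
# sequence followed by a fake log entry, so a viewer's terminal shows the forged line.
SAMPLE_REQUEST_URI = b"/index.php?page=\x1b[2J\x1b[1;1Hfake-line GET /admin 200"
SAMPLE_LOG_LINE = b"(2) rewrite '" + SAMPLE_REQUEST_URI + b"' -> '/index.php'"

if __name__ == "__main__":
    print("raw line contains:", find_terminal_escapes(SAMPLE_LOG_LINE))
    print("escaped line:", escape_log_item(SAMPLE_LOG_LINE))
```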

AFFECTED VERSIONS

All versions of Apache 2.2 before 2.2.25.

SECURITY RATING

The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:

CVE-2013-1896 – MEDIUM
CVE-2013-1862 – MEDIUM

Apache HTTP Server 2.4.6

CVE-2013-2249 mod_session_dbd.c in the mod_session_dbd module in the Apache HTTP Server before 2.4.5 proceeds with save operations for a session
without considering the dirty flag and the requirement for a new session ID, which has unspecified impact and remote attack vectors.

CVE-2013-1896 mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn with the source href (sent as part of the request body as XML)
pointing to a URI that is not configured for DAV will trigger a segfault.

AFFECTED VERSIONS

All versions of Apache 2.4 before 2.4.6.

SECURITY RATING

The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:

CVE-2013-2249 – HIGH
CVE-2013-1896 – MEDIUM

SOLUTION

cPanel, Inc. has released EasyApache 3.20.6 with updated versions of Apache 2.2 and 2.4 to correct these issues. To update, please rebuild your EasyApache
profile. For more information on rebuilding profiles, please consult our documentation (http://go.cpanel.net/ea).

Unless EasyApache updates are disabled on your system, the latest version of EasyApache will be used whenever EasyApache is run. Note that
EasyApache updates must be done manually.

REFERENCES

CVE-2013-1862 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1862)
CVE-2013-2249 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2249)
CVE-2013-1896 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1896)

Apache 2.2.25 Announcement (http://www.apache.org/dist/httpd/Announcement2.2.html)
Apache 2.4.6 Announcement (http://www.apache.org/dist/httpd/Announcement2.4.html)

For the PGP Signed message, please go here.

Posted in News, Security

Security Advisory 2013-07-22

SUMMARY
Mod_Security was found to have a Remote Null Pointer Dereference vulnerability that could cause it to crash.

SECURITY RATING
The cPanel Security Team has rated this update as having moderate security impact.
Information on security ratings is available at: http://go.cpanel.net/securitylevels.

DETAIL
CVE-2013-2765 states: “When forceRequestBodyVariable action is triggered and an unknown Content-Type is used, mod_security
will crash trying to manipulate msr->msc_reqbody_chunks->elts however msr->msc_reqbody_chunks is NULL.”

AFFECTED VERSIONS
All versions of mod_security before 2.7.4.

SOLUTION
cPanel, Inc. has released EasyApache 3.20.4, which includes mod_security version 2.7.4 to correct this issue. To update, rebuild your EasyApache profile. For more information on rebuilding profiles, please consult our documentation (http://go.cpanel.net/ea).

RELEASES
EasyApache v3.20.4 addresses the mod_security vulnerability.
Unless EasyApache updates are disabled on your system, the latest version of EasyApache will be used whenever EasyApache is run. Note that EasyApache updates must be done manually.

REFERENCES
CVE-2013-2765 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2765)
Red Hat Security Response Team (https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2765)
Mod_Security ChangeLog (https://raw.github.com/SpiderLabs/ModSecurity/master/CHANGES)

For the PGP signed message, please go here.

Posted in News, Security

TSR-2013-0008 Disclosure

The following disclosure covers TSR-2013-0008, the Targeted Security
Release published on July 15th, 2013. Each vulnerability is assigned an
internal case number which is reflected below. Information regarding
the cPanel Security Level rankings can be found here:
http://go.cpanel.net/securitylevels

Case 71121

Summary

The Squirrelmail Webmail session file contained plain text passwords.

Security Rating

cPanel has assigned a Security Level of Minor to this vulnerability.

Description

cPanel includes the SquirrelMail Webmail suite as one option for
Webmail accounts to access their email using a web browser. The
included copy of SquirrelMail stored the password used to authenticate
in a cleartext format in its session files. The session files are
stored in the /tmp/ directory with 0600 (rw-------) permissions,
limiting access to the plaintext passwords to the system user account.

Credits

This issue was discovered by Alex Kwiecinski of the Liquid Web Security
Team.

Solution

This issue is resolved in the following builds:
* 11.39.0.5 & Greater
* 11.38.1.13 & Greater
* 11.36.1.15 & Greater
* 11.34.1.25 & Greater
* 11.32.6.17 & Greater

Please update your cPanel & WHM system to one of the aforementioned
versions or the latest public release available. A full listing of
published versions can always be found at
http://httpupdate.cpanel.net/.

Case 72157

Summary

Arbitrary File Modification vulnerability when suspending an account.

Security Rating

cPanel has assigned a Security Level of Important to this
vulnerability.

Description

cPanel & WHM includes functionality to automatically suspend cPanel
accounts that consume more than their allotted limits of disk and
bandwidth resources. The account suspension process makes several
changes inside the suspended user account’s home directory. It was
discovered that manipulations of virtual account password files that
are stored inside the user’s home directory were performed with the
effective permissions of the root user and without sufficient
protections against tampering. This allowed a local attacker whose
account was being suspended to manipulate sensitive files outside of
their home directory.

Credits

This issue was discovered by Rack911.

Solution

This issue is resolved in the following builds:
* 11.39.0.5 & Greater
* 11.38.1.13 & Greater
* 11.36.1.15 & Greater
* 11.34.1.25 & Greater
* 11.32.6.17 & Greater

Please update your cPanel & WHM system to one of the aforementioned
versions or the latest public release available. A full listing of
published versions can always be found at http://httpupdate.cpanel.net/.

Case 71573

Summary

A reseller account with clustering privileges can modify any DNS zone
on the system.

Security Rating

cPanel has assigned a Security Level of Important to this vulnerability.

Description

cPanel & WHM includes a DNS clustering system called DNSAdmin that
allows DNS changes to propagate beyond the local system. This system
functions through specific URLs inside WHM that are accessible only to
reseller accounts with the “clustering” privilege. The URLs in cpsrvd
that handle DNSAdmin cluster requests were not enforcing local zone
ownership correctly, allowing a malicious reseller with the clustering
privilege to send updates for DNS zones that did not belong to his
accounts.

Credits

This issue was discovered by Rack911.

Solution

This issue is resolved in the following builds:
* 11.39.0.5 & Greater
* 11.38.1.13 & Greater
* 11.36.1.15 & Greater
* 11.34.1.25 & Greater
* 11.32.6.17 & Greater

Please update your cPanel & WHM system to one of the aforementioned
versions or the latest public release available. A full listing of
published versions can always be found at http://httpupdate.cpanel.net/.

Case 71625

Summary

A reseller account with park-dns privileges can take control of any
domain on the system.

Security Rating

cPanel has assigned a Security Level of Important to this vulnerability.

Description

WHM allows resellers with the “park-dns” ACL to assign ownership of a
parked domain from one cPanel account to another. This functionality
was not checking that the domain being reassigned belonged to an
account the reseller controlled. A malicious reseller account with the
“park-dns” ACL could use this flaw to take control of any other domains
on the system.
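The flaw in Cases 71573 and 71625 is the same one: the handler verified the reseller's ACL but not that the zone or domain belonged to one of the reseller's own accounts. The following added example (not cPanel's code; the reseller, account and domain data are constructed) models both operations behind one ownership check, so the privilege alone is never sufficient.

```python
from dataclasses import dataclass, field

class AuthorizationError(PermissionError):
    """Raised when a reseller acts on a zone or domain outside the accounts it controls."""

@dataclass
class Reseller:
    name: str
    acls: set[str]        # WHM ACLs held, e.g. {"clustering"} or {"park-dns"}
    accounts: set[str]    # cPanel accounts owned by this reseller

@dataclass
class System:
    domain_owner: dict[str, str] = field(default_factory=dict)  # domain or zone -> owning account

    def _require_acl(self, reseller: Reseller, acl: str) -> None:
        # The check the vulnerable handlers did perform: does the caller hold the privilege?
        if acl not in reseller.acls:
            raise AuthorizationError(f"{reseller.name} lacks the {acl!r} ACL")

    def _require_owned(self, reseller: Reseller, domain: str) -> None:
        # The check that was missing: does the object belong to one of the caller's accounts?
        if self.domain_owner.get(domain) not in reseller.accounts:
            raise AuthorizationError(f"{domain} is not owned by an account of {reseller.name}")

    def push_zone_update(self, reseller: Reseller, zone: str, records: list) -> str:
        """DNSAdmin cluster update: clustering ACL plus local zone ownership."""
        self._require_acl(reseller, "clustering")
        self._require_owned(reseller, zone)
        return f"zone {zone} updated by {reseller.name} ({len(records)} records)"

    def reassign_parked_domain(self, reseller: Reseller, domain: str, new_account: str) -> str:
        """Move a parked domain between accounts: park-dns ACL plus ownership of both ends."""
        self._require_acl(reseller, "park-dns")
        self._require_owned(reseller, domain)          # source account must be the reseller's
        if new_account not in reseller.accounts:       # and so must the destination account
            raise AuthorizationError(f"{new_account} is not an account of {reseller.name}")
        self.domain_owner[domain] = new_account
        return f"{domain} now owned by {new_account}"

def attempt(action, *args) -> str:
    """Run an action and report 'ok' or 'denied' instead of raising."""
    try:
        action(*args)
        return "ok"
    except AuthorizationError:
        return "denied"

def build_demo_system() -> tuple:
    """Constructed data: two resellers holding both ACLs, each with one account and one domain."""
    system = System({"alice-example.test": "acct_a", "bob-example.test": "acct_b"})
    alice = Reseller("alice", {"clustering", "park-dns"}, {"acct_a"})
    bob = Reseller("bob", {"clustering", "park-dns"}, {"acct_b"})
    return system, alice, bob
```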

Credits

This issue was discovered by Rack911.

Solution

This issue is resolved in the following builds:
* 11.39.0.5 & Greater
* 11.38.1.13 & Greater
* 11.36.1.15 & Greater
* 11.34.1.25 & Greater
* 11.32.6.17 & Greater

Please update your cPanel & WHM system to one of the aforementioned
versions or the latest public release available. A full listing of
published versions can always be found at http://httpupdate.cpanel.net/.

Case 71577

Summary

The Purchase and Install an SSL Certificate (Trustwave) feature does
not drop privileges during certificate file creation.

Security Rating

cPanel has assigned a Security Level of Important to this vulnerability.

Description

The WHM “Purchase and Install an SSL Certificate” page allows reseller
accounts with the “ssl” or “ssl-buy” ACLs to purchase SSL certificates
from Trustwave for installation on the local system. This interface
failed to drop privileges before creating a file in the reseller’s home
directory, allowing malicious resellers with appropriate ACLs to
overwrite arbitrary files on the system.

Credits

This issue was discovered by Rack911.

Solution

This issue is resolved in the following builds:
* 11.39.0.5 & Greater
* 11.38.1.13 & Greater
* 11.36.1.15 & Greater
* 11.34.1.25 & Greater
* 11.32.6.17 & Greater

Please update your cPanel & WHM system to one of the aforementioned
versions or the latest public release available. A full listing of
published versions can always be found at http://httpupdate.cpanel.net/.

For a PGP signed version, please go here.

Posted in News, Security

Targeted Security Release-2013-0008

cPanel has released new builds for all public update tiers. These
updates provide targeted changes to address security concerns with
the cPanel & WHM product. These builds are currently available to all
customers via the standard update system.

cPanel has rated these updates as having security impact levels ranging
from Minor to Important.

Information on cPanel’s security ratings is available at
http://go.cpanel.net/securitylevels.

If your deployed cPanel & WHM servers are configured to automatically
update when new releases are available, then no action is required.
Your systems will update automatically. If you have disabled automatic
updates, then we strongly encourage you to update your cPanel & WHM
installations at your earliest convenience.

Releases

The following cPanel & WHM versions address all known vulnerabilities:

* 11.39.0.5 & Greater
* 11.38.1.13 & Greater
* 11.36.1.15 & Greater
* 11.34.1.25 & Greater
* 11.32.6.17 & Greater

The latest public releases of cPanel & WHM for all update tiers are
available at http://httpupdate.cpanel.net.

Security Issue Information

The cPanel security team and independent security researchers
identified the resolved security issues. There is no reason to believe
that these vulnerabilities have been made known to the public. As such,
cPanel will only release limited information about the vulnerabilities
at this time.

Once sufficient time has passed, allowing cPanel & WHM systems to
automatically update to the new versions, cPanel will release
additional information about the nature of the security issues. This
Targeted Security Release addresses 5 vulnerabilities in cPanel & WHM
software versions 11.39, 11.38, 11.36, 11.34, and 11.32.

Additional information is scheduled for release on July 17th, 2013.

For information about our Versions and Release Process, read the
following document:

http://go.cpanel.net/versionformat

For the PGP signed version, go here.

Posted in News, Security, Software Updates

EasyApache 3.20 Now Available, Including Tomcat 7

July 9, 2013
Houston, TX-

cPanel, Inc announces the release of EasyApache 3.20

The 3.20 release of EasyApache brings a number of improvements to the cPanel & WHM hosting platform. Notable among these is Tomcat 7, the modern means of providing Java web applications.

Tomcat 7 provides a Tomcat Administrator with a myriad of benefits for deploying web applications and managing Java development projects including:

Automatic Servlet Configuration After a cPanel&WHM Version Upgrade and Server Transfer
Automatic Tomcat Log Rotation
JSP, WAR File, and Servlet Test Pages for Testing and Troubleshooting
Tomcat Restarts Automatically with Apache if Enabled
EasyApache 3.20 Utilizes Tomcat 7.0.41

Tomcat 7 is the first part of the EasyApache application to be released as pre-built RPMs. Users will experience quicker installations and updates of Tomcat due to this change. Upgrades from the older Tomcat 5.5 should be seamless.

The team behind EasyApache are excited about the many changes brought in version 3.20. The team is also proud to announce, “We are pleased that no Tomcatz were harmed in the production of EasyApache 3.20.”

Tomcat 7 has a minimum requirement of cPanel & WHM version 11.38.0.8, as well as Apache 2.2 or later.

More information about the changes in EasyApache 3.20, and Tomcat 7, is available in our EasyApache documentation.

To share your Tomcat 7 experience with others, please feel free to join in the discussion at http://features.cpanel.net/responses/tomcat-7-support-in-easyapache

Posted in News, Press Releases, Software Updates

cPanel Security Disclosure: TSR-2013-0007

Important: cPanel Security Disclosure TSR-2013-0007

The following disclosure covers the Targeted Security Release 2013-06-26.
Each vulnerability is assigned an internal case number which is reflected below.

Information regarding the cPanel Security Level rankings can be found here: http://go.cpanel.net/securitylevels

Case 71193

Summary

Local cPanel users are able to take over ownership of any file or directory on the system.

Security Rating

cPanel has assigned a Security Level of Important to this vulnerability.

Description

The log processing subsystem, cpanellogd, on cPanel & WHM servers offers an option for users to create an archive of their domain’s access logs in their home directory. During the preparatory steps for archiving, Cpanel::Logs::prep_logs_path performs a variety of checks to ensure a proper operating environment exists. A number of these checks are performed by a root-privileged process on files and directories in a user’s home directory. A malicious user could take advantage of this behavior to take ownership of important files on the same file system as his home directory.

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:

* 11.38.1.4 and greater
* 11.38.0.19 and greater
* 11.36.1.9 and greater
* 11.34.1.17 and greater
* 11.32.6.8 and greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/.

Case 71109

Summary

Local cPanel users are able to take over ownership of any file or directory on the system.

Security Rating

cPanel has assigned a Security Level of Important to this vulnerability.

Description

The log processing subsystem, cpanellogd, on cPanel & WHM servers offers an option for users to create an archive of their domain’s access logs in their home directory. When cpanellogd creates these archives, some operations are performed by a root-privileged process in the user’s home directory. Through the use of a carefully crafted hard link a malicious user could take advantage of this behavior to take ownership of any file on the same file system as his home directory.
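Cases 71109 and 71193 here, and Case 72157 in TSR-2013-0008 above, share one root cause: a root-privileged process operating on paths inside a home directory the user can rearrange. As an added example (not cPanel's code; assumes Python on Linux), the guard a privileged process should apply before touching such a file: open with O_NOFOLLOW, then validate type, owner and link count on the opened descriptor rather than the path, and operate only on that descriptor. The demo() scenario, with a symlink and a hard link planted in a temporary "home", is constructed.

```python
import os
import stat
import tempfile

class UnsafePathError(Exception):
    """Raised when a file inside a user-writable directory fails the tamper checks."""

def open_owned_regular_file(path: str, expected_uid: int, flags: int = os.O_RDONLY) -> int:
    """Open a file a privileged process is about to act on inside a user's home,
    refusing the substitutions a local user can plant there:
      * a symlink as the final component (O_NOFOLLOW makes open() fail),
      * a hard link to a file outside the home (link count > 1 or foreign owner),
      * anything that is not a regular file owned by the expected user.
    Checks run on the descriptor via fstat, so the path cannot be swapped between
    check and use; the caller then uses fchown/fchmod/write on the fd, never the path.
    Directory components leading to the file are not validated here; the robust
    fix additionally drops privileges to the user before working in their home."""
    try:
        fd = os.open(path, flags | os.O_NOFOLLOW | os.O_CLOEXEC)
    except OSError as exc:
        raise UnsafePathError(f"{path}: open refused ({exc.strerror})") from exc
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise UnsafePathError(f"{path}: not a regular file")
        if st.st_uid != expected_uid:
            raise UnsafePathError(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
        if st.st_nlink != 1:
            raise UnsafePathError(f"{path}: link count {st.st_nlink}, possible hard link to a foreign file")
    except UnsafePathError:
        os.close(fd)
        raise
    return fd

def demo() -> dict:
    """Constructed scenario under a temp dir: a 'system' file outside the home, an honest
    user file, a symlink to the system file and a hard link to it inside the home."""
    results = {}
    uid = os.getuid()
    with tempfile.TemporaryDirectory() as tmp:
        home = os.path.join(tmp, "home")
        os.mkdir(home)
        system_file = os.path.join(tmp, "system-file")   # stands in for a file outside $HOME
        with open(system_file, "w") as fh:
            fh.write("constructed sensitive content\n")
        honest = os.path.join(home, "passwd")            # the user's own virtual password file
        with open(honest, "w") as fh:
            fh.write("user:hash\n")
        sym = os.path.join(home, "sym")
        os.symlink(system_file, sym)
        hard = os.path.join(home, "hard")
        os.link(system_file, hard)
        for name, path in (("regular", honest), ("symlink", sym), ("hardlink", hard)):
            try:
                os.close(open_owned_regular_file(path, uid))
                results[name] = "ok"
            except UnsafePathError:
                results[name] = "rejected"
    return results
```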

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:

* 11.38.1.4 and greater
* 11.38.0.19 and greater
* 11.36.1.9 and greater
* 11.34.1.17 and greater
* 11.32.6.8 and greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/.

For the PGP Signed Message, Please go here.

Posted in News, Security

cPanel Conference ’13 Announced

cPanel, Inc., recently announced that cPanel Conference ’13 will be held in New Orleans, LA, September 30th – October 2nd, 2013.

Visit conference.cpanel.net to sign up for updates or to view the Conference Prospectus, which includes exhibitor and sponsorship opportunities.

You can also email any questions to conference@cpanel.net

Posted in Events

ResellerClub Hosting Summit Event

This October we’re sending representatives from cPanel to the ResellerClub Hosting Summit event in New Delhi, India. Those lucky few will get a chance to network with top technical companies from all over the world.

Posted in Events

11.39 Anticipated Push to the EDGE Tier

6/24/2013
Houston, TX-

Anticipated this week, June 24th, 2013, 11.39 will be pushed to the EDGE tier. This new build includes the following changes and updates to cPanel & WHM software:

-Added support for using cPanel & WHM in a 1:1 NAT environment
-Dovecot is upgraded to version 2.2 and it is now possible to enable auto-purging of deleted emails when using Dovecot
-Updated Logaholic to version 4.0.5
-Provides Razor2::Client::Agent with SpamAssassin
-Removed the ancient Java Telnet Application
-Added the ability to load custom CSS in WHM to allow simple customizations
-Added the homedir and homeroot data to the pre and post Whostmgr::Accounts::Create hooks
*MySQL 5.1, or higher, is required.

If you enjoy testing bleeding edge software, being involved in an energetic, highly skilled community, and providing feedback, we invite you to join our beta testing group. Simply sign up for our edge users mailing list, configure a non-production cPanel & WHM server for the edge tier, and hold on to your electrons.

Posted in News, Software Updates

11.38 Impending Push to STABLE

6/18/2013
Houston, TX-

cPanel, Inc. announces the impending release of cPanel & WHM software version 11.38.

cPanel & WHM software release 11.38 is anticipated to move to the STABLE tier the week of June 24, 2013. This release offers significant improvements to SSL Management and Backups. It also provides enhancements to jail shell, email auto configuration, and more.

Included in 11.38:

Improved SSL Management

The improved SSL management system offers a number of enhancements: support for UCC certificates, SNI (Server Name Indication), and enhanced support for Wildcard SSL certificates. This allows cPanel users to host multiple SSL websites on the same account. cPanel & WHM software users will notice changes to the user interfaces that simplify installing and managing the various SSL certificates, keys, and signing requests associated with their domains.

System and Account Backups

cPanel introduces a new backup system with software release 11.38. Among the changes are the ability to store backups in multiple locations, reduction in the time needed to perform a full backup, and a complete set of functionality for automating backups.

Backup restoration is also enhanced. A new queuing system allows system administrators to perform other operations within cPanel & WHM software while restorations occur.

Other notable changes include:

* Ability to configure the host used by email autodiscovery, and auto configuration
* Improved email tracking ability by ensuring the From header matches the mail sender
* Use of a single template system for customizing the Apache configuration
* Changes to jail shell, mod_ruid2, and more

Detailed information on all 11.38 features can be found at http://docs.cpanel.net/twiki/bin/view/AllDocumentation/1138ReleaseNotes. For an overview of the latest features available in 11.38, visit http://releases.cpanel.net/category/releases/11-38/.

Posted in News