IMPORTANT: 11.30, 11.32, & 11.34 cPanel & WHM Updates Available

Important: New Information about cPanel & WHM 11.30, 11.32, and 11.34 Updates Now Available

Summary:

cPanel & WHM 11.30.7.4; 11.32.5.15; 11.34.0.11, which fix multiple security issues, are now available for download.

cPanel has rated these updates as having important security impact. Information on security ratings is available at http://go.cpanel.net/securitylevels.

Description:

The Perl Storable module provides support for serialization and deserialization of Perl data structures. In cPanel & WHM this functionality is used for caching data to disk and transferring data between processes. In many areas this caching and interprocess communication crosses privilege separation boundaries. A local malicious user could use this behavior to inject code into serialized data structures, allowing code execution and possibly privilege escalation.

The Perl YAML::Syck module provides functionality similar to the Storable module. The version of YAML::Syck used in previous releases of cPanel & WHM allowed serialized data to be blessed into arbitrary packages as it was deserialized. This could be leveraged to perform unsafe actions in object destructors.

The version of Locale::Maketext used in previous releases of cPanel & WHM suffered from two flaws in the _compile() function which allowed authenticated users to execute arbitrary code by supplying specially crafted translatable phrases.

cPanel & WHM relies on the Crypt::Passwd::XS Perl module to perform password hashing. This module suffers from the same vulnerability disclosed in CVE-2012-2143 where passwords with the 0x80 character are truncated when hashed using the DES crypt algorithm. cPanel & WHM systems are configured by default to use the stronger MD5 and SHA512 crypt password hashing algorithms.

The version of Cpanel::Locale used in previous releases of cPanel & WHM included two date formatting functions that passed unsanitized user input to a subprocess shell. An authenticated attacker could use this functionality to execute arbitrary shell commands on the local system bypassing normal restrictions on local code execution.

These issues were discovered by various members of the Development and Quality Assurance teams at cPanel.

Solution:

We recommend updating your cPanel & WHM system as follows:

Update cPanel & WHM 11.30 to 11.30.7.3 or newer.
Update cPanel & WHM 11.32 to 11.32.5.14 or newer.
Update cPanel & WHM 11.34 to 11.34.0.10 or newer.

To check which version of cPanel you have, go to http://docs.cpanel.net/twiki/bin/view/AllDocumentation/MyVersion

A full listing of published versions can always be found at http://httpupdate.cpanel.net/.

References:

Case 59926 Multiple privilege escalation vulnerabilities due to the use of Storable for serialization
http://cpanel.net/case-59926/
Case 60203 Password hashes truncated by 0x80 characters
http://cpanel.net/case-60203/
Case 60970 Privilege escalation vulnerabilities due to the use of YAML::Syck for serialization
http://cpanel.net/case-60970/
Case 61251 Arbitrary code execution via translatable phrases due to the use of Locale::Maketext
http://cpanel.net/case-61251/
Case 62230 Shell code injection via translatable phrases in Cpanel::Locale
http://cpanel.net/case-62230/

Posted in News, Security | Tagged:

Case 62230

Summary

Shell code injection via translatable phrases in Cpanel::Locale

Security Rating

cPanel has assigned a Security Level of “Important” to this vulnerability.

Description

The Cpanel::Locale module wraps around Perl’s Locale::Maketext module and extends it to provide additional Maketext tags and functionality. Locale::Maketext is used to render translatable phrases into a user’s chosen locale. cPanel & WHM uses this module to display all translatable phrases in the cPanel, WHM and Webmail interfaces.

The version of Cpanel::Locale used in previous releases of cPanel & WHM included two date formatting functions that passed unsanitized user input to a subprocess shell. An authenticated attacker could use this functionality to execute arbitrary shell commands on the local system, bypassing normal restrictions on local code execution.

This vulnerability was discovered by the cPanel Quality Assurance Team.

Solution

This issue is resolved in the following builds:

* 11.34.0.10 and greater
* 11.32.5.14 and greater
* 11.30.7.3 and greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/.

Case 61251

Summary

Arbitrary code execution via translatable phrases due to the use of Locale::Maketext

Security Rating

cPanel has assigned a Security Level of “Important” to this vulnerability.

Description

The Perl Locale::Maketext module is used to render translatable phrases into a user’s chosen locale. cPanel & WHM uses this module to display all translatable phrases in the cPanel, WHM and Webmail interfaces.

The version of Locale::Maketext used in previous releases of cPanel & WHM suffered from two flaws in the _compile() function which allowed authenticated users to execute arbitrary code by supplying specially crafted translatable phrases:

1. The _compile() function improperly escaped backslash characters inside of maketext tags. The improperly escaped data was then fed into a Perl eval().

2. The _compile() function included support for package namespaced maketext tags that could be used to execute functions that were not designed to be treated as maketext tags.

This vulnerability was discovered by the cPanel Quality Assurance Team.

Solution

This issue is resolved in the following builds:

* 11.34.0.10 and greater
* 11.32.5.14 and greater
* 11.30.7.3 and greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/.

Case 60970

Summary

Privilege escalation vulnerabilities due to the use of YAML::Syck for serialization

Security Rating

cPanel has assigned a Security Level of “Important” to this vulnerability.

Description

The Perl YAML::Syck module provides support for serialization and deserialization of data structures using the YAML format. In cPanel & WHM this functionality is used for storing human readable configuration files and some interprocess communication. In some areas the use of YAML crosses privilege separation boundaries.

The version of YAML::Syck used in previous releases of cPanel & WHM allowed serialized data to be blessed into arbitrary packages as it was deserialized. This could be leveraged to perform unsafe actions in object destructors.

This vulnerability was discovered by the cPanel Quality Assurance Team.

Solution

This issue is resolved in the following builds:

* 11.34.0.10 and greater
* 11.32.5.14 and greater
* 11.30.7.3 and greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/.

Case 60203

Summary

Password hashes truncated by 0x80 characters

Security Rating

cPanel has assigned a Security Level of “Moderate” to this vulnerability.

Description

cPanel & WHM relies on the Crypt::Passwd::XS Perl module to perform password hashing. This module suffers from the same vulnerability disclosed in CVE-2012-2143 where passwords with the 0x80 character are truncated when hashed using the DES crypt algorithm. cPanel & WHM systems are configured by default to use the stronger MD5 and SHA512 crypt password hashing algorithms.
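An added audit sketch, not cPanel code, for scoping this issue on a host: it classifies shadow(5)-style hash fields so DES crypt entries stand out, and shows that a 0x80 byte appears in ordinary UTF-8 text. The sample entries are constructed, the function names are hypothetical, and it assumes passwords reach crypt() UTF-8 encoded.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Encode qw(encode);

# Classify the hash field of a shadow(5)-style entry by crypt(3) scheme.
sub crypt_scheme {
    my ($field) = @_;
    ( my $hash = $field ) =~ s/^!+//;    # a leading "!" only marks the entry as locked
    return 'none'   if $hash eq '' || $hash eq '*';
    return 'md5'    if $hash =~ /^\$1\$/;
    return 'sha256' if $hash =~ /^\$5\$/;
    return 'sha512' if $hash =~ /^\$6\$/;
    return 'des'    if $hash =~ m{^[./0-9A-Za-z]{13}$};     # traditional DES crypt
    return 'des'    if $hash =~ m{^_[./0-9A-Za-z]{19}$};    # BSDi extended DES
    return 'other';
}

# True when the password, as UTF-8 bytes (assumption), contains the byte 0x80.
sub has_byte_0x80 {
    my ($password) = @_;
    return index( encode( 'UTF-8', $password ), "\x80" ) >= 0 ? 1 : 0;
}

# Return the account names whose stored hash uses DES crypt.
sub des_accounts {
    return map { $_->[0] }
        grep { crypt_scheme( $_->[1] ) eq 'des' }
        map  { [ split /:/, $_, 3 ] } @_;
}

# Constructed sample entries (placeholder strings, not real hashes).
my @shadow = (
    'alice:$6$saltsalt$CONSTRUCTEDsha512:15680:0:99999:7:::',
    'bob:zzEXAMPLEdes1:15680:0:99999:7:::',
    'carol:!zzEXAMPLEdes2:15680:0:99999:7:::',
    'dave:$1$saltsalt$CONSTRUCTEDmd5:15680:0:99999:7:::',
);

print "DES crypt hashes: ", join( ', ', des_accounts(@shadow) ), "\n";

# U+00C0 encodes to the bytes C3 80 in UTF-8; U+00E9 encodes to C3 A9.
printf "U+00C0 has 0x80: %d, U+00E9 has 0x80: %d\n",
    has_byte_0x80("\x{C0}"), has_byte_0x80("\x{E9}");
```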

This vulnerability was discovered by the cPanel Quality Assurance Team.

Solution

This issue is resolved in the following builds:

* 11.34.0.10 and greater
* 11.32.5.14 and greater
* 11.30.7.3 and greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/.

Case 59926

Summary

Multiple privilege escalation vulnerabilities due to the use of Storable for serialization

Security Rating

cPanel has assigned a Security Level of “Important” to this vulnerability.

Description

The Perl Storable module provides support for serialization and deserialization of Perl data structures. In cPanel & WHM this functionality is used for caching data to disk and transferring data between processes. In many areas this caching and interprocess communication crosses privilege separation boundaries.

The version of Storable used in previous releases of cPanel & WHM was unsuitable for this task for multiple reasons:

1. Serialized data was blessed into arbitrary packages as it was deserialized. This could be leveraged to perform unsafe actions in object destructors.

2. Serialized data was tied into arbitrary packages when it was deserialized. This could be leveraged to perform unsafe actions by tying arbitrary data to sensitive package interfaces.

3. Storable attempted to load code as it deserialized data to create objects where it was lacking an existing class definition. This code loading could be leveraged to bypass normal @INC safety checks or to load security sensitive packages into the process performing the deserialization.
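The blessing behaviour described above for Storable, and in Case 60970 for YAML::Syck, can be observed and switched off as in the following added example (not cPanel code, and not necessarily how cPanel fixed it). It assumes a Storable release that accepts a flags argument to thaw(); `Demo::Cleanup` and `thaw_untrusted` are hypothetical names, and the destructor only counts its own calls.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Storable ();
use Scalar::Util qw(blessed);

# Hypothetical class standing in for any package whose destructor has side effects.
package Demo::Cleanup {
    our $destroyed = 0;
    sub new     { my ( $class, $path ) = @_; return bless { path => $path }, $class }
    sub DESTROY { $destroyed++ }    # harmless here: only counts invocations
}

die "this Storable has no flags support\n" unless Storable->can('BLESS_OK');

# Read serialized data written across a privilege boundary. Passing flags = 0
# clears BLESS_OK and TIE_OK: nothing is blessed and tied containers are refused.
sub thaw_untrusted {
    my ($bytes) = @_;
    my $data = eval { Storable::thaw( $bytes, 0 ) };
    die "rejected serialized data: " . ( $@ || "not a Storable image\n" )
        if !defined $data;
    return $data;
}

# Constructed sample input: a frozen object such as a less-privileged writer could supply.
my $frozen = Storable::freeze( Demo::Cleanup->new('/tmp/example') );

for my $mode ( 'default thaw', 'flags = 0' ) {
    $Demo::Cleanup::destroyed = 0;
    {
        my $data = $mode eq 'flags = 0' ? thaw_untrusted($frozen) : Storable::thaw($frozen);
        printf "%-12s -> %s\n", $mode, blessed($data) // 'plain ' . ref $data;
    }    # $data goes out of scope here; DESTROY runs only if it was blessed
    print "  destructor calls: $Demo::Cleanup::destroyed\n";
}

# Same control for YAML::Syck, if installed: LoadBlessed = 0 loads tagged nodes unblessed.
if ( eval { require YAML::Syck; 1 } ) {
    no warnings 'once';
    my $yaml = YAML::Syck::Dump( Demo::Cleanup->new('/tmp/example') );
    local $YAML::Syck::LoadBlessed = 0;
    my $doc = YAML::Syck::Load($yaml);
    printf "%-12s -> %s\n", 'YAML::Syck', blessed($doc) // 'plain ' . ref $doc;
}
```

Clearing the flags covers the blessing and tying behaviours in items 1 and 2 only; it does not address the code loading described in item 3.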

This vulnerability was discovered by the cPanel Quality Assurance Team.

Solution

This issue is resolved in the following builds:

* 11.34.0.10 and greater
* 11.32.5.14 and greater
* 11.30.7.3 and greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/.


Important Information about Today’s Update

Important information about today’s update for servers that updated between 1pm – 2pm CST

Due to this morning’s security release, we are seeing heavier than normal network traffic, and have made adjustments that will compensate for this traffic. We apologize for excessive communication during this security release; we want every customer to have a good experience with our support and our software. If your server performed the update process between 1pm and 2pm CST, we recommend verifying the version number or re-running the update.

It is also important to note these issues have nothing to do with the security of cPanel software. More information about the cPanel & WHM 11.30 / 11.32 and 11.34 security announcement will be emailed and posted to www.cpanel.net December 6th 2012.

For information regarding our Versions and Release Process, please see attached link.
http://docs.cpanel.net/twiki/bin/view/AllDocumentation/InstallationGuide/CpanelProductVersions


IMPORTANT: 11.34 Security Release, cPanel & WHM

Important: cPanel & WHM 11.34 Security Release

cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system.

cPanel has rated this update as having important security impact. Information on security ratings is available at http://go.cpanel.net/securitylevels.

If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then you are highly encouraged to update your cPanel & WHM installs at your earliest convenience.

Releases

Version 11.34.0.11 of cPanel & WHM addresses all known vulnerabilities. The latest public releases of cPanel & WHM for all update tiers are published at http://httpupdate.cpanel.net.

Security Issue Information

The resolved security issues were identified by various members of the development and quality assurance teams at cPanel. There is no reason to believe that these vulnerabilities are known to the public. As such, cPanel will only release limited information regarding the vulnerabilities.

Once sufficient time has passed to allow cPanel & WHM systems to automatically update their installed software to the new versions, cPanel will release additional information regarding the nature of the security issue. This Targeted Security Release addresses five vulnerabilities. Additional information is scheduled to be released December 6, 2012, via email.

For information regarding our Versions and Release Process, please see attached link.
http://docs.cpanel.net/twiki/bin/view/AllDocumentation/InstallationGuide/CpanelProductVersions


IMPORTANT: 11.32 Security Release, cPanel & WHM

Important: cPanel & WHM 11.32 Security Release

cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system.

cPanel has rated this update as having important security impact. Information on security ratings is available at http://go.cpanel.net/securitylevels.

If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then you are highly encouraged to update your cPanel & WHM installs at your earliest convenience.

Releases

Version 11.32.5.15 of cPanel & WHM addresses all known vulnerabilities. The latest public releases of cPanel & WHM for all update tiers are published at http://httpupdate.cpanel.net.

Security Issue Information

The resolved security issues were identified by various members of the development and quality assurance teams at cPanel. There is no reason to believe that these vulnerabilities are known to the public. As such, cPanel will only release limited information regarding the vulnerabilities.

Once sufficient time has passed to allow cPanel & WHM systems to automatically update their installed software to the new versions, cPanel will release additional information regarding the nature of the security issue. This Targeted Security Release addresses five vulnerabilities. Additional information is scheduled to be released December 6, 2012, via email.

For information regarding our Versions and Release Process, please see attached link.
http://docs.cpanel.net/twiki/bin/view/AllDocumentation/InstallationGuide/CpanelProductVersions


IMPORTANT: 11.30 Security Release, cPanel & WHM

Important: cPanel & WHM 11.30 Security Release

cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system.

cPanel has rated this update as having important security impact. Information on security ratings is available at http://go.cpanel.net/securitylevels.

If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then you are highly encouraged to update your cPanel & WHM installs at your earliest convenience.

Releases

Version 11.30.7.4 of cPanel & WHM addresses all known vulnerabilities. The latest public releases of cPanel & WHM for all update tiers are published at http://httpupdate.cpanel.net.

Security Issue Information

The resolved security issues were identified by various members of the development and quality assurance teams at cPanel. There is no reason to believe that these vulnerabilities are known to the public. As such, cPanel will only release limited information regarding the vulnerabilities.

Once sufficient time has passed to allow cPanel & WHM systems to automatically update their installed software to the new versions, cPanel will release additional information regarding the nature of the security issue. This Targeted Security Release addresses five vulnerabilities. Additional information is scheduled to be released December 6, 2012, via email.

For information regarding our Versions and Release Process, please see attached link.
http://docs.cpanel.net/twiki/bin/view/AllDocumentation/InstallationGuide/CpanelProductVersions
