TSR-2013-0008 Disclosure

The following disclosure covers the TSR-2013-008, the Targeted Security
Release published on July 15th, 2013. Each vulnerability is assigned an
internal case number which is reflected below. Information regarding
the cPanel Security Level rankings can be found here:
http://go.cpanel.net/securitylevels

Case 71121

Summary

The Squirrelmail Webmail session file contained plain text passwords.

Security Rating

cPanel has assigned a Security Level of Minor to this vulnerability.

Description

cPanel includes the SquirrelMail Webmail suite as one option for
Webmail accounts to access their email using a web browser. The
included copy of SquirrelMail stored the password used to authenticate
in a cleartext format in its session files. The session files are
stored in the /tmp/ directory with with 0600 (rw——-) permissions,
limiting access to the plaintext passwords to the system user account.

Credits

This issue was discovered by Alex Kwiecinski of the Liquid Web Security
Team.

Solution

This issue is resolved in the following builds:
* 11.39.0.5 & Greater
* 11.38.1.13 & Greater
* 11.36.1.15 & Greater
* 11.34.1.25 & Greater
* 11.32.6.17 & Greater

Please update your cPanel & WHM system to one of the aforementioned
versions or the latest public release available. A full listing of
published versions can always be found at
http://httpupdate.cpanel.net/.

Case 72157

Summary

Arbitrary File Modification vulnerability when suspending an account.

Security Rating

cPanel has assigned a Security Level of Important to this
vulnerability.

Description

cPanel & WHM includes functionality to automatically suspend cPanel
accounts that consume more than their allotted limits of disk and
bandwidth resources. The account suspension process makes several
changes inside the suspended user account’s home directory. It was
discovered that manipulations of virtual account password files that
are stored inside the user’s home directory were performed with the
effective permissions of the root user and without sufficient
protections against tampering. This allowed a local attacker whose
account was being suspended to manipulate sensitive files outside of
their home directory.

Credits

This issue was discovered by Rack911.

Solution

This issue is resolved in the following builds:
* 11.39.0.5 & Greater
* 11.38.1.13 & Greater
* 11.36.1.15 & Greater
* 11.34.1.25 & Greater
* 11.32.6.17 & Greater

Please update your cPanel & WHM system to one of the aforementioned
versions or the latest public release available. A full listing of
published versions can always be found at http://httpupdate.cpanel.net/.

Case 71573

Summary

A reseller account with clustering privileges can modify any DNS zone
on the system.

Security Rating

cPanel has assigned a Security Level of Important to this vulnerability

Description

cPanel & WHM includes a DNS clustering system called DNSAdmin that
allows DNS changes to propagate beyond the local system. This system
functions through specific URLs inside WHM that are accessible only to
reseller accounts with the “clustering” privilege. The URLs in cpsrvd
that handle DNSAdmin cluster requests were not enforcing local zone
ownership correctly, allowing a malicious reseller with the clustering
privilege to send updates for DNS zones that did not belong to his
accounts.

Credits

This issue was discovered by Rack911.

Solution

This issue is resolved in the following builds:
* 11.39.0.5 & Greater
* 11.38.1.13 & Greater
* 11.36.1.15 & Greater
* 11.34.1.25 & Greater
* 11.32.6.17 & Greater

Please update your cPanel & WHM system to one of the aforementioned
versions or the latest public release available. A full listing of
published versions can always be found at http://httpupdate.cpanel.net/.

Case 71625

Summary

A reseller account with park-dns privileges can take control of any
domain on the system.

Security Rating

cPanel has assigned a Security Level of Important to this vulnerability

Description

WHM allows resellers with the “park-dns” ACL to assign ownership of a
parked domain from one cPanel account to another. This functionality
was not checking that the domain being reassigned belonged to an
account the reseller controlled. A malicious reseller account with the
“park-dns” ACL could use this flaw to take control of any other domains
on the system.

Credits

This issue was discovered by Rack911.

Solution

This issue is resolved in the following builds:
* 11.39.0.5 & Greater
* 11.38.1.13 & Greater
* 11.36.1.15 & Greater
* 11.34.1.25 & Greater
* 11.32.6.17 & Greater

Please update your cPanel & WHM system to one of the aforementioned
versions or the latest public release available. A full listing of
published versions can always be found at http://httpupdate.cpanel.net/

Case 71577

Summary

The Purchase and Install an SSL Certificate (Trustwave) feature does
not drop privileges during certificate file creation.

Security Rating

cPanel has assigned a Security Level of Important to this vulnerability

Description

The WHM “Purchase and Install an SSL Certificate” page allows reseller
accounts with the “ssl” or “ssl-buy” ACLs to purchase SSL certificates
from Trustwave for installation on the local system. This interface
failed to drop privileges before creating a file in the reseller’s home
directory, allowing malicious resellers with appropriate ACLs to
overwrite arbitrary files on the system.

Credits

This issue was discovered by Rack911.

Solution

This issue is resolved in the following builds:
* 11.39.0.5 & Greater
* 11.38.1.13 & Greater
* 11.36.1.15 & Greater
* 11.34.1.25 & Greater
* 11.32.6.17 & Greater

Please update your cPanel & WHM system to one of the aforementioned
versions or the latest public release available. A full listing of
published versions can always be found at http://httpupdate.cpanel.net/

For a PGP signed version, please go here.

Posted in: News, Security | Tagged: , , , , , ,