Multiple vulnerabilities in cPanel
| Risk | Critical |
| Patch available | YES |
| Number of vulnerabilities | 4 |
| CVE-ID | CVE-2017-5613 |
| CWE-ID | CWE-521 CWE-79 CWE-200 CWE-134 |
| Exploitation vector | Network |
| Public exploit | Vulnerability #4 is being exploited in the wild. |
| Vulnerable software |
cPanel Web applications / Remote management & hosting panels |
| Vendor | cPanel, Inc |
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
1) Weak password
EUVDB-ID: #VU4863
Risk: Low
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: N/A
CWE-ID:
CWE-521 - Weak Password Requirements
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain unauthorized access to database.
The Munin monitoring tool includes a plugin to check the status of the MySQL service. This plugin used a dedicated test MySQL user to provide this functionality. The password set for this user was identical to the username. In cPanel’s current configuration of Munin, this MySQL user is no longer required and has been removed.
Successful exploitation of this vulnerability may allow an attacker to gain unauthorized access to MySQL database.
MitigationThis issue is resolved in the following builds:
62.0.4
60.0.35
58.0.43
56.0.43
54.0.36
cPanel: 11.54.0.0 - 11.62.0.2
CPE2.3- cpe:2.3:a:cpanel:cpanel:11.54.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:cpanel:cpanel:11.54.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:cpanel:cpanel:11.54.0.2:*:*:*:*:*:*:*
https://news.cpanel.com/tsr-2017-0001-full-disclosure/ (SEC-196)
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Cross-site scripting
EUVDB-ID: #VU4864
Risk: Low
CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: N/A
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionVulnerability allows a remote authenticated attacker to perform XSS attacks.
The vulnerability is caused by an input validation error in reset password interfaces. A remote authenticated attacker can trick the victim to follow a specially specially crafted link and execute arbitrary HTML and script code in victim's browser in security context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Additionally, several self-XSS vulnerabilities were also patched.
This issue is resolved in the following builds:
62.0.4
60.0.35
58.0.43
56.0.43
54.0.36
cPanel: 11.54.0.0 - 11.62.0.2
CPE2.3- cpe:2.3:a:cpanel:cpanel:11.54.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:cpanel:cpanel:11.54.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:cpanel:cpanel:11.54.0.2:*:*:*:*:*:*:*
https://news.cpanel.com/tsr-2017-0001-full-disclosure/ (SEC-198)
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Arbitrary file disclosure
EUVDB-ID: #VU4873
Risk: Low
CVSSv4.0: 3.8 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U/U:Clear]
CVE-ID: N/A
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to read arbitrary files on the system.
The vulnerability exists due to an error when processing valiases for users. A remote authenticated user can create valias, which includes other files, and read them with privileges of Exim system user.
Successful exploitation of the vulnerability may allow an attacker to read arbitrary files on the system.
MitigationThis issue is resolved in the following builds:
62.0.4
60.0.35
58.0.43
cPanel: 11.58.0.3 - 11.62.0.2
CPE2.3- cpe:2.3:a:cpanel:cpanel:11.58.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:cpanel:cpanel:11.58.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:cpanel:cpanel:11.58.0.5:*:*:*:*:*:*:*
https://news.cpanel.com/tsr-2017-0001-full-disclosure/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Format string vulnerability
EUVDB-ID: #VU6353
Risk: Critical
CVSSv4.0: 9.4 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/U:Red]
CVE-ID: CVE-2017-5613
CWE-ID:
CWE-134 - Use of Externally-Controlled Format String
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a format string error within cgiemail and cgiecho binaries when processing template files. A remote authenticated attacker can create a specially crafted file, containing form string specifiers and execute arbitrary code on the target system.
Successful exploitation may allow an attacker to compromise vulnerable system.
Note: this vulnerability has been exploited in the wild and was disclosed by the Shadow Brokers leak. The exploit is known as ElegantEagle.
MitigationThe vulnerability is fixed in the following versions: 54.0.36, 56.0.43, 58.0.43, and 60.0.35.
cPanel: 11.54.0.0 - 11.60.0.34
CPE2.3- cpe:2.3:a:cpanel:cpanel:11.54.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:cpanel:cpanel:11.54.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:cpanel:cpanel:11.54.0.2:*:*:*:*:*:*:*
https://news.cpanel.com/tsr-2017-0001-full-disclosure/
https://news.cpanel.com/cpanel-security-team-cgiemail-cve-2017-5613/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.
