(Oct 15) Security Report Summary
Archive for October, 2014
Case 109049 Summary Arbitrary file overwrite in /scripts/synccpaddonswithsqlhost. Security Rating cPanel has assigned a Security Level of Important to this vulnerability. Description The synccpaddonswithsqlhost script performed unsafe file operations inside the home directories of unprivileged users while running with root’s permissions. By manipulating symbolic links within the .cpaddons sub-directory, a …
All versions of Enkompass reached EOL in February 2014. Effective immediately, Enkompass will no longer be available for download, licensing, or indirect support. In accordance with our EOL policy [http://go.cpanel.net/eol], Enkompass will continue to function on servers after it reaches EOL. However, we will not provide further updates (for example, …
(Oct 14) Security Report Summary
Ubuntu: 2373-1: Thunderbird vulnerabilities
(Oct 15) Several security issues were fixed in Thunderbird.
(Oct 15) Several security issues were fixed in MySQL.
Red Hat: 2014:1654-01: rsyslog7: Important Advisory
(Oct 16) Updated rsyslog7 packages that fix one security issue are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Important security [More…]
Red Hat: 2014:1655-01: libxml2: Moderate Advisory
(Oct 16) Updated libxml2 packages that fix one security issue are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Moderate security [More…]
(Oct 16) Security Report Summary
EasyApache to Install Apache 2.4 in Basic Profile – 60 Day Notice
In approximately 60 days, the Basic profile in EasyApache will build Apache 2.4 by default. This change will not alter existing EasyApache profiles that build Apache 2.2. If you plan to update from an existing Apache 2.2 installation to Apache 2.4, we strongly recommend that you build in a test …
(Oct 16) Security Report Summary
Ubuntu: 2385-1: OpenSSL vulnerabilities
(Oct 16) Several security issues were fixed in OpenSSL.
Ubuntu: 2386-1: OpenJDK 6 vulnerabilities
(Oct 16) Several security issues were fixed in OpenJDK 6.
Red Hat: 2014:1657-01: java-1.7.0-oracle: Critical Advisory
(Oct 16) Updated java-1.7.0-oracle packages that fix several security issues are now available for Oracle Java for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Critical security [More…]
Red Hat: 2014:1658-01: java-1.6.0-sun: Important Advisory
(Oct 16) Updated java-1.6.0-sun packages that fix several security issues are now available for Oracle Java for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Important security [More…]
[Product Update] Parallels Plesk Panel 12.0.18 MU#20
Release Notes
Parallels is pleased to introduce the update #20 for the version 12.0.18 of Parallels Plesk.
The 12.0.18 update #20 is recommended for all Plesk users. It includes resolution of the issues related to the stability, compatibility, and security of your server.
To ensure optimal server reliability and security, Parallels strongly recommends keeping your operating system and Plesk software up-to-date.
What’s Changed
The following issues were resolved:
[-] (Windows) Plesk reconfigurator could not find the utilities for repairing Plesk services on 64-bit Windows installations. (PPPM-2146)
[-] (Windows) Incorrect ASP.NET version was shown to Plesk users who did not have privileges to manage hosting settings. (PPPM-2153)
[-] (Windows) Applications that required ASP.NET could not be installed if the ASP.NET version supported by a hosting account did not satisfy the application’s requirements. (PPPM-2154)
Legend:
[+] – Added
[-] – Issue resolved
[*] – Improved
Installation Instructions
- #9294: Using Micro-Updates in Parallels Plesk Panel
[Security] [Plesk] CVE-2014-3566: POODLE attack exploiting SSL 3.0 fallback
Information
The CVE-2014-3566 vulnerability in the SSLv3 protocol was identified by the Google security team. There is an additional whitepaper available from OpenSSL that also describes this vulnerability.
You can check if you are vulnerable using the following script as an
    # wget http://kb.sp.parallels.com/Attachments/kcs-40007/poodle.sh
    # chmod +x poodle.sh
    # for i in `echo 21 587 443 465 7081 8443 993 995 `; do /bin/sh /root/poodle.sh <IP> $i; done
Resolution
The attack described above requires an SSL 3.0 connection to be established, so disabling the SSL 3.0 protocol in the client or in the server (or both) will deflect a potential attack.
You may use special scripts below to disable SSLv3 for all the services:
- for Linux – disables SSLv3 in Apache, nginx, proftpd, courier-imap, qmail, postfix, dovecot and the Plesk server engine (for versions 11.5 and later).
- for Windows – disables SSLv3 server-wide.
See instructions below to disable SSLv3 per service.
Apache HTTPD Server
If you’re running Apache, include the following line in your configuration file /etc/httpd/conf/httpd.conf among the other SSL directives:
    SSLProtocol All -SSLv2 -SSLv3
And restart the server, e.g.
    sudo service apache2 restart
Nginx server
If you’re running Nginx, just include the following line in your configuration among the other SSL directives:
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
Additionally, for all sites in Plesk 11.5 for Linux:
    # sed -i 's/ssl_protocols SSLv2 SSLv3 TLSv1;/ssl_protocols TLSv1 TLSv1.1 TLSv1.2;/g' /usr/local/psa/admin/conf/templates/default/nginxWebmailPartial.php
    # sed -i 's/ssl_protocols SSLv2 SSLv3 TLSv1;/ssl_protocols TLSv1 TLSv1.1 TLSv1.2;/g' /usr/local/psa/admin/conf/templates/default/nginxDomainVirtualHost.php
    # sed -i 's/ssl_protocols SSLv2 SSLv3 TLSv1;/ssl_protocols TLSv1 TLSv1.1 TLSv1.2;/g' /usr/local/psa/admin/conf/templates/default/nginxVhosts.php
and sites in Plesk 12.0 for Linux:
{!{code}!}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{!{/code}!}
And reconfigure Apache:
    # /usr/local/psa/admin/bin/httpdmng --reconfigure-all
For all sites in Plesk 10.4 and 11.0.9 for Linux, add the following line to the Apache configuration file /etc/httpd/conf/httpd.conf:
    SSLProtocol All -SSLv2 -SSLv3
and restart Apache:
    # /etc/init.d/httpd restart
Reference: Nginx documentation
Dovecot IMAP/POP3 server
Include the following line in /etc/dovecot/dovecot.conf:
    ssl_protocols = !SSLv2 !SSLv3
Restart service:
    sudo service dovecot restart
Courier IMAP
Edit the following files:
/etc/courier-imap/pop3d-ssl
/etc/courier-imap/imapd-ssl
Add the following string:
    TLS_CIPHER_LIST="ALL:!SSLv2:!SSLv3:!ADH:!NULL:!EXPORT:!DES:!LOW:@STRENGTH"
Or just modify the existing one and add !SSLv3 to the cipher list.
Restart services:
    sudo service courier-imaps restart
    sudo service courier-pop3s restart
Postfix SMTP
For ‘opportunistic SSL’ (encryption policy not enforced and plain is acceptable too), you don’t need to change anything. Even SSLv2 is better than plain, so if you need to secure your server you should be using ‘mandatory SSL’ mode anyway.
If ‘mandatory SSL’ mode is already configured, just add or change the smtpd_tls_mandatory_protocols setting. Add the following line to the /etc/postfix/main.cf file:
    smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
and restart Postfix:
    sudo service postfix restart
You can verify that SSLv3 is disabled by using the following command:
    openssl s_client -connect localhost:465 -ssl3
If you are not vulnerable (SSLv3 disabled), your output should look something like this:
    CONNECTED(00000003)
    139808606107464:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1257:SSL alert number 40
    139808606107464:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
If you are vulnerable, you should see normal connection output, including the line:
    CONNECTED(00000003)
    220 mail.example.com ESMTP Postfix
    DONE
Microsoft Internet Information Services
Official Microsoft knowledge base article about disabling a particular protocol in IIS:
How to disable PCT 1.0, SSL 2.0, SSL 3.0, or TLS 1.0 in Internet Information Services
Microsoft Windows Server stores information about the different security-enhanced channel protocols that Windows Server supports. This information is stored in the registry key.
- Click Start, click Run, type regedt32 or type regedit, and then click OK.
- In Registry Editor, locate the following registry key:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server
- On the Edit menu, click Add Value.
- In the Data Type list, click DWORD.
- In the Value Name box, type Enabled, and then click OK. Note: If this value is present, double-click the value to edit its current value.
- Type 00000000 in Binary Editor to set the value of the new key equal to “0”.
- Click OK. Restart the computer.
As Plesk uses the same SSL engine, the sw-cp-server service should also be configured to protect against this SSL vulnerability.
Plesk 11.5 and later
Edit ‘/etc/sw-cp-server/config’ and add:
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
Restart:
    sudo service sw-cp-server restart
Plesk 11.0
Edit /usr/local/psa/admin/conf/ssl-conf.sh and add the line echo 'ssl.use-sslv3 = "disable"' after the echo 'ssl.use-sslv2 = "disable"' directive, so that it looks like this:
    echo 'ssl.engine = "enable"'
    echo 'ssl.use-sslv2 = "disable"'
    echo 'ssl.use-sslv3 = "disable"'
Restart:
    sudo service sw-cp-server restart
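As an added example (this is not code from the Parallels article), the following Python script checks the directives described above for Apache, nginx and sw-cp-server, Dovecot, Courier and Postfix, and reports whether each service's configuration still permits SSLv3. It works on configuration text passed in as strings, so it can be pointed at live files, backups or the Plesk templates; the excerpts at the bottom are constructed samples, and the "last directive wins" rule is a simplification, since Apache and nginx can set these per virtual host.

```python
import re
from typing import Optional

# Added example: per-service audit of the SSLv3-related directives. Each check
# returns True when SSLv3 is still allowed. Defaults for an absent directive
# follow the behaviour of the 2014-era releases the article targets.


def _last_directive(text: str, name: str) -> Optional[str]:
    """Value of the last non-comment `name` line, with optional '=' and trailing ';' removed."""
    pattern = re.compile(rf"^{re.escape(name)}\b\s*=?\s*(.*?)\s*;?\s*$", re.IGNORECASE)
    value = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        m = pattern.match(line)
        if m:
            value = m.group(1)
    return value


def apache_allows_sslv3(text: str) -> bool:
    """mod_ssl: 'SSLProtocol All -SSLv2 -SSLv3' disables it; no directive means 'all'."""
    value = _last_directive(text, "SSLProtocol")
    if value is None:
        return True
    tokens = [t.lower() for t in value.split()]
    if "-sslv3" in tokens:
        return False
    return any(t in ("all", "+all", "sslv3", "+sslv3") for t in tokens)


def nginx_allows_sslv3(text: str) -> bool:
    """nginx (and Plesk's nginx-based sw-cp-server): SSLv3 is allowed only if listed.
    An absent directive is treated as allowing it, matching nginx releases of that
    era (SSLv3 was only removed from the default list in nginx 1.9.1)."""
    value = _last_directive(text, "ssl_protocols")
    return value is None or "sslv3" in value.lower().split()


def dovecot_allows_sslv3(text: str) -> bool:
    """Dovecot: 'ssl_protocols = !SSLv2 !SSLv3' excludes it; absent means the old '!SSLv2' default."""
    value = _last_directive(text, "ssl_protocols")
    return value is None or "!sslv3" not in value.lower().split()


def courier_allows_sslv3(text: str) -> bool:
    """Courier: a '!SSLv3' element in TLS_CIPHER_LIST removes every SSLv3 cipher."""
    value = _last_directive(text, "TLS_CIPHER_LIST")
    if value is None:
        return True
    return "!sslv3" not in value.strip('"').lower().split(":")


def postfix_mandatory_allows_sslv3(text: str) -> bool:
    """Postfix mandatory-TLS mode: exclusion list ('!SSLv2,!SSLv3') or positive list."""
    value = _last_directive(text, "smtpd_tls_mandatory_protocols")
    if value is None:
        return True  # the default at the time was '!SSLv2', leaving SSLv3 on
    tokens = [t.lower() for t in re.split(r"[,\s]+", value) if t]
    if "!sslv3" in tokens:
        return False
    if any(t.startswith("!") for t in tokens):
        return True  # exclusion list that does not mention SSLv3
    return "sslv3" in tokens  # positive list: only what is named is allowed


CHECKS = {
    "apache": apache_allows_sslv3,
    "nginx": nginx_allows_sslv3,
    "sw-cp-server": nginx_allows_sslv3,
    "dovecot": dovecot_allows_sslv3,
    "courier": courier_allows_sslv3,
    "postfix": postfix_mandatory_allows_sslv3,
}


def audit(service: str, text: str) -> str:
    """Return 'SSLv3 ALLOWED' or 'SSLv3 disabled' for one service's configuration text."""
    return "SSLv3 ALLOWED" if CHECKS[service](text) else "SSLv3 disabled"


# Constructed excerpts: 'before' is what a typical pre-POODLE install had,
# 'after' is the directive the article says to set.
SAMPLES = {
    "apache": ("SSLEngine on\nSSLProtocol All -SSLv2\n",
               "SSLEngine on\n# SSLProtocol All -SSLv2\nSSLProtocol All -SSLv2 -SSLv3\n"),
    "nginx": ("    ssl_protocols SSLv2 SSLv3 TLSv1;\n",
              "    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n"),
    "sw-cp-server": ("", " ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n"),
    "dovecot": ("ssl_protocols = !SSLv2\n", "ssl_protocols = !SSLv2 !SSLv3\n"),
    "courier": ('TLS_CIPHER_LIST="ALL:!SSLv2:!ADH:!NULL:!EXPORT:!DES:!LOW:@STRENGTH"\n',
                'TLS_CIPHER_LIST="ALL:!SSLv2:!SSLv3:!ADH:!NULL:!EXPORT:!DES:!LOW:@STRENGTH"\n'),
    "postfix": ("smtpd_tls_mandatory_protocols=!SSLv2\n",
                "smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3\n"),
}

if __name__ == "__main__":
    for service, (before, after) in SAMPLES.items():
        print(f"{service:13} before: {audit(service, before):15} after: {audit(service, after)}")
```

To audit a real server, read each file into a string and call audit() with the matching service name; the Postfix check only covers the mandatory-TLS setting because, as the article notes, opportunistic mode needs no change.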
97% of SSL web servers are likely to be vulnerable to POODLE, a vulnerability that can be exploited in version 3 of the SSL protocol. POODLE, in common with BEAST, allows a man-in-the-middle attacker to extract secrets from SSL sessions by forcing the victim’s browser into making many thousands of similar requests. As a result […]
[Security] [HUB] POODLE attack exploiting SSL 3.0 fallback
Information
A CVE-2014-3566 vulnerability in SSLv3 protocol was identified by the Google security team. There is an additional whitepaper available from OpenSSL that also describes this vulnerability.
You can check if your website is vulnerable with curl:
    curl -v3 -X HEAD https://www.example.com
If you are NOT vulnerable, your output should look something like this:
    curl: (35) SSL connect error
If you ARE vulnerable, you will see normal connection outputs, potentially including the line:
    SSL 3.0 connection using ...
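Both the openssl s_client -ssl3 check in the Plesk article and the curl -3 check here depend on the client's own library still supporting SSLv3, which current OpenSSL builds do not, so a "handshake failure" or "SSL connect error" on an up-to-date admin host can mean either outcome. As an added example (not part of either article), this Python script sends a raw SSLv3 ClientHello itself and classifies the first record the server returns; host and ports are command-line arguments, and the responses used in the test are constructed. It covers implicit-TLS ports only (443, 465, 993, 995, 8443); STARTTLS ports such as 21 and 587 would first need the protocol's STARTTLS command, which is not implemented.

```python
import os
import socket
import struct
import sys

# Added example: raw SSLv3 ClientHello probe for verifying that SSLv3 is off.
SSLV3_VERSION = b"\x03\x00"
CONTENT_ALERT = 0x15
CONTENT_HANDSHAKE = 0x16
HANDSHAKE_CLIENT_HELLO = 0x01
HANDSHAKE_SERVER_HELLO = 0x02
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version", 80: "internal_error"}

# Cipher suites an SSLv3-era client commonly offered (IANA values:
# RSA with AES-128-CBC-SHA, AES-256-CBC-SHA, 3DES-EDE-CBC-SHA, RC4-128-SHA).
DEFAULT_CIPHER_SUITES = (0x002F, 0x0035, 0x000A, 0x0005)


def build_sslv3_client_hello(cipher_suites=DEFAULT_CIPHER_SUITES, random_bytes=None) -> bytes:
    """One SSLv3 record (type 22, version 3.0) carrying a ClientHello; SSLv3 has no extensions."""
    random_bytes = os.urandom(32) if random_bytes is None else random_bytes
    if len(random_bytes) != 32:
        raise ValueError("ClientHello random must be exactly 32 bytes")
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (
        SSLV3_VERSION                               # client_version = 3.0
        + random_bytes                              # 32-byte random
        + b"\x00"                                   # session_id length = 0
        + struct.pack("!H", len(suites)) + suites   # cipher_suites vector
        + b"\x01\x00"                               # compression_methods: [null]
    )
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([CONTENT_HANDSHAKE]) + SSLV3_VERSION + struct.pack("!H", len(handshake)) + handshake


def classify_server_response(data: bytes) -> str:
    """Classify the first bytes a server sends back after the SSLv3 ClientHello."""
    if len(data) < 5:
        return "no-response"  # closed or silent: SSLv3 was not negotiated
    content_type = data[0]
    if content_type == CONTENT_ALERT:
        if len(data) < 7:
            return "unrecognised"
        level = "fatal" if data[5] == 2 else "warning"
        return f"sslv3-rejected({level} {ALERT_NAMES.get(data[6], 'alert-' + str(data[6]))})"
    if content_type == CONTENT_HANDSHAKE and len(data) >= 11 and data[5] == HANDSHAKE_SERVER_HELLO:
        major, minor = data[9], data[10]  # server_version inside the ServerHello body
        return "sslv3-accepted" if (major, minor) == (3, 0) else f"negotiated-version-{major}.{minor}"
    return "unrecognised"  # e.g. a plaintext SMTP/FTP banner on a STARTTLS port


def probe_sslv3(host: str, port: int, timeout: float = 5.0) -> str:
    """Connect, send the ClientHello, and classify the reply (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except socket.timeout:
            return "no-response"
    return classify_server_response(data)


if __name__ == "__main__":
    # Usage: python3 sslv3_probe.py <host> [<port> ...]   (default port 443)
    host, ports = sys.argv[1], [int(p) for p in sys.argv[2:]] or [443]
    for port in ports:
        print(f"{host}:{port} -> {probe_sslv3(host, port)}")
```

Run it against your own server after applying the changes: "sslv3-rejected(fatal handshake_failure)" or "no-response" corresponds to the "not vulnerable" output shown above, while "sslv3-accepted" means the server still negotiated SSL 3.0.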
Resolution
Although the likelihood of this vulnerability being exploited is quite low, the simplest mitigation is to disable SSL 3.0; this obsolete protocol version is kept only for compatibility and is not required by Parallels products.
For specific Parallels products, here is the list of articles which you may refer to:
Oracle Critical Patch Update Advisory – October 2014
Ubuntu: 2378-1: Linux kernel (Trusty HWE) vulnerabilities
(Oct 9) Several security issues were fixed in the kernel.
(Oct 5) Security Report Summary
(Oct 4) Security Report Summary
Red Hat: 2014:1352-01: libvirt: Moderate Advisory
(Oct 1) Updated libvirt packages that fix two security issues and one bug are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security [More…]
Red Hat: 2014:1359-01: polkit-qt: Important Advisory
(Oct 6) Updated polkit-qt packages that fix one security issue are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Important security [More…]
cPanel Security Team: Bash CVE-2014-6217 and CVE-2014-7169
CVE-2014-6217 is a critical vulnerability in all versions of GNU Bash, the Bourne Again Shell. This vulnerability allows an attacker to execute arbitrary shell commands any time a Bash shell executes with environment variables supplied by the attacker. On cPanel & WHM systems, there are numerous entry …
cPanel & WHM software version 11.40 will reach End of Life at the end of October 2014. In accordance with our EOL policy [http://go.cpanel.net/longtermsupport], 11.40 will continue functioning on servers after reaching EOL. However, no further updates, such as security fixes and installations, will be provided for 11.40 once it …
MySQL :: MySQL Enterprise Monitor 2.3.18 :: H.14 Changes in MySQL Enterprise Monitor 2.3.5 (2011-07-01)
(Oct 9) Several security issues were fixed in Bash.
Ubuntu: 2381-1: Rsyslog vulnerabilities
(Oct 9) Rsyslog could be made to crash if it received specially crafted input.