(Dec 6) Updated bind packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having [More…]
Comment
(Dec 7) Updated mysql packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having [More…]
Case 62230
Dec07
Case 62230
Summary
Shell code injection via translatable phrases in Cpanel::Locale
Security Rating
cPanel has assigned a Security Level of “Important” to this vulnerability.
Description
The Cpanel::Locale module wraps around Perl’s Locale::Maketext module and extends it to provide additional Maketext tags and functionality. Locale::Maketext is used to render translatable phrases into a user’s chosen locale. cPanel & WHM uses this module to display all translatable phrases in the cPanel, WHM and Webmail interfaces.
The version of Cpanel::Locale used in previous releases of cPanel & WHM included two date formatting functions that passed unsanitized userinput to a subprocess shell. An authenticated attacker could use this functionality to execute arbitrary shell commands on the local system bypassing normal restrictions on local code execution.
This vulnerability was discovered by the cPanel Quality Assurance Team.
Solution
This issue is resolved in the following builds:
* 11.34.0.10 and greater
* 11.32.5.14 and greater
* 11.30.7.3 and greater
Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/.
Important: New Information about cPanel & WHM 11.30, 11.32, and 11.34 Updates Now Available
Summary:
cPanel & WHM 11.30.7.4; 11.32.5.15; 11.34.0.11, which fixes multiple security issues, is now available for download.
cPanel has rated these updates as having important security impact. Information on security ratings is available at http://go.cpanel.net/securitylevels.
Description:
The Perl Storable module provides support for serialization and deserialization of Perl data structures. In cPanel & WHM this functionality is used for caching data to disk and transferring data between processes. In many areas this caching and interprocess communication crosses privilege separation boundaries. A local malicious user could use this behavior to inject code into serialized data structures, thus allowing for code execution and possibility of privilege escalation.
The Perl YAML::Syck module provides similar functionality as the Storable module. The version of YAML::Syck used in previous releases of cPanel & WHM allowed serialized data to be blessed into arbitrary packages as it was deserialized. This could be leveraged to perform unsafe actions in object destructors.
The version of Locale::Maketext used in previous releases of cPanel & WHM suffered from two flaws in the _compile() function which allowed authenticated users to execute arbitrary code by supplying specially crafted translatable phrases.
cPanel & WHM relies on the Crypt::Passwd::XS Perl module to perform password hashing. This module suffers from the same vulnerability disclosed in CVE-2012-2143 where passwords with the 0×80 character are truncated when hashed using the DES crypt algorithm. cPanel & WHM systems are configured by default to use the stronger MD5 and SHA512 crypt password hashing algorithms.
The version of Cpanel::Locale used in previous releases of cPanel & WHM included two date formatting functions that passed unsanitized user input to a subprocess shell. An authenticated attacker could use this functionality to execute arbitrary shell commands on the local system bypassing normal restrictions on local code execution.
These issues were discovered by various members of the Development and Quality Assurance teams at cPanel.
Solution:
We recommend updating your cPanel & WHM system as follows;
Update cPanel & WHM 11.30 to 11.30.7.3 or newer.
Update cPanel & WHM 11.32 to 11.32.5.14 or newer.
Update cPanel & WHM 11.34 to 11.34.0.10 or newer.
To check which version of cPanel you have, go to http://docs.cpanel.net/twiki/bin/view/AllDocumentation/MyVersion
A full listing of published versions can always be found at http://httpupdate.cpanel.net/.
References:
Case 59926 Multiple privilege escalation vulnerabilities due to the use of Storable for serialization http://cpanel.net/case-59926/
Case 60203 Password hashes truncated by 0×80 characters
http://cpanel.net/case-60203/
Case 60970 Privilege escalation vulnerabilities due to the use of YAML::Syck for serialization
http://cpanel.net/case-60970/
Case 61251 Arbitrary code execution via translatable phrases due to the use of Locale::Maketext
http://cpanel.net/case-61251/
Case 62230 Shell code injection via translatable phrases in Cpanel::Locale http://cpanel.net/case-62230/
The following new functionality has been added:
[+] (Windows only) SmarterStats 7 support has been added.
The following bug has been fixed:
[-] (Windows only) open_basedir still operates after switching to ‘none’ (100496, 100497)
[-] If email has several recipients and one of them has full mailbox then email will not be delivered to anyone. Now the email is delivered to all recipients whose mailboxes quota is not exceeded, even if one of the recipients mailbox is full (92530)