
cPanel Exploit Vulnerability - 20230510003

Overview

The WA SOC has observed a vulnerability in cPanel that could allow a malicious actor to perform remote code execution against any user who is served, and clicks, a malicious link from one of these vulnerable systems.

What is the vulnerability?

  • CVE-2023-29489 - Beef up filter checking for invalid webmail forwarders - CVSS v3 Base Score: 5.3

  • CVE-2023-29489 - Escape HTML message in cpsrvd's error page - CVSS v3 Base Score: 6.1

What is vulnerable?

The vulnerability affects the following products:

  • All cPanel builds prior to 11.102.0.31
  • cPanel builds 11.102.0.32 - 11.106.0.17
  • cPanel builds 11.102.0.19 - 11.108.0.12
  • cPanel builds 11.108.0.14 - 11.109.9999.115

Recommendation

The WA SOC recommends administrators upgrade to any of the following versions or later:

  • Build 11.109.9999.116

  • Build 11.108.0.13

  • Build 11.106.0.18

  • Build 11.102.0.31

  • Beef up filter checking for invalid webmail forwarders:

      • Putting backslashes before and after forbidden webmail forwarder words (such as include) allows them to pass the filter. It is recommended to improve any filters to catch this.

  • Escape HTML message in cpsrvd's error page:

      • An invalid webcall ID can contain cross-site scripting content and needs to be escaped when displayed on the error page for cpsrvd. Escaping the HTML message in the error page prevents cross-site scripting from this source as well as from any other source that makes it onto the error page.
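The escaping fix described in the last item, shown as an added example in Python. This is not cPanel's code: cpsrvd's template and message wording do not appear in this advisory, so `ERROR_PAGE`, the function names and the sample ID below are constructed for illustration.

```python
import html
from string import Template

# Hypothetical error-page template (assumption: the real cpsrvd template
# is not shown in the advisory).
ERROR_PAGE = Template(
    "<html><head><title>$status</title></head>"
    "<body><h1>$status</h1><p>$message</p></body></html>"
)


def invalid_webcall_message(webcall_id: str) -> str:
    """Build the error text for a rejected ID (wording is an assumption)."""
    return f"Invalid webcall ID: {webcall_id}"


def render_error_unescaped(status: str, message: str) -> str:
    """'Before' form: the message is placed into the HTML as-is, so any
    markup inside the rejected ID becomes part of the page."""
    return ERROR_PAGE.substitute(status=status, message=message)


def render_error_escaped(status: str, message: str) -> str:
    """'After' form: every interpolated value is escaped at the point of
    output, so the result is the same whichever request field the text
    came from."""
    return ERROR_PAGE.substitute(
        status=html.escape(status, quote=True),
        message=html.escape(message, quote=True),
    )


# Constructed sample: an ID that carries markup instead of an identifier.
SAMPLE_ID = "<script>alert(1)</script>"

if __name__ == "__main__":
    msg = invalid_webcall_message(SAMPLE_ID)
    print(render_error_unescaped("400 Bad Request", msg))
    print(render_error_escaped("400 Bad Request", msg))
```

Escaping inside the renderer, rather than where the webcall ID is parsed, is what covers "any other source that makes it onto the error page".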
