

cPanel - Reset Root SSH Key Vulnerability




Posted by Patrick, 05-13-2013, 12:26 PM
Product Description: cPanel is an easy-to-use control panel that gives web hosts and the website owners they serve, the ability to quickly and easily manage their servers and websites. Web Host Manager (WHM) is a part of the cPanel software, often used by resellers and system administrators.

Vulnerability Description: WHM fails to restrict access to the Root SSH Key manager and allows a malicious user to generate a new key under /root/.ssh/ and overwrite an existing key if the file name is known or if .id_dsa is used by default.

Proof of Concept: Due to the severity of this vulnerability, we will be releasing a POC after ample time has passed to allow affected users time to update.

Impact: We have deemed this vulnerability to be rated as MEDIUM due to the fact that private keys under /root/.ssh/ can be overwritten. Right now it is not possible to use a private key generated by this exploit to gain access.

Vulnerable Version: This vulnerability was tested against cPanel (WHM) v11.36.1.5.

Fixed Version: This vulnerability was patched in version 11.38.0.7 or possibly a few builds earlier, we're not sure since cPanel stopped communicating with us regarding the matter and decided to silently fix. All users are urged to upgrade as soon as possible.

Vendor Contact Timeline:
2013-05-04: Vendor contacted via email.
2013-05-06: Vendor confirms vulnerability.
2013-05-10: Vendor issues v11.38.0.7 update.
2013-05-13: Rack911 issues security advisory.

Posted by Mohammed H, 05-13-2013, 12:43 PM
Thanks for the notification.
Last edited by Mohammed H; 05-13-2013 at 12:54 PM. Reason: typo

Posted by bune, 05-13-2013, 04:49 PM
That's wonderful news. If cPanel has fixed it in its newer version, it could save some time from manual fixes.

Posted by CodyRo, 05-13-2013, 05:41 PM
I'd recommend making id_rsa / id_dsa / authorized_keys and chattr +i them in /root for the time being. That *should* temporarily mitigate this issue. Also, if you don't already, take a peek at pam_access and restrict your root logins.
Last edited by CodyRo; 05-13-2013 at 05:47 PM.
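
An added example, not part of CodyRo's post or the advisory: a POSIX shell audit that reports whether the three files named in the mitigation above exist and carry the immutable attribute set by `chattr +i`. The function names, the `--audit` switch and the default directory `/root/.ssh` (the path given in the advisory) are assumptions.

```shell
#!/bin/sh
# Added example: audit the temporary mitigation from the thread.
# Function names and the default directory are assumptions.

KEY_FILES="id_rsa id_dsa authorized_keys"

# Print "immutable", "mutable" or "missing" for one path.
file_state() {
    path=$1
    if [ ! -e "$path" ]; then
        echo missing
        return
    fi
    # lsattr prints "<flags> <path>"; keep only the flags field.
    # If lsattr is unavailable or the filesystem has no attribute
    # support, flags stays empty and the file is reported as mutable.
    flags=$(lsattr -d "$path" 2>/dev/null | awk '{print $1; exit}')
    case $flags in
        *i*) echo immutable ;;   # lowercase i = immutable attribute
        *)   echo mutable ;;
    esac
}

# Print one "name state" line per key file.
# Returns 0 only when every file exists and is immutable.
audit_ssh_dir() {
    dir=${1:-/root/.ssh}
    rc=0
    for name in $KEY_FILES; do
        state=$(file_state "$dir/$name")
        echo "$name $state"
        [ "$state" = immutable ] || rc=1
    done
    return $rc
}

# Run as: sh audit.sh --audit [directory]
if [ "${1:-}" = "--audit" ]; then
    audit_ssh_dir "${2:-/root/.ssh}"
fi
```

A file reported as `missing` or `mutable` can still be created or replaced by a process running as root, so a non-zero exit status means the mitigation is not fully in place.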

Posted by Eased, 05-13-2013, 07:51 PM
Official email from cPanel has been sent out.

Posted by Patrick, 05-13-2013, 08:09 PM
Ah. Interesting. Credit should have been given to Rack911... one has to wonder if they issued that email because of this post. (We have previously reported flaws to cPanel that were silently fixed but we now have taken a more proactive approach in reporting flaws to the masses.)


