On Monday 18th May 2020, cPanel’s security team released a patch to mitigate against a number of different vulnerabilities, assigned security levels (CVSSv3 scores) ranging from 3.0 (low severity) to 9.9 (critical). Further information was released on 19th May detailing a concerning Exim RCE (remote code execution) vulnerability.
cPanel refers to the Exim RCE vulnerability, assigned a CVSSv3 score of 9.9, as SEC-485. It is caused by the default cPanel/WHM Exim configuration, which cPanel has said does “not adequately protect against path traversal attacks”.
RCE allows a remote attacker to execute code on the server, affecting other accounts hosted on it. Let’s break down the CVSSv3 metrics below.
The Exim RCE vulnerability carries the following CVSSv3 base metrics.
AV:N – The Attack Vector. The value N tells us that this particular vulnerability can be exploited remotely over the network.
AC:L – The Attack Complexity. This has been rated low, meaning that the attack doesn’t require specific conditions to be in place.
PR:L – The Privileges Required for a successful attack. This lets us know the level of access the attacker would need to exploit this vulnerability and has been marked as L (low), which means an authenticated user is required to exploit this vulnerability. cPanel do however note that “abuse of this flaw by unauthenticated attackers was possible under some circumstances.”
UI:N – This metric tells us that User Interaction is not required for a vulnerable system to be exploited.
S:C – The Scope. ‘C’ tells us that this exploit can affect resources outside of the security authority of the vulnerable component. This means that other parts of the system, as opposed to just Exim, can be affected.
C:H – Linked to Confidentiality. This is a major indicator of the information access that an attacker can gain. The scale goes from none (N) to low (L) to high (H). In this case, high has been chosen – high being described as a total loss of data confidentiality.
I:H – Like confidentiality, data Integrity runs on the same scale. A successful RCE attack causes a total loss of integrity or a complete loss of protection on the server.
A:H – The Availability of the server and its data. Because this attack allows remote code execution against other accounts on the server, the availability of websites, mail or any of the applications on your server could be affected.
The Exim RCE vulnerability has been patched in the following builds of WHM/cPanel:
To check your version of cPanel, log into WHM. At the top of the screen, you will be able to see the build you’re currently running. If it is not equal to or above the build numbers noted here, you may be vulnerable to this attack.
While the impact of an Exim RCE attack is significant, the mitigation steps are simple.
WHM Web Interface: You can update to the latest version by logging into your WHM panel and going to Home >> cPanel >> Upgrade to Latest Version. Recheck the build number at the top to ensure you’re on a patched build.
Command Line: You can update cPanel by running the command /scripts/upcp
You can verify the version by running /usr/local/cpanel/cpanel -V
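For anyone checking more than one server, here is a small Python helper that reads the build reported by /usr/local/cpanel/cpanel -V and compares it numerically against a minimum patched build. This is an added example, not a UKFast or cPanel tool. It assumes that the command prints a dotted build such as 11.86.0.21 (cPanel prefixes builds with an internal 11.), and the minimum build is a labelled placeholder that you should replace with the patched build for your release tier from cPanel’s advisory, since the list is not reproduced here.

```python
import os
import re
import subprocess

# Assumption: `/usr/local/cpanel/cpanel -V` prints a dotted build like "11.86.0.21".
BUILD_RE = re.compile(r"(\d+(?:\.\d+)+)")

# PLACEHOLDER: replace with the first patched build for your release tier
# from cPanel's SEC-485 advisory. "0" deliberately makes every build pass
# until it is set, so keep an eye on the warning below.
MINIMUM_PATCHED_BUILD = "0"


def parse_build(text):
    """Extract the dotted build from command output as a tuple of ints."""
    match = BUILD_RE.search(text)
    if not match:
        raise ValueError(f"no build number found in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_patched(current, minimum):
    """True if `current` is at or above `minimum`, comparing component by
    component as integers. Plain string comparison would wrongly rank
    11.9.x above 11.86.x."""
    cur, req = parse_build(current), parse_build(minimum)
    width = max(len(cur), len(req))
    cur += (0,) * (width - len(cur))   # pad so 11.86 == 11.86.0.0
    req += (0,) * (width - len(req))
    return cur >= req


def installed_build(binary="/usr/local/cpanel/cpanel"):
    """Run the version command the post describes; None if this is not a cPanel host."""
    if not os.path.isfile(binary):
        return None
    result = subprocess.run([binary, "-V"], capture_output=True, text=True, check=True)
    return result.stdout.strip()


if __name__ == "__main__":
    if MINIMUM_PATCHED_BUILD == "0":
        print("warning: MINIMUM_PATCHED_BUILD is still the placeholder")
    build = installed_build()
    if build is None:
        print("cPanel binary not found; nothing to check")
    elif is_patched(build, MINIMUM_PATCHED_BUILD):
        print(f"build {build} is at or above {MINIMUM_PATCHED_BUILD}")
    else:
        print(f"build {build} is BELOW {MINIMUM_PATCHED_BUILD}: run /scripts/upcp")
```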
We’ve released a number of blog posts pertaining to vulnerabilities in various system packages, though the simplest way to keep cPanel up to date is to set up automatic updates.
You can do this by logging into WHM >> Update Preferences >> Daily Updates. Here you can configure updates to be applied automatically.
The UKFast team is more than happy to help answer any questions you may have about your security or carrying out the above updates. Please don’t hesitate to contact the UKFast support team on 0800 923 0605.