PHP-FPM/Nginx Vulnerability – CVE-2019-11043


A new vulnerability in PHP-FPM has been noted which could lead to remote code execution on nginx. An earlier message on Twitter exposed the CVE-2019-11043 bug:


WordPress Exploit – AMP Plugin

AMP for WP - Accelerated Mobile Pages allows your site to be faster for mobile visitors. Along with last week’s report, the AMP plugin has also been added to the list of exploited plugins. The AMP for WP plugin was reported on October 20, 2018, by its developers. Luckily, the newest version of this plugin, 0.9.97.20, has patched its known security flaws. This exploit has the means of putting 100,000+ users at potential risk, so it’s best to check if you are utilizing this plugin. In this tutorial, we will be checking if you use this plugin. Along with updating, we will also show you how to check your site for compromises.

Protecting against CVE-2018-14634 (Mutagen Astronomy)

There is a new exploit named Mutagen Astronomy, rated at severity level 7.8, that affects the major Linux distributions Red Hat Enterprise Linux, Debian 8 and CentOS. Mutagen Astronomy exploits an integer overflow vulnerability in the Linux kernel and gives root access (admin privileges) to unauthorized users on the targeted server. This exploit affects Linux kernel versions dating from July 2007 to July 2017. Living in the kernel, the memory table can be manipulated to overflow using the create_elf_tables() function. After overwhelming the server, the attacker can then take over the server for malicious purposes.

Protecting Against CVE-2016-3714 (ImageMagick)


Overview

A security vulnerability has been discovered in the ImageMagick software suite that can potentially allow remote code execution.

Impact

All versions of ImageMagick are affected. An updated version has been committed and should be rolling out to repositories in the near future. Until a patch is available for all systems, Liquid Web is taking steps to block the offending payloads. Additionally, a direct modification to ImageMagick’s policy file can reduce the risk of an exploit due to the vulnerability.

Resolution

A full resolution is not possible until a patch is released and applied. While that is anticipated to be available soon, in the interim, policies specifically blocking known exploits can be added directly to ImageMagick’s policy file, policy.xml. The file will be located in one of two possible directories, depending on how the software was installed:

  • /etc/ImageMagick/policy.xml
  • /usr/local/etc/ImageMagick-6/policy.xml

Once located, open policy.xml in your preferred text editor and add the following nine lines to the bottom of the file to help minimize the risks of exploit:

<policy domain="coder" rights="none" pattern="EPHEMERAL" />
<policy domain="coder" rights="none" pattern="HTTPS" />
<policy domain="coder" rights="none" pattern="MVG" />
<policy domain="coder" rights="none" pattern="MSL" />
<policy domain="coder" rights="none" pattern="TEXT" />
<policy domain="coder" rights="none" pattern="SHOW" />
<policy domain="coder" rights="none" pattern="WIN" />
<policy domain="coder" rights="none" pattern="PLT" />
<policy domain="path" rights="none" pattern="@*" />

Note: This post has been updated to reflect policies for four additional coders identified as potentially vulnerable, and one that prevents indirect reads entirely. ImageMagick still should be upgraded when the latest release is made available even if the policy file has been manually edited.
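
One way to confirm the edit, as an added example that is not part of the original post: this Python check parses policy.xml with a strict XML parser and lists which of the nine entries above are missing. It counts only uncommented policy elements under the policymap root element, so an entry that exists only inside a comment, or a file that is no longer well-formed after editing, is reported; the function name and the sample document are constructed for illustration.

```python
import os
import xml.etree.ElementTree as ET

# The nine entries listed above as (domain, pattern); each must carry rights="none".
REQUIRED = [("coder", p) for p in
            ("EPHEMERAL", "HTTPS", "MVG", "MSL", "TEXT", "SHOW", "WIN", "PLT")]
REQUIRED.append(("path", "@*"))

# The two locations named in this post.
POLICY_PATHS = ["/etc/ImageMagick/policy.xml",
                "/usr/local/etc/ImageMagick-6/policy.xml"]


def missing_policies(policy_xml):
    """Return the required (domain, pattern) pairs that policy_xml does not deny."""
    try:
        root = ET.fromstring(policy_xml)
    except ET.ParseError as exc:
        # Typical cause: text left outside the <policymap>...</policymap> element.
        raise ValueError("cannot check: not well-formed XML (%s)" % exc) from exc
    if root.tag != "policymap":
        raise ValueError("cannot check: root element is <%s>, expected <policymap>" % root.tag)
    # XML comments are skipped by the parser, so commented-out entries do not count.
    denied = {(p.get("domain"), p.get("pattern"))
              for p in root.iter("policy") if p.get("rights") == "none"}
    return [entry for entry in REQUIRED if entry not in denied]


# Constructed sample: four entries applied, MVG present only inside a comment.
SAMPLE = """<policymap>
  <!-- <policy domain="coder" rights="none" pattern="MVG" /> -->
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="path" rights="none" pattern="@*" />
</policymap>"""

if __name__ == "__main__":
    print("sample is missing:", missing_policies(SAMPLE))
    for path in POLICY_PATHS:
        if os.path.exists(path):
            with open(path, "rb") as fh:
                print(path, "is missing:", missing_policies(fh.read()))
```

Running identify -list policy afterwards shows the policies ImageMagick itself has loaded.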

Managed customers who need help editing the policy file may contact Heroic Support® for assistance.
 

How To Protect Your cPanel Server Against CVE-2016-1531


Overview

On March 2, Exim announced via its mailing list that it had discovered a vulnerability in all versions of its mail transport agent. Exim is the default MTA on cPanel servers. The latest version patches the vulnerability, and the latest cPanel update resolves the issue.

Impact

Exim says that all installations of its MTA were vulnerable to a condition in which an attacker with any level of privileges on the server could gain root privileges. The versions of cPanel & WHM listed below are protected against the attack on Exim. Any version prior to the versions listed below is vulnerable:

  • 11.50.5.0
  • 11.52.4.0
  • 54.0.18
  • 55.9999.106 (EDGE tier only)

Is Exim Vulnerable on Your Server?

If your cPanel server has automatic updates enabled, then the patch will already have been applied.

You can confirm that your server is protected simply by logging into WHM and checking the version listed at the top of the screen, as shown in the image below:

[Image: Check WHM version]

Note: the “build” listed after the version represents the final digits in the release version. In the example above, WHM 54.0 (build 18) indicates that the version is 54.0.18.

Resolution

If you are not already on the latest version of cPanel, follow these instructions to enable automatic updates. Once you click the Save button to change your settings, you will have the option to update the server to the latest version immediately by clicking the link in the confirmation message as shown below:

[Image: UpdateNow]

 

Is Your cPanel Server Protected Against CVE-2016-0800 (DROWN)?


Overview

A new flaw has been found in the Secure Sockets Layer version 2.0 (SSLv2) protocol. An attacker could theoretically exploit this vulnerability to bypass RSA encryption, even when connecting via a newer protocol version, if the server also supports the older SSLv2 standard.


cPanel TSR-2016-0001


Overview

On January 18, 2016, cPanel announced that it had discovered vulnerabilities affecting all current versions of its control panel software. At the time of the announcement, cPanel issued a Targeted Security Release for each software tier, which the company said addresses 20 vulnerabilities in cPanel and WHM.

Because the issues were discovered internally by cPanel, and cPanel does not believe that there are any exploits of the vulnerabilities in the wild, they are not yet releasing any additional information on the exact nature of the issues. The company will allow sufficient time for potentially vulnerable servers to be updated before providing additional information.

Impact

    • All servers running a version of cPanel/WHM lower than the versions indicated below are affected. All servers running a version of cPanel/WHM equal to or greater than those below are not affected:
      • 54.0.4 (WHM 54.0 build 4) on the CURRENT and EDGE Tiers
      • 11.52.2.4 (WHM 11.52.2 build 4) on the STABLE and RELEASE Tiers
      • 11.50.4.3 (WHM 11.50.4 build 3) and 11.48.5.2 (WHM 11.48.5 build 2) on the Long-Term Support (LTS) Tiers
    • There are no known “in the wild” exploits of the cPanel vulnerabilities at this time.
    • cPanel’s regular update process automatically will download and apply the appropriate new software version for your chosen tier, addressing all known vulnerabilities.

Summary

If your cPanel server is configured to automatically check for updates, no action is required on your part, and the patch automatically will be applied at the server’s next check. If you have disabled automatic updates, you can follow the instructions in our tutorial, How To Upgrade and Patch cPanel to manually update cPanel. If you require any assistance, please contact Heroic Support®.

Is Your Server Affected?

To determine whether your cPanel server already has had the patch applied, you need only to log into WebHost Manager and check the version number, which is located at the top-center of every page in WHM:

[Image: cPanelWHMVersion]

In this example, on a server set to the CURRENT release tier, you can see that the cPanel/WHM version is 54.0.4 (54.0 build 4), and thus is not vulnerable. If you are on a different release tier (LTS, STABLE, RELEASE, or EDGE), you will need to check your version against the list above.

Note: cPanel dropped the “11” from its cPanel/WHM version number beginning with 54 (which would have been 11.54). You still may see the current version referred to as both “54” and “11.54” in different places in the cPanel/WHM interface as the change in version numbering populates throughout the user interface.
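
The version check described here and in the CVE-2016-1531 section, as an added example that is not cPanel's code or part of the original posts: it compares a version only against the patched release on the same branch, because 11.52.3.0 is numerically lower than 54.0.4 yet is patched on its own tier. The function names are illustrative, and treating a branch that is absent from a list as patched only when it is newer than every listed branch is an assumption.

```python
import re

# Minimum patched versions, copied from the two lists on this page.
CVE_2016_1531 = ["11.50.5.0", "11.52.4.0", "54.0.18", "55.9999.106"]
TSR_2016_0001 = ["54.0.4", "11.52.2.4", "11.50.4.3", "11.48.5.2"]


def normalize(version):
    """Map '11.52.2.4', '54.0.4' or 'WHM 54.0 (build 4)' to a tuple such as (52, 2, 4)."""
    text = version.strip()
    m = re.fullmatch(r"(?:WHM\s+)?([\d.]+)\s+\(build\s+(\d+)\)", text)
    if m:  # the build is the final component of the release version
        text = "%s.%s" % (m.group(1), m.group(2))
    if not re.fullmatch(r"\d+(\.\d+){2,3}", text):
        raise ValueError("unrecognised cPanel/WHM version: %r" % version)
    parts = [int(p) for p in text.split(".")]
    if len(parts) == 4:
        if parts[0] != 11:
            raise ValueError("four-part version without leading 11: %r" % version)
        parts = parts[1:]  # 11.54.x.y and 54.x.y name the same release
    return tuple(parts)


def is_patched(version, minimums):
    """True when version is at or above the patched release of its own branch."""
    v = normalize(version)
    mins = sorted(normalize(m) for m in minimums)
    same_branch = [m for m in mins if m[0] == v[0]]
    if same_branch:
        return v >= same_branch[0]
    # Assumption: an unlisted branch counts as patched only if newer than all listed ones.
    return v[0] > mins[-1][0]


if __name__ == "__main__":
    for seen in ("WHM 54.0 (build 4)", "11.52.3.0", "11.46.4.0"):
        print(seen, "TSR-2016-0001:", is_patched(seen, TSR_2016_0001),
              "CVE-2016-1531:", is_patched(seen, CVE_2016_1531))
```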

Resolution

The latest version of cPanel, 54.0.4 (54.0 build 4), is patched against the vulnerability. An upgrade to the current release version of cPanel/WHM will address the vulnerabilities and resolve the issues discovered by cPanel.

To upgrade, follow the instructions in our tutorial, How To Upgrade and Patch cPanel. If you require any assistance in verifying your current version or manually updating cPanel, please contact Heroic Support®.

To check or change your current cPanel release tier, or ensure that automatic updates are enabled, click on “Update Preferences” in WHM’s left menu:

[Image: UpdatePreferences]

After changing any settings, click the “Save” button at the bottom of the page to apply them.

 

 

Protecting Against CVE-2016-0777 and CVE-2016-0778


Overview

A flaw in OpenSSH, discovered and reported by Qualys on Jan. 14, 2016, could potentially allow an information leak (CVE-2016-0777) or buffer overflow (CVE-2016-0778) via the OpenSSH client. Specifically, an undocumented feature called roaming, introduced in OpenSSH version 5.4, can be exploited to expose a client’s private SSH key.
