cPanel provided more details about the cPanel security updates it released earlier this week

cPanel Security Updates Address Perl Module Vulnerabilities

1 comment

Web hosting software maker cPanel emailed users on Thursday about the cPanel and WHM security updates it released earlier this week, providing more detail behind the five specific security vulnerabilities the new builds address.

According to the email sent to cPanel users, the majority of the vulnerabilities detected by members of the development and quality assurance teams at cPanel were around several Perl modules on cPanel and WHM versions 11.30, 11.32 and 11.34.

On Tuesday, cPanel told users to expect an update in the coming days.

“There is no reason to believe that these vulnerabilities are known to the public. As such, cPanel will only release limited information regarding the vulnerabilities,” cPanel wrote in an email.

This cPanel security update comes a month after cPanel and WHM 11.34 reached the stable tier of the release schedule.

cPanel says the Perl Storable module is used for caching data to disk and transferring data between processes, and in many areas this communication crosses privilege separation boundaries.

“A local malicious user could use this behavior to inject code into serialized data structures, thus allowing for code execution and possibility of privilege escalation,” cPanel says.

The Perl YAML::Syck module provides similar functionality to the Storable module, according to cPanel, and could be used to perform “unsafe actions in object destructors.”

The Crypt::Passwd::XS Perl module, which performs password hashing, suffers from a vulnerability “where the passwords with the 0x80 character are truncated when hashed using the DES crypt algorithm. cPanel & WHM systems are configured by default to use the stronger MD5 and SHA512 crypt password hashing algorithms.”

Finally, an authenticated attacker could use the cPanel::Locale formatting functionality to execute arbitrary shell commands on the local system bypassing normal restrictions on local code execution, cPanel says.

The full details of each cPanel security vulnerability have been posted on the cPanel website.

The updates to each version will be performed automatically unless the user has the automatic updates disabled.

The WHIR took a look at the new features of cPanel and WHM 11.34 back in November, assessing some of the new functions including several new hosting control panel features. 

Talk back: Did you automatically update your cPanel or WHM control panel? What do you think of the cPanel security updates? Let us know in a comment.


Add Your Comments

  • (will not be published)

One Comment

  1. I updated our servers as soon as I got a email, and saw a tweet from WebhostingTalk. It's important to keep the servers secure as possible to keep our customers safe.