Web hosting software maker cPanel emailed users on Thursday about the cPanel and WHM security updates it released earlier this week, providing more detail behind the five specific security vulnerabilities the new builds address.
According to the email sent to cPanel users, most of the vulnerabilities, which were found by members of cPanel's development and quality assurance teams, involve several Perl modules in cPanel and WHM versions 11.30, 11.32 and 11.34.
On Tuesday, cPanel told users to expect an update in the coming days.
“There is no reason to believe that these vulnerabilities are known to the public. As such, cPanel will only release limited information regarding the vulnerabilities,” cPanel wrote in an email.
cPanel says the Perl Storable module is used for caching data to disk and transferring data between processes, and in many areas this communication crosses privilege separation boundaries.
“A local malicious user could use this behavior to inject code into serialized data structures, thus allowing for code execution and possibility of privilege escalation,” cPanel says.
The Perl YAML::Syck module provides similar functionality to the Storable module, according to cPanel, and could be used to perform “unsafe actions in object destructors.”
The Crypt::Passwd::XS Perl module, which performs password hashing, suffers from a vulnerability “where the passwords with the 0x80 character are truncated when hashed using the DES crypt algorithm. cPanel & WHM systems are configured by default to use the stronger MD5 and SHA512 crypt password hashing algorithms.”
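Since the truncation issue only affects DES crypt hashes, an administrator would want to confirm that no accounts are still stored in that format. The following audit script is an added example, not cPanel's code; it assumes the standard `user:hash:...` shadow file layout and uses constructed sample lines rather than real credentials.

```python
# Classify the crypt(3) hash format of each account in a shadow-style file so
# that accounts still using legacy DES crypt (13 chars, no '$' prefix) stand out
# from the MD5 and SHA-512 crypt formats that cPanel & WHM use by default.
import re

# Modular-crypt prefixes in common use.
PREFIXES = {
    "$1$": "MD5 crypt",
    "$5$": "SHA-256 crypt",
    "$6$": "SHA-512 crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
}
# Traditional DES crypt: 2-char salt + 11-char hash from the crypt alphabet.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

def classify_hash(field):
    """Return a label describing the hash algorithm of one shadow password field."""
    if field == "" or field.startswith(("!", "*")):
        return "locked/no-password"
    for prefix, name in PREFIXES.items():
        if field.startswith(prefix):
            return name
    if DES_RE.match(field):
        return "DES crypt (legacy)"
    return "unknown"

def audit_shadow(text):
    """Parse shadow-format lines and map each username to its hash label."""
    result = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) >= 2:
            result[parts[0]] = classify_hash(parts[1])
    return result

def des_accounts(text):
    """Usernames whose password is still hashed with DES crypt."""
    return sorted(u for u, lbl in audit_shadow(text).items() if lbl == "DES crypt (legacy)")

# Constructed sample shadow content (hash values are made up, not real credentials).
SAMPLE = """\
root:$6$saltsalt$Q9cXv1constructedHashValue:15000:0:99999:7:::
webuser:$1$abcdefgh$constructedMd5Hash:15000:0:99999:7:::
legacy:xyA1bC2dE3fG4:15000:0:99999:7:::
nobody:*:15000:0:99999:7:::
"""

if __name__ == "__main__":
    for user, label in audit_shadow(SAMPLE).items():
        print(f"{user:10s} {label}")
    print("DES crypt accounts:", des_accounts(SAMPLE))
```

Run it against `/etc/shadow` (as root) by passing the file contents to `des_accounts`; any account listed should have its password reset so it is rehashed with the stronger default algorithm.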
Finally, an authenticated attacker could use the cPanel::Locale formatting functionality to execute arbitrary shell commands on the local system, bypassing the normal restrictions on local code execution, cPanel says.
The updates to each version will be applied automatically unless the user has automatic updates disabled.
Talk back: Did you automatically update your cPanel or WHM control panel? What do you think of the cPanel security updates? Let us know in a comment.