Mar 032016
 

From the cPanel Security Team: exim CVE-2016-1531

Background Information: On Wednesday, March 2, 2016, Exim announced a vulnerability in all versions of the Exim software.

Impact: According to Exim development: “All installations having Exim set-uid root and using ‘perl_startup’ are vulnerable to a local privilege escalation. Any user who can start an instance of Exim (this is normally *any* user) can gain root privileges.”

Releases: The following versions of cPanel & WHM were patched to have the correct version of Exim. All previous versions of cPanel & WHM, including 11.48.x and below, are vulnerable to a set-uid attack on Exim.

  • 11.50 11.50.5.0
  • 11.52 11.52.4.0
  • 11.54 11.54.0.18
  • EDGE 11.55.9999.106
  • CURRENT 11.54.0.18
  • RELEASE 11.54.0.18
  • STABLE 11.54.0.18
  • How to determine if your server is up to date: The updated RPMs provided by cPanel will contain a changelog entry with the CVE number. You can check for this changelog entry with the following command:

    rpm -q --changelog exim | grep CVE-2016-1531

    The output should resemble below:

    - - Fixes CVE-2016-1531

    What to do if you are not up to date: If your server is not running one of the above versions, you will need to update immediately. You can upgrade your server by navigating to WHM Home > cPanel > Upgrade to Latest Version and clicking “Click to Upgrade” (https://documentation.cpanel.net/display/ALD/Update+Preferences)

    Alternatively, you can run the below commands to upgrade your server from the command line:

    /scripts/upcp
    /usr/bin/perl /scripts/check_cpanel_rpms --fix --long-list

    Verify the new Exim RPM was installed:

    rpm -q --changelog exim | grep CVE-2016-1531

    The output should resemble below:

    - - Fixes CVE-2016-1531

    What has changed: Exim now provides two configuration options which limit what environment variables are available to Exim and all of its child processes. The variables are keep_environment and add_environment. For the initial release with this feature, cPanel will be setting the variables as follows in all supported cPanel & WHM systems. These values can be modified in the Advanced Configuration Editor if necessary, though we advise caution on adding too many variables to keep_environment.

    /etc/exim.conf
    keep_environment = X-SOURCE : X-SOURCE-ARGS : X-SOURCE-DIR
    add_environment = PATH=/usr/local/sbin::/usr/local/bin::/sbin::/bin::/usr/sbin::/usr/bin::/sbin::/bin

    Additional Information:

    CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1531
    Initial Public Disclosure: https://lists.exim.org/lurker/message/20160302.191005.a72d8433.en.html
    Documentation: https://documentation.cpanel.net/display/CKB/CVE-2016-1531+Exim

    Share This!
     Posted by at 6:33 am