Critical Exim Vulnerability
Posted on 03 March 2016 02:06 PM

Important Note

This post is specifically for our VPS and Dedicated Hosting clients using cPanel on their servers. Please verify the details provided below and update your servers.

If you have any concerns, feel free to get in touch with our Support Team. We will be more than happy to guide you.

Background Information

On Wednesday, March 2, 2016, Exim announced a vulnerability in all versions of the Exim software.

 

Impact

According to Exim development: "All installations having Exim set-uid root and using 'perl_startup' are vulnerable to a local privilege escalation. Any user who can start an instance of Exim (this is normally *any* user) can gain root privileges."

 

Releases

The following versions of cPanel & WHM were patched to have the correct version of Exim. All previous versions of cPanel & WHM, including 11.48.x and below, are vulnerable to a set-uid attack on Exim.

Version / tier   Patched version
11.50            11.50.5.0
11.52            11.52.4.0
11.54            11.54.0.18
EDGE             11.55.9999.106
CURRENT          11.54.0.18
RELEASE          11.54.0.18
STABLE           11.54.0.18

How to determine if your server is up to date

The updated RPMs provided by cPanel will contain a changelog entry with the CVE number. You can check for this changelog entry with the following command:

rpm -q --changelog exim | grep CVE-2016-1531

The output should resemble the following:

- - Fixes CVE-2016-1531

 

What to do if you are not up to date

If your server is not running one of the above versions, update immediately.

You can upgrade your server by navigating to WHM Home > cPanel > Upgrade to Latest Version and clicking "Click to Upgrade" (https://documentation.cpanel.net/display/ALD/Update+Preferences).

Alternatively, you can run the following commands to upgrade your server from the command line:

/scripts/upcp

/usr/bin/perl /scripts/check_cpanel_rpms --fix --long-list

Verify the new Exim RPM was installed:

rpm -q --changelog exim | grep CVE-2016-1531

The output should resemble the following:

- - Fixes CVE-2016-1531

 

What has changed

Exim now provides two configuration options, keep_environment and add_environment, which limit the environment variables available to Exim and all of its child processes. For the initial release with this feature, cPanel sets them as follows on all supported cPanel & WHM systems. These values can be modified in the Advanced Configuration Editor if necessary, though we advise caution when adding too many variables to keep_environment.

/etc/exim.conf

keep_environment = X-SOURCE : X-SOURCE-ARGS : X-SOURCE-DIR

add_environment = PATH=/usr/local/sbin::/usr/local/bin::/sbin::/bin::/usr/sbin::/usr/bin::/sbin::/bin
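
The changelog check from "How to determine if your server is up to date" and the two options from "What has changed" can be combined into one audit script. This is an added example, not cPanel's or Exim's code; the function names and the /usr/sbin/exim binary path are assumptions.

```shell
#!/bin/sh
# Added example, not cPanel or Exim code. Function names are hypothetical.

# Succeeds if the changelog text on stdin carries the CVE-2016-1531 fix entry.
changelog_has_fix() {
    grep -q 'CVE-2016-1531'
}

# conf_has_option FILE OPTION: succeeds if OPTION is set on an uncommented line.
conf_has_option() {
    grep -Eq "^[[:space:]]*$2[[:space:]]*=" "$1"
}

# is_setuid_root FILE: succeeds if FILE is owned by root and has the set-uid bit.
is_setuid_root() {
    [ -n "$(find "$1" -user root -perm -4000 2>/dev/null)" ]
}

# audit_exim CONF CHANGELOG_FILE: prints findings; returns 0 only when the
# fix is in the changelog and both environment options are set in CONF.
audit_exim() {
    conf=$1; changelog=$2; rc=0
    if changelog_has_fix < "$changelog"; then
        echo "OK: changelog lists the CVE-2016-1531 fix"
    else
        echo "FAIL: no CVE-2016-1531 entry in the exim changelog"; rc=1
    fi
    for opt in keep_environment add_environment; do
        if conf_has_option "$conf" "$opt"; then
            echo "OK: $opt is set"
        else
            echo "FAIL: $opt is not set in $conf"; rc=1
        fi
    done
    if conf_has_option "$conf" perl_startup; then
        echo "NOTE: perl_startup is configured (the condition quoted under Impact)"
    fi
    return "$rc"
}

# Live run on the server: sh exim_audit.sh --live
# /usr/sbin/exim is an assumed binary path; adjust if yours differs.
if [ "${1:-}" = "--live" ]; then
    tmp=$(mktemp) && rpm -q --changelog exim > "$tmp"
    is_setuid_root /usr/sbin/exim && echo "NOTE: /usr/sbin/exim is set-uid root"
    audit_exim /etc/exim.conf "$tmp"; status=$?
    rm -f "$tmp"; exit "$status"
fi
```

A non-zero exit status means the server still needs the update steps listed above.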

 

Additional Information

CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1531

Initial Public Disclosure: https://lists.exim.org/lurker/message/20160302.191005.a72d8433.en.html

Documentation: https://documentatio...-2016-1531 Exim