ISPConfig News

ISPConfig 3.1.9 Released – Important security update

ISPConfig can be install into Contact us to find out our latest offers!

What’s new in ISPConfig 3.1.9

This release contains an important security fix for an authenticated local root vulnerability in the ISPConfig website cron system, the vulnerability has the CVE number CVE-2017-17384 assigned and has been reported to us by Chris Kessler. The update should be installed immediately. All ISPConfig 3 versions before 3.1.9 are affected.

An attacker requires either the correct ISPConfig admin password or a remote user (valid username and password) which has the permissions to create cronjobs or a client login with permission to create cronjobs.

We received reports that the net is currently scanned for ISPConfig installations with weak admin passwords, especially for systems with password ‘admin’. Ensure that your system uses a strong admin user password to protect your server!

The ISPConfig 3.1.9 release scans your system for potentially malicious cronjobs and will report them during update.

In case that you can not install the update right now, then a possible temporary attack prevention is to disable the cron plugin by removing the symlink like this:

rm -f /usr/local/ispconfig/server/plugins-enabled/cron_plugin.inc.php

It is not possible to create cronjobs from within ISPConfig after you deleted that symlink (cronjobs will show up in ISPConfig UI in that case but will not get added to the Linux cron.d directory). The symlink in plugins-enabled folder to the cron plugin in the plugins-available folder has to be added again to get the cron functionality back.

If you like to scan your system for potentially malicious cronjobs on the shell, use this command (copy / paste it on the shell as root user to execute it):

IFS=$'n' ;
for F in $(find /etc/cron.d -type f -name "ispc_*") ; do
 USR=${F:17} ;
 if [[ "$USR" = "chrooted_"* ]] ; then
  USR=${USR:9} ;
 fi ;
 USR=${USR%.*} ;
 echo "Checking cron file $F for user $USR";
 for L in $(awk '{print $6}' "$F") ; do
  if [[ "$USR" != "$L" ]] ; then
   echo "WARNING: $F contains cron job for user $L" ;
  fi ;
 done ;
done

The 3.1.9 release contains some other minor bugfixes beside the security fix, please see release notes for details.

Download

The software can be downloaded here:

http://www.ispconfig.org/downloads/ISPConfig-3.1.9.tar.gz

Changelog

https://git.ispconfig.org/ispconfig/ispconfig3/issues?assignee_id=&author_id=&label_name=&milestone_title=3.1.9&scope=all&sort=id_desc&state=closed

Known Issues

Please take a look at the bug tracker:

https://git.ispconfig.org/ispconfig/ispconfig3/issues

BUG Reporting

Please report bugs to the ISPConfig bug tracking system:

https://git.ispconfig.org/ispconfig/ispconfig3/issues

Supported Linux Distributions

– Debian Etch (4.0) – Stretch (9.0) and Debian testing
– Ubuntu 7.10 – 17.10
– OpenSuSE 11 – 13.2
– CentOS 5.2 – 7
– Fedora 9 – 15

Installation

The installation instructions for ISPConfig can be found here:

http://www.ispconfig.org/ispconfig-3/documentation/

Update

To update existing ISPConfig 3 installations, run these commands in the shell:

cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3.1.9.tar.gz
tar xvfz ISPConfig-3.1.9.tar.gz
cd ispconfig3_install/install
php -q update.php
ISPConfig can be install into Contact us to find out our latest offers!

Comments are closed.

>
%d bloggers like this: