In a post on the cPanel Blog last night we shared information regarding an exploit that had been identified in Exim. This exploit allows attackers to execute code as the root user on your server without authentication and was rated a 9.8 out of 10 in severity.
While Version 80 was never vulnerable to this exploit, and we released a patch for Version 78 last night, the recently End of Life Version 70 and Version 76 remained vulnerable. More details were released today, including details on exactly how to gain root access to a remote server.
It’s possible that the update will be blocked with an error similar to this:
A system upgrade was not possible due to the following blockers:
[2019-06-07 02:02:51 +0200] W [FATAL] - You must migrate from EA3 to EA4 before upgrading to v78 or newer. You can do so by running /usr/local/cpanel/scripts/migrate_ea3_to_ea4 or via WHM’s EasyApache 4 Migration interface. For more information please see: https://go.cpanel.net/EA4Migration
If you encounter this error, you must manually adjust your /etc/cpupdate.conf file to the example below:
CPANEL=11.76 RPMUP=daily SARULESUP=daily STAGING_DIR=/usr/local/cpanel UPDATES=daily
Once you have completed this update (upcp) please set this back to the following:
CPANEL=release RPMUP=daily SARULESUP=daily STAGING_DIR=/usr/local/cpanel UPDATES=daily
This will allow you to upgrade to newer versions of cPanel & WHM once you have migrated to EasyApache 4.
While Exim is open source software that we bundle with our software and is not built by cPanel, this vulnerability is something that we feel deserves our attention. This is an extremely rare and specific situation that has the potential to impact everyone who interacts with the internet in any way. For that reason, we have released an update to patch this vulnerability for both Version 70 and Version 76.
To ensure that your server has received the patch, please update to one of the following versions:
cPanel & WHM Versions 70 and 76 remain End of Life and will receive no other updates. This is a one-time bending of our policy, and we do not plan to pursue any other updates for these versions. We still strongly recommend that you keep your servers updated, and continue to run the most recent versions of cPanel & WHM available.
If you need help with any of this, don’t hesitate to reach out! The best places to ask questions are the cPanel Forums, our directly to our support team. You can also join us in our Slack or Discord channels, or even ask on our subreddit!cPanel is a control panel for Web Hosting Providers available here – Cloud Server cPanel. Contact us to find out our latest offers!