Other official information and services: www.belgium.be

Warning: CVE-2023-29489 cPanel reflected cross-site scripting vulnerability

Référence:

Advisory #2023-047

Version:

1.0

Logiciels concernés :

cPanel

Type:

Reflected XXS

CVE/CVSS:

CVE-2023-29489, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L (6.3)

Date:

28/04/2023

Sources

Official manufacturer: https://forums.cpanel.net/threads/cpanel-tsr-2023-0001-full-disclosure.7... (SEC-699)

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-29489

Risques

An attacker could craft a link containing malicious JavaScript code. Should a user click on the provided link, the code supplied by the attacker will execute in the victim user's browser, in the context of their session with the application. This could lead to account compromise, session takeover, ...

In addition to this, the XSS vulnerability is exploitable regardless of whether or not the cPanel management ports (2080, 2082, 2083, 2086) are exposed externally. This means that any website on port 80 and 443 is also vulnerable to the cross-site scripting vulnerability if it is being managed by a vulnerable cPanel version.

Description

cPanel is web hosting control panel software. It provides a graphical interface (GUI) and automation tools designed to simplify the process of hosting a web site to the website owner or the end user. It enables administration through a standard web browser.

CVE-2023-29489 concerns a reflected cross-site scripting (XSS) vulnerability. Security researchers discovered the message_html variable is not properly sanitized in cPanel error pages for cpsrvd thus enabling the XSS attack. Since the default proxy rules allow the /cpanelwebcall/ directory to be accessed even on ports 80 and 443, cPanel does not need to be exposed to the internet to exploit this vulnerability.

Should a user click on a crafted link the impact of this vulnerability is execution of arbitrary JavaScript, pre-authentication, on almost every port of a webserver using cPanel within its default setup. An attacker could leverage this vulnerability to hijack a legitimate user’s cPanel session and perform administrative actions such as

access site content: web server data, databases, ...
modify site content: upload webshells, modify application to dump user passwords, ...

Actions recommandées

The Centre for Cyber Security Belgium strongly recommends system administrators to take the following actions in order to mitigate the impact of this vulnerability in the most efficient way.

Patch

A lot of the cPanel installations on the internet have cPanel’s auto-update functionality enabled, meaning that you may no longer be vulnerable without having to patch yourself since cPanel patched this end of February. If you do not have this feature set up, please consult the link provided in the reference table for instructions on how to enable it.

Should you choose not to enable the auto-update feature, please install a non-vulnerable version:

11.109.9999.116
11.108.0.13
11.106.0.18
11.102.0.31

Monitor/Detect

Since XSS example URIs are provided, the CCB recommends organizations to upscale monitoring and detection capabilities and to detect any related suspicious activity, ensuring a fast response in case of an intrusion. Monitor for suspicious administrator logins.

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

Références

Vendor KB: https://support.cpanel.net/hc/en-us/articles/360053076314-How-to-re-enab...

Security researcher: https://blog.assetnote.io/2023/04/26/xss-million-websites-cpanel/