

Unixy Varnish (cPanel) -- Privilege Escalation Vulnerability




Posted by Steven, 06-03-2013, 01:56 PM
Product Description:
The UNIXY cPanel plugin comes with a Web interface to manage Varnish via cPanel WHM. The cPanel app takes the complexity out of Varnish in a consolidated one-stop interface. The script allows you to uninstall Varnish, modify Varnish settings, look up caching stats, refresh the Varnish cache, restart Varnish, and much more!

Vulnerability Description:
Due to an ACL bypass and failure to sanitize input, the UNIXY cPanel Varnish plugin is vulnerable to a privilege escalation through the Advanced Configuration page by a malicious reseller user that would allow them to gain root access.

Note: This flaw is allowed to exist because of a fundamental security failure within WHM that executes all plugins as root.

Proof of Concept:
Due to the nature of this vulnerability we are withholding the proof of concept until a later date to allow everyone ample time to update their software.

Impact:
We have deemed this vulnerability to be rated as CRITICAL due to the fact that a normal user can gain an instant root shell.

Important Note:
It's worth noting that the developer of this software decided to deflect blame for the exploit on the fact that PHP should never be allowed under WHM for resellers. While it is true that the feature is disabled by default on new cPanel installs, there are several commonly used plugins that enable it, and running PHP under WHM is no more dangerous than the default CGI because both run as root. It is ignorant and frankly stupid to make up excuses for poor coding practices. Whether this flaw affects 1% or 100% of users, it is still a serious flaw that should never have been allowed to happen in the first place.

Vulnerable Version:
This vulnerability was tested against UNIXY cPanel Varnish 1.8.0-4 and is believed to exist in all prior versions.

Fixed Version:
This vulnerability was patched in UNIXY cPanel Varnish 1.8.0-5.

Vendor Contact Timeline:
2013-05-30: Vendor contacted via email.
2013-05-30: Vendor confirms vulnerability.
2013-06-01: Vendor issues v1.8.0-5 update.
2013-06-03: Rack911 issues security advisory.

Posted by mrzippy, 06-03-2013, 02:33 PM
Thanks. I have two servers running this software and will upgrade them asap.

Posted by ServerZoo, 06-05-2013, 11:17 AM
Though I don't use this plugin, I always want to say thank you, Steven!


