The state of cybersecurity in 2021 and beyond looks difficult and precarious. The business economy now leans heavily on the internet for critical operations such as enterprise storage, corporate communication, and access to the online knowledge base. Against that backdrop, a marked rise in malware detections and the unstoppable threat of ransomware face the entire connected industry. The attack surface available to cybercriminals is expanding, and attack vectors grow in sophistication and variety with each passing day. Evidence is plentiful: water treatment plant hacks, cryptocurrency exchange incidents, even bizarre ransomware attacks on agriculture. A rise in software weaknesses found in major software products across industries is also raising eyebrows; even the most well-established software leaders are not immune to cyber risk. The cyber regulation and policy environment is changing too. The cybersecurity industry is only going to grow, with billions being poured into startups, which underlines the need for high-level global cyber defense in a tumultuous time. Cybersecurity is not only a must against external threats: organizations are quickly closing their security gaps and consolidating their personnel’s cyber awareness to future-proof their security posture.
Speaking of security gaps, 2021 has been a notable year for software weaknesses, with several public exploits circulating in the wild. In this context, cPanel, the widely used control panel and web-hosting software company, alerted users to multiple software vulnerabilities in its EasyApache 4 product. Three vulnerabilities were reported, one of which was classified as high-risk.
About cPanel, L.L.C.
cPanel, L.L.C., established in 1996, is an American corporation that offers web hosting control panels and the management software that accompanies them. The name cPanel is short for ‘control panel’, an interface that allows customization and modification of hosting accounts with InMotion Hosting. The company provides graphical interface-based solutions, as well as automation solutions that make website hosting more efficient and simpler.
According to the official cPanel website, the company aims to “Create an exceptional hosting experience” and offers an “Industry-leading hosting platform with world-class support.” cPanel works with partners such as CloudLinux, Litespeed, Sectigo, WordPress, and WHMCS. The products offer a rich feature set that supports business needs, including transfer tools, add-ons, and backup and recovery, and they are well known in the industry for their distinctive graphical interface.
What is EasyApache 4?
EasyApache 4 (EA4) is a powerful and simple-to-use tool built into WHM/cPanel for updating and configuring the Apache web server. According to the official website, the software “installs, configures, updates, and validates your web server, PHP, and the other components of your web server. EasyApache 4 represents a total overhaul of how cPanel & WHM ships and maintains our Apache and PHP distributions.”
The Software Vulnerability
On September 1, 2021, a vulnerability report was published in the Newsroom section of the official cPanel website. It disclosed several vulnerabilities, one of which was classified as high-risk (the others medium). On an unpatched system, the high-risk vulnerability may give a remote attacker access and lead to complete system compromise.
Technical Details
The technical details of the high-severity vulnerability are as follows. The vulnerability is a boundary error in the EVP_PKEY_decrypt() function within the SM2 decryption implementation. A remote attacker can send specially crafted SM2 content for decryption to trigger a buffer overflow by 62 bytes and execute arbitrary code on the target system. The vulnerability is tracked as CVE-2021-3711.
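As an added illustration, not code from cPanel or OpenSSL, the model below mimics the two-call contract of EVP_PKEY_decrypt(), where a first call with a NULL output buffer reports the size to allocate and a second call fills it; in the SM2 code that size was computed from the ciphertext length minus a fixed overhead and could undershoot the real plaintext, so the second call could write past the caller's buffer. The hardened second call here rejects a buffer smaller than the parsed plaintext instead of writing into it. The envelope format, the ASSUMED_OVERHEAD value and all sample bytes are constructed and are not SM2 ciphertext.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fixed overhead the pre-fix style size query assumes (constructed value; in OpenSSL
 * it was derived from the curve field size and digest size, not from the ciphertext). */
#define ASSUMED_OVERHEAD 70
#define ERR_TOO_SMALL  (-1)
#define ERR_MALFORMED  (-2)

/* Constructed envelope: byte 0 = length of the header that follows, then the payload.
 * Like ASN.1, the real header size varies with the values encoded in it. */
int plaintext_size_from_envelope(const uint8_t *ct, size_t ctlen, size_t *len) {
    if (ctlen < 1 || ctlen < 1 + (size_t)ct[0]) return ERR_MALFORMED;
    *len = ctlen - 1 - ct[0];
    return 0;
}

/* Pre-fix style size query: length arithmetic with a fixed overhead. It undershoots
 * whenever the real header is shorter than ASSUMED_OVERHEAD bytes. */
size_t plaintext_size_from_length(size_t ctlen) {
    return ctlen > ASSUMED_OVERHEAD ? ctlen - ASSUMED_OVERHEAD : 0;
}

/* The two-call contract. With out == NULL, *outlen receives the (flawed) estimate.
 * With a buffer, *outlen is the caller's capacity on entry; checking it against the
 * parsed payload size is what turns a short buffer into an error, not an overwrite. */
int model_decrypt(const uint8_t *ct, size_t ctlen, uint8_t *out, size_t *outlen) {
    size_t need;
    int rc = plaintext_size_from_envelope(ct, ctlen, &need);
    if (rc != 0) return rc;
    if (out == NULL) { *outlen = plaintext_size_from_length(ctlen); return 0; }
    if (*outlen < need) return ERR_TOO_SMALL;
    memcpy(out, ct + 1 + ct[0], need);
    *outlen = need;
    return 0;
}

int main(void) {
    uint8_t ct[80] = {8};   /* constructed: 8-byte header, so 71 payload bytes */
    uint8_t out[80];
    size_t cap = 0, real = 0;
    model_decrypt(ct, sizeof ct, NULL, &cap);              /* estimate: 10 */
    plaintext_size_from_envelope(ct, sizeof ct, &real);    /* real: 71 */
    printf("estimate %zu bytes, real %zu bytes, short by %zu\n", cap, real, real - cap);
    printf("fill into estimated buffer: rc=%d (ERR_TOO_SMALL)\n",
           model_decrypt(ct, sizeof ct, out, &cap));
    return 0;
}
```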
Vulnerable Software Versions
The EasyApache 4 versions vulnerable to the above issues are listed below:
EasyApache: 4, 4 2017-5-16, 4 2017-6-13, 4 2017-6-21, 4 2017-7-11, 4 2017-7-18, 4 2017-8-8, 4 2017-8-17, 4 2017-9-6, 4 2017-9-20, 4 2017-10-3, 4 2017-10-12, 4 2017-10-16, 4 2017-10-31, 4 2017-11-7, 4 2017-11-29, 4 2017-12-5, 4 2017-12-21, 4 2018-1-9, 4 2018-1-18, 4 2018-1-25, 4 2018-2-6, 4 2018-3-6, 4 2018-3-21, 4 2018-4-3, 4 2018-5-1, 4 2018-5-22, 4 2018-5-29, 4 2018-6-19, 4 2018-6-27, 4 2018-7-18, 4 2018-7-25, 4 2018-8-14, 4 2018-8-22, 4 2018-8-29, 4 2018-9-19, 4 2018-10-10, 4 2018-10-17, 4 2018-10-31, 4 2018-11-7, 4 2018-11-14, 4 2018-12-5, 4 2018-12-11, 4 2019-1-9, 4 2019-1-16, 4 2019-1-30, 4 2019-2-6, 4 2019-2-13, 4 2019-2-20, 4 2019-3-7, 4 2019-3-13, 4 2019-4-3, 4 2019-4-9, 4 2019-4-24, 4 2019-5-8, 4 2019-5-15, 4 2019-5-29, 4 2019-6-5, 4 2019-7-3, 4 2019-7-10, 4 2019-7-24, 4 2019-8-7, 4 2019-8-21, 4 2019-9-4, 4 2019-9-17, 4 2019-10-2, 4 2019-10-9, 4 2019-10-23, 4 2019-10-30, 4 2019-11-20, 4 2019-11-26, 4 2019-12-18, 4 2019-12-23, 4 2020-1-22, 4 2020-1-29, 4 2020-2-26, 4 2020-3-18, 4 2020-3-25, 4 2020-4-1, 4 2020-4-2, 4 2020-4-8, 4 2020-4-15, 4 2020-4-22, 4 2020-5-6, 4 2020-5-21, 4 2020-6-17, 4 2020-7-1, 4 2020-7-8, 4 2020-7-15, 4 2020-7-29, 4 2020-8-5, 4 2020-8-12, 4 2020-8-26, 4 2020-9-9, 4 2020-9-23, 4 2020-9-30, 4 2020-10-7, 4 2020-10-14, 4 2020-10-28, 4 2020-11-4, 4 2020-11-11, 4 2020-12-2, 4 2020-12-9, 4 2020-12-23, 4 2021-1-13, 4 2021-2-4, 4 2021-2-10, 4 2021-2-24, 4 2021-3-3, 4 2021-3-10, 4 2021-3-24, 4 2021-3-31, 4 2021-4-14, 4 2021-4-21, 4 2021-4-28, 4 2021-5-5, 4 2021-5-12, 4 2021-5-19, 4 2021-6-2, 4 2021-6-9, 4 2021-6-16, 4 2021-6-23, 4 2021-6-30, 4 2021-7-7, 4 2021-7-14, 4 2021-7-21, 4 2021-7-28, 4 2021-8-4, 4 2021-8-25, 4 20201-1-13, 4 20201-3-3.
Important User Information
Users of cPanel’s EasyApache 4 should know that this vulnerability has been addressed. It is advisable to read through the update information (editorial team update, 19-05-2023: the update notice is no longer available online). Its key passage reads: “cPanel, L.L.C. has released updated RPMs for EasyApache 4 on September 1, 2021, with OpenSSL version 1.1.1l and a patch for APR version 1.7.0. Unless you have enabled automatic RPM updates in your cron, update your system with either yum update or WHM’s Run System Update interface.”
