Exim vulnerability and cPanel patch

Update June 6, 2019: We have now released updates for the End Of Life Versions 70 and 76.

Exim is the mail server software cPanel & WHM servers use. Last week an exploit for Exim was identified, and today a patch for the exploit was released. This exploit allowed for both local and remote root-level privilege escalation. That means that you won’t need to be able to access the server as a user to exploit the server, as is the case with most security vulnerabilities that are found.

It’s possible that the update will be blocked with an error similar to this:

A system upgrade was not possible due to the following blockers:
[2019-06-07 02:02:51 +0200] W [FATAL] - You must migrate from EA3 to EA4 before upgrading to v78 or newer. You can do so by running /usr/local/cpanel/scripts/migrate_ea3_to_ea4 or via WHM’s EasyApache 4 Migration interface. For more information please see: https://go.cpanel.net/EA4Migration

If you encounter this error, you must manually adjust your /etc/cpupdate.conf file to the example below:

CPANEL=11.76
RPMUP=daily
SARULESUP=daily
STAGING_DIR=/usr/local/cpanel
UPDATES=daily

Once you have completed this update (upcp) please set this back to the following:

CPANEL=release
RPMUP=daily
SARULESUP=daily
STAGING_DIR=/usr/local/cpanel
UPDATES=daily

This will allow you to upgrade to newer versions of cPanel & WHM once you have migrated to EasyApache 4.

While Exim is open source software that we bundle with our software and is not built by cPanel, this vulnerability is something that we feel deserves our attention. This is an extremely rare and specific situation that has the potential to impact everyone who interacts with the internet in any way. For that reason, we have released an update to patch this vulnerability for both Version 70 and Version 76. To ensure that your server has received the patch, please update to one of the following versions:

TIERVERSION
7070.0.69
7676.0.22
7878.0.27

cPanel & WHM Versions 70 and 76 remain End of Life and will receive no other updates. This is a one-time bending of our policy, and we do not plan to pursue any other updates for these versions. We still strongly recommend that you keep your servers updated, and continue to run the most recent versions of cPanel & WHM available. 


How to Protect Yourself from Exim Vulnerabilities

The best way to protect yourself is to upgrade to a supported version of cPanel & WHM. All supported versions of cPanel & WHM are immune to the exploit. Version 80 was never vulnerable, as it included a newer (and non-vulnerable) version of Exim. Thanks in large part to the improvements we’ve made around installs and updates, we were also able to take that update from Exim, test it, and release an update for Version 78 today.

To confirm you are already running a patched version, you can run this command on the server:

rpm -q exim

The output will show you the Exim versions that are installed, and should look something like what’s below:

For Version 78: exim-4.92-1.cp1178.x86_64 
For Version 80: exim-4.92-1.cp1180.x86_64 
For Version 70 and 76: exim-4.91-4.cp1170.x86_64

cPanel & WHM Version 76 Not Patched (now patched, see above update)

cPanel & WHM Version 76 reached end of life in April of this year and was the last version to support EasyApache 3. Some hosting providers have not yet migrated to EasyApache 4, which means they are prevented from upgrading beyond Version 76. If you are using EasyApache 3, you are not only vulnerable to this exploit, but also dozens of exploits that exist in the now end-of-life versions of Apache and PHP used by EasyApache 3.

If you are concerned about migrating to EasyApache 4, you shouldn’t be! Migrating to EasyApache 4 is easy! Our Documentation breaks down all of the changes that have been made in the migration process in The EasyApache 3 to EasyApache 4 Migration Process. Any concerns about specific parts of the migration can be eased by reviewing the Current Status of EasyApache 4 documentation, which breaks down all of the bits we took into account.

Migrating can be done with the click of a button inside WHM. Just log in, go to the EasyApache 4 interface, and click Migrate. The command line steps to migrate can be found in our How to Install EasyApache 4 documentation as well. 

Current Workarounds

There are no known-good workarounds at this time. The only way to ensure that you are protected is to upgrade your server to a patched version. Both Versions 78 and 80 are patched at this time. You can also see the CVE-2019-10149 Exim page in our documentation for more information about our response. 

If you need help with any of this, don’t hesitate to reach out! The best places to ask questions are the cPanel Forums, our directly to our support team. You can also join us in our Slack or Discord channels, or even ask on our subreddit