high advisory

Multiple Vulnerabilities in cPanel/WHM

An anonymous remote attacker can exploit multiple vulnerabilities in cPanel/WHM to bypass security measures, perform XSS and SSRF attacks, disclose information, and potentially execute code.

Multiple vulnerabilities have been identified in cPanel/WHM, a widely used web hosting control panel. An anonymous, remote attacker can exploit these vulnerabilities to compromise cPanel/WHM installations. The vulnerabilities allow an attacker to bypass security measures, perform Cross-Site Scripting (XSS) and Server-Side Request Forgery (SSRF) attacks, disclose sensitive information, and potentially execute arbitrary code on the server. These vulnerabilities pose a significant risk to organizations relying on cPanel/WHM for web hosting, potentially leading to data breaches, service disruption, and unauthorized access to sensitive systems.

Attack Chain

  1. The attacker identifies a vulnerable cPanel/WHM instance exposed to the internet.
  2. The attacker crafts a malicious HTTP request exploiting an identified SSRF vulnerability to probe internal network resources.
  3. Successful SSRF exploitation allows the attacker to identify internal services and gather information about the server architecture.
  4. The attacker leverages an XSS vulnerability by injecting malicious JavaScript code into a cPanel/WHM page.
  5. Unsuspecting users interacting with the compromised page execute the attacker’s JavaScript code.
  6. The attacker uses the XSS payload to steal user session cookies or credentials.
  7. The attacker uses the stolen credentials to bypass authentication and gain unauthorized access to cPanel/WHM.
  8. With elevated privileges, the attacker can potentially execute arbitrary code on the server, leading to full system compromise.

Impact

Successful exploitation of these vulnerabilities can lead to severe consequences. An attacker could gain unauthorized access to sensitive data, including customer databases, configuration files, and source code. XSS attacks could deface websites and phish users. SSRF attacks can expose internal network resources. Remote code execution can lead to complete server takeover and potentially impact a large number of hosted websites and services. This can result in significant financial losses, reputational damage, and legal liabilities.

Recommendation

  • Deploy the Sigma rule Detect Suspicious cPanel/WHM HTTP Request to identify potential SSRF attempts within cPanel/WHM webserver logs.
  • Deploy the Sigma rule Detect cPanel/WHM XSS Attempt to detect potential XSS payloads being injected into cPanel/WHM.
  • Closely monitor web server logs for unusual activity originating from cPanel/WHM servers, using the webserver log source category.
  • Implement strong input validation and output encoding to prevent XSS attacks.
  • Harden cPanel/WHM configurations to restrict SSRF attack vectors and limit access to internal resources.
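The two detection recommendations above, illustrated as an added example: a small Python log-triage script that applies the same two heuristics (a URL-valued parameter pointing at an internal address for SSRF probing, and script markers in a decoded parameter for XSS injection) to constructed access-log lines. It is not one of the platform's Sigma rules; the combined-log format, the paths, parameters and addresses are assumed placeholders, not real cPanel/WHM endpoints or traffic.

```python
import re
from ipaddress import ip_address
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (combined-log shape). Paths, parameters
# and addresses are placeholders, not real cPanel/WHM endpoints or traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /cpsess123/frontend/index.html HTTP/1.1" 200 512
203.0.113.5 - - [01/Jan/2024:10:00:02 +0000] "GET /cpsess123/frontend/fetch.cgi?url=http://127.0.0.1:2087/ HTTP/1.1" 200 88
203.0.113.5 - - [01/Jan/2024:10:00:03 +0000] "GET /cpsess123/frontend/fetch.cgi?url=http://169.254.169.254/latest/ HTTP/1.1" 200 88
198.51.100.9 - - [01/Jan/2024:10:00:04 +0000] "GET /cpsess123/frontend/search.html?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 300
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# Marker patterns for reflected-script payloads: script tag, inline event handler, javascript: URL.
XSS_MARKERS = re.compile(r"<\s*script|\bon\w+\s*=|javascript:", re.IGNORECASE)


def is_internal_host(host: str) -> bool:
    """True for localhost, loopback, RFC 1918 and link-local (incl. cloud metadata) addresses."""
    if host.lower() == "localhost":
        return True
    try:
        ip = ip_address(host)
    except ValueError:
        return False  # a DNS name: resolution is out of scope for a log-only check
    return ip.is_loopback or ip.is_private or ip.is_link_local


def classify_request(target: str) -> list[str]:
    """Return indicator tags for one request target (path plus query string)."""
    tags = []
    # parse_qsl percent-decodes values, so encoded payloads are inspected decoded
    for _, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if value.lower().startswith(("http://", "https://")):
            # SSRF heuristic: a parameter whose value is a URL aimed at an internal host
            if is_internal_host(urlsplit(value).hostname or ""):
                tags.append("ssrf_internal_target")
        if XSS_MARKERS.search(value):
            tags.append("xss_marker")
    return tags


def scan_log(text: str) -> list[dict]:
    """Parse each line and return findings (source IP, target, tags); unparseable lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and (tags := classify_request(m["target"])):
            findings.append({"src": m["src"], "target": m["target"], "tags": tags})
    return findings
```

Run `scan_log(SAMPLE_LOG)` on the constructed lines: the benign request yields nothing, the two loopback/metadata fetches are tagged as SSRF targets, and the encoded script parameter is tagged as an XSS marker.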

Detection coverage (2 rules)

Detect Suspicious cPanel/WHM HTTP Request

medium

Detects suspicious HTTP requests to cPanel/WHM servers that may indicate SSRF attempts.

Rule type: sigma; tactics: initial_access; techniques: T1190; sources: webserver, linux

Detect cPanel/WHM XSS Attempt

high

Detects potential XSS payloads being injected into cPanel/WHM.

Rule type: sigma; tactics: initial_access; techniques: T1189; sources: webserver, linux

Detection queries are kept inside the platform.