View Full Version : cPanel Issues Statement on Root Exploit



Domenico
23/05/13, 20:55
source: cPanel forums (https://forums.cpanel.net/f185/restoring-account-backup-packages-unknown-untrusted-sources-347802.html), Pingzine (http://www.pingzine.com/cpanel-issues-statement-on-root-exploit-25113/)

Restoring account backup packages from unknown, or untrusted, sources


We’ve been getting some interesting and valuable feedback from the cPanel Community recently concerning the security model used by the transfer and backup restore system. We’d like to address these concerns here and provide the Community with some clarity on this topic, directly from cPanel.

First, we want to highlight again the risk of restoring account backup packages from untrusted or unknown sources. We need to ensure that everyone has the opportunity to be conscious of the security concerns associated with this process.

The account backup package system (pkgacct) is designed to transfer an account between machines inside your ecosystem. This system's primary goal is to prefer replication integrity in order to simplify the process of migrating your accounts between your servers.


In order to achieve this goal it must copy the entire account, along with its configuration, privileges, customizations, files, and permissions that the account has been granted.
The system is not designed to handle untrusted data. There are a myriad of ways a malicious user can alter an account backup package to escalate privileges, or add additional privileges to an account backup package.
We strongly recommend that you do not restore data from untrusted sources. It is for this reason that the restore system has always been limited to the root user.


It has recently been brought to our attention that the restoration of account backup packages from an untrusted or unknown source may be a more common practice than we envisioned. In addition, our warnings against doing so have been inadequate to discourage the restoration of untrusted account backup packages.

We understand the value that this workflow offers, and we want to offer a way to accomplish restoring account backup packages from untrusted sources in a more secure manner. The security and integrity of your system is very important to us.

Your feedback, along with the consideration of the desired workflow, has prompted us to reevaluate our current system and develop a new goal of delivering a more robust solution.


We will soon release an update that adds the warnings present in the CLI restorepkg script to the WHM UI. The warnings will be expanded to explain why account backup packages from untrusted sources should not be restored using the current system.
We have launched a high priority project to develop an alternate system for handling the restoration of untrusted account backup packages. This new system will restore a limited, safer subset of the data. The primary goal of the new restore tool will be to prefer the security of the restore over replication integrity. We will endeavor to provide as much of the current restore functionality with the new untrusted account backup package restore tool as possible. During the new transfer and restore process, you will be able to clearly select which system you want to use (trusted or untrusted) to restore an account backup package.
The CLI restorepkg tool will be renamed to restore_trusted_pkg. Once development of the untrusted account backup package restore system is complete, a restore_untrusted_pkg CLI tool will be added.


For the avoidance of doubt, untrusted sources means anyone you would not already trust with root access to the server.



Kenneth
Development
cPanel, Inc.
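The statement above says a tampered account backup package can carry privilege escalation because the restore copies paths, links, ownership and permission bits verbatim. As an added illustration (not cPanel's code, and not modelling the real pkgacct layout), the following scan inspects only generic tar metadata of a constructed sample archive and flags the kinds of entries a defender would want to reject before a trusted-mode restore:

```python
import io
import stat
import tarfile
from posixpath import normpath

# Added example (not cPanel's code): a pre-restore scan of an account backup
# archive that flags entries a tampered package could use to gain privileges.
# The real pkgacct format is not modelled; only generic tar metadata is checked.

def _escapes(path):
    """True if a path is absolute or climbs out of the extraction directory."""
    return path.startswith("/") or ".." in normpath(path).split("/")

def scan_package(data):
    """Return a list of (member name, reason) findings for a tar archive given as bytes."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for m in tar.getmembers():
            if _escapes(m.name):
                findings.append((m.name, "path escapes extraction directory"))
            if (m.issym() or m.islnk()) and _escapes(m.linkname):
                findings.append((m.name, "link target outside archive"))
            if m.isfile() and m.mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append((m.name, "setuid/setgid bit set"))
            if m.isfile() and m.uid == 0:
                findings.append((m.name, "file owned by uid 0"))
    return findings

def _make_sample():
    """Constructed sample archive: one harmless file plus four tampered entries."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add(name, body=b"", mode=0o644, uid=1000, kind=tarfile.REGTYPE, link=""):
            info = tarfile.TarInfo(name)
            info.type, info.mode, info.uid, info.gid = kind, mode, uid, uid
            info.linkname, info.size = link, len(body)
            tar.addfile(info, io.BytesIO(body) if kind == tarfile.REGTYPE else None)
        add("homedir/public_html/index.html", b"<html></html>")   # benign
        add("homedir/.bashrc", b"", uid=0)                         # root-owned file
        add("homedir/bin/helper", b"#!/bin/sh\n", mode=0o4755)     # setuid binary
        add("../../etc/cron.d/job", b"")                           # path traversal
        add("homedir/www", kind=tarfile.SYMTYPE, link="/root")     # symlink escape
    return buf.getvalue()

SAMPLE = _make_sample()

if __name__ == "__main__":
    for name, reason in scan_package(SAMPLE):
        print(f"{reason}: {name}")
```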

davinci
23/05/13, 22:25
It has recently been brought to our attention that the restoration of account backup packages from an untrusted or unknown source may be a more common practice than we envisioned.


As in: you have your backups stored 'elsewhere' and they turn out to be compromised? And then you try to restore them into your own network?
Surely it's clear that you also secure your (offsite) backups properly, and that cPanel itself therefore doesn't contain an exploit?

ju5t
23/05/13, 23:21
No, as in: you're migrating a customer to your own servers and the backup is supplied by the customer. That is, the customer you wouldn't give root access to your server. So this is mainly about shared environments, not a migration between dedicated servers or cloud servers, since in that case you're already handing over root access anyway.

But cPanel or shared hosting isn't unique in that. You can run into the same problem with virtual/cloud environments.

dreamhost_nl
04/06/13, 14:23
Right, that's also what I take from the story, getUP.