Situation
A combination of two vulnerabilities in the LiteSpeed cPanel plugin allowed an authenticated cPanel user to escalate privileges to root, including on servers running CloudLinux and CageFS.
Currently affected versions are v5.3.1 of the LiteSpeed WHM plugin and lower.
Impact
In order to mitigate this vulnerability further, it is recommended to disable the LiteSpeed User-End Plugin for cPanel.
Note: The LiteSpeed web service will continue to function without issue.
Call to Action
This has been resolved as of the LiteSpeed WHM plugin v5.3.2.0 (cPanel user-end plugin v2.4.8). Use the following to perform an update to LiteSpeed:
# /usr/local/lsws/admin/misc/lsup.sh
If the LiteSpeed version cannot be updated, it is recommended to remove plugin using the following command:
# /usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall
Comments
0 comments
Article is closed for comments.