Roundcube vulnerability
This report carried by The Register details a major vulnerability in Roundcube. Roundcube posted a patch to GitHub at the end of November, and issued version 1.2.3 here.
The version installed on cp is 1.1.4-8.cp1158.
Any advice on updating to a secure version?
cPanel needs to push it via cPanel updates, you shouldn't attempt to update Roundcube manually.

Hello @pglock, Internal case CPANEL-10239 is open to assess whether that vulnerability affects instances of Roundcube offered with cPanel, and if so, to ensure it's updated to the latest version. We'll update this thread with more information on the status of this case as it becomes available. Thank you.
Is there an update? If cPanel servers are affected... the CVE is between 7 and 10...

blog.ripstech.com/2016/roundcube-command-execution-via-email/

Requirements
The vulnerability has the following requirements for exploitation:
- Roundcube must be configured to use PHP's mail() function (by default, if no SMTP was specified)
- PHP's mail() function is configured to use sendmail (by default, see sendmail_path)
- PHP is configured to have safe_mode turned off (by default, see safe_mode)
- An attacker must know or guess the absolute path of the webroot

These requirements are not particularly demanding, which in turn means that there were a lot of vulnerable systems in the wild.
According to /usr/local/cpanel/base/3rdparty/roundcube/config/config.inc.php, Roundcube in cPanel does not use the mail() function, so it should not be affected by this vulnerability.
> Roundcube must be configured to use PHP's mail() function (by default, if no SMTP was specified)

> According to /usr/local/cpanel/base/3rdparty/roundcube/config/config.inc.php, Roundcube in cPanel does not use the mail() function, so it should not be affected by this vulnerability.

Hello, cPanel configures the local SMTP server for use in Roundcube's configuration file and thus isn't affected by this vulnerability based on the listed requirements. That said, the updated version of Roundcube is included with cPanel version 62:

rpm -qa|grep roundcube
cpanel-roundcubemail-1.2.3-1.cp1162.noarch

Thank you.
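Added example, not code from this thread or from cPanel: a small Python check that applies the requirements listed in the RIPS post above to an instance's Roundcube config.inc.php, PHP ini settings and installed package version. The config and php.ini fragments are constructed samples, and the fixed-version table uses only the 1.1.7 and 1.2.3 releases named in this thread; other branches are reported as unknown and treated as unpatched.

```python
import re

# Constructed samples (hypothetical, not copied from a real cPanel install).
CONFIG_PHP_MAIL = "$config['smtp_server'] = '';\n$config['smtp_port'] = 25;\n"
CONFIG_LOCAL_SMTP = "$config['smtp_server'] = 'localhost';\n$config['smtp_port'] = 25;\n"
PHP_INI_DEFAULT = ";sendmail_path = ignored\nsendmail_path = \"/usr/sbin/sendmail -t -i\"\nsafe_mode = Off\n"
# Fixed versions named in this thread, keyed by release branch.
FIXED_BY_BRANCH = {(1, 1): (1, 1, 7), (1, 2): (1, 2, 3)}

def uses_php_mail(config_text):
    """Roundcube falls back to PHP mail() when smtp_server is unset or empty."""
    m = re.search(r"\$(?:config|rcmail_config)\['smtp_server'\]\s*=\s*'([^']*)'", config_text)
    return m is None or m.group(1).strip() == ""

def ini_value(ini_text, key):
    """First uncommented `key = value` line of a php.ini fragment, quotes stripped."""
    m = re.search(r"^\s*%s\s*=\s*\"?([^\"\n]*)\"?\s*$" % re.escape(key), ini_text, re.M)
    return m.group(1).strip() if m else None

def php_mail_uses_sendmail(ini_text):
    path = ini_value(ini_text, "sendmail_path")  # unset means PHP's default, sendmail
    return path is None or "sendmail" in path

def safe_mode_off(ini_text):
    value = ini_value(ini_text, "safe_mode")  # unset means off (the PHP default)
    return value is None or value.lower() in ("off", "0", "")

def is_patched(package_version):
    """Compare the upstream part of e.g. '1.1.4-8.cp1158' with the fix for its branch."""
    v = tuple(int(x) for x in re.match(r"(\d+)\.(\d+)\.(\d+)", package_version).groups())
    fixed = FIXED_BY_BRANCH.get(v[:2])
    return None if fixed is None else v >= fixed  # None: branch not in the table above

def exposure(config_text, ini_text, package_version):
    """Report which requirements hold; exposed only if not known patched and all hold."""
    r = {"php_mail": uses_php_mail(config_text),
         "sendmail": php_mail_uses_sendmail(ini_text),
         "safe_mode_off": safe_mode_off(ini_text),
         "patched": is_patched(package_version)}
    # An unknown branch (patched is None) is conservatively treated as unpatched.
    r["exposed"] = r["patched"] is not True and r["php_mail"] and r["sendmail"] and r["safe_mode_off"]
    return r
```

The webroot-path requirement is not checked here because it concerns what an outsider can learn, not a local setting; the other three plus the package version are what an administrator can verify on the box.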
Hello, to update, patched Roundcube versions are now included with cPanel version 60.0.31:

Fixed case CPANEL-10401: Update cpanel-roundcubemail to 1.1.7-1.cp1158.

Additionally, with cPanel version 58.0.41:

Fixed case CPANEL-10321: Update cpanel-roundcubemail to 1.1.7-1.cp1158.

The full Change Logs are available at:
60 Change Log - Change Logs - cPanel Documentation
58 Change Log - Change Logs - cPanel Documentation

Thank you.