In this security bulletin we have a few things to alert you to: a WHM/cPanel update release; OpenSSH being vulnerable to brute-force username enumeration; the httpoxy bug affecting CGI web applications; and vulnerable WordPress plugins.
cPanel and WHM: Update or Else!
First, the latest WHM/cPanel release. Updates have been released for the 11.52, 11.54, 11.56 and 11.58 versions of cPanel and WHM, which cPanel reports will fix all known vulnerabilities in the software. Users who are currently using automatic updates will have their servers updated to the new versions without any further effort. If you have disabled automatic updates on your WHM/cPanel system, we recommend that you run the update as soon as possible. Currently cPanel doesn't suspect that there are exploits for these vulnerabilities in the wild, but it's best to update before attackers stumble upon the now-fixed vulnerabilities in older versions.
OpenSSH Is Vulnerable to Brute Force
Next, a new vulnerability spotted in OpenSSH. It lets an attacker discover which usernames exist on a system by brute force. Normally an attacker attempting to brute-force SSH access to a server would have to guess usernames as well as passwords. This vulnerability, however, allows an attacker to confirm valid usernames by attempting to connect with a very large (~10KB) password and timing the server's response. For a user that doesn't exist on the server, the response comes back much faster than it does for a valid user, because of the time the system takes to hash the long password before checking it.
While this reveals the valid users on the system, the attacker still needs to brute-force the password of a discovered user in order to gain access. There's currently no update that fixes this behaviour, so the only option is to work around it. Generally we would recommend configuring your firewall to block access to the port SSH runs on from all IPs apart from those you trust to connect. We would also recommend using SSH keys to log in to your server, and then disabling password authentication in the sshd_config file.
httpoxy Bug Affects CGI Web Applications
The httpoxy bug affects CGI web applications on various web servers. It is triggered by a malicious client sending a Proxy HTTP header to the web server, which then sets the HTTP_PROXY environment variable that the website software uses for its further external communications. So, if the website communicates with other servers while handling the client's request, that outbound traffic will be sent via the maliciously set proxy, allowing the attacker to intercept it. As with a number of recent bugs, along with its own name this one gets a logo and its own website, which outlines the steps to take to mitigate the problem: https://httpoxy.org/
If you aren't a developer or sysadmin and find the previous link heavy going, there's a non-technical guide to the problems this poses in more detail here that should help. Fortunately, the mitigation steps aren't particularly complex and on most systems are easy to implement.
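To make the header-to-environment collision concrete, here is a small added illustration (not code from this bulletin or from httpoxy.org) of how a CGI gateway builds its environment from request headers, why a client-supplied Proxy header lands in HTTP_PROXY, and two defensive checks: dropping the header at the gateway, and ignoring HTTP_PROXY on the client side whenever the process is running as a CGI script. The header values are constructed sample data.

```python
"""Model of the httpoxy collision and its mitigations. Added example for
this bulletin; the sample request and proxy value are constructed."""


def cgi_meta_variables(headers, method="GET"):
    """RFC 3875 mapping used by CGI gateways: each request header becomes
    HTTP_<NAME> with the name upper-cased and '-' turned into '_'.
    A request header literally named 'Proxy' therefore becomes HTTP_PROXY,
    the same variable many HTTP client libraries read for their proxy."""
    env = {"REQUEST_METHOD": method}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def hardened_meta_variables(headers, method="GET"):
    """Gateway-side mitigation: strip the 'Proxy' request header before the
    mapping runs, so HTTP_PROXY can only come from server configuration."""
    safe = {n: v for n, v in headers.items() if n.lower() != "proxy"}
    return cgi_meta_variables(safe, method)


def outbound_proxy(env):
    """Client-side mitigation: when REQUEST_METHOD is present the process
    is a CGI script and HTTP_PROXY is attacker-controllable, so ignore it.
    Outside CGI the variable is honoured as usual."""
    if "REQUEST_METHOD" in env:
        return None
    return env.get("HTTP_PROXY") or env.get("http_proxy")


if __name__ == "__main__":
    # Constructed request carrying a hostile Proxy header.
    request_headers = {
        "Host": "shop.example",
        "User-Agent": "curl/7.0",
        "Proxy": "http://proxy.invalid:8080",  # placeholder, not a real host
    }
    env = cgi_meta_variables(request_headers)
    print("naive gateway HTTP_PROXY:", env.get("HTTP_PROXY"))
    print("hardened gateway HTTP_PROXY:",
          hardened_meta_variables(request_headers).get("HTTP_PROXY"))
    print("proxy a CGI-aware client would use:", outbound_proxy(env))
```

On real servers the same gateway-side check is usually done in the web server itself, for example with Apache's mod_headers directive `RequestHeader unset Proxy early` or nginx's `fastcgi_param HTTP_PROXY "";`.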
WordPress Plugins Suffer Vulnerable Flaws: Update Now!
Finally, we have three new vulnerabilities in popular WordPress plugins. Ninja Forms, Icegram and WordPress Video Player have all been found to contain flaws of varying severity, from cross-site scripting in Ninja Forms to SQL injection in WordPress Video Player. All three plugins have had patches for these bugs released, so update them now.